Policy-centric protection of OS kernel from vulnerable loadable kernel modules

Donghai Tian, Xi Xiong, Changzhen Hu, Peng Liu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Scopus citations


Due to lack of the protecting mechanism in the kernel space, the loadable kernel modules (LKM) may be exploited and thus seriously affecting the OS kernel's security via utilizing the implicit or explicit vulnerabilities. Although lots of systems have been developed to address the above problem, there still remain some challenges. a) How to automatically generate a security policy before the kernel module is enforced? b) How to properly mediate the interactions between the kernel module and OS kernel to ensure the policy consistence without modifications (or least changes) on the existing OS, hardware, and kernel module structure? In this paper, we present LKMG, a policy-centric system which can protect commodity OS kernel from vulnerable loadable kernel modules. More powerful than previous systems, LKMG is able to generate a security policy form the kernel module, and then enforce the policy during the kernel module's execution. Generally, the working process of LKMG can be divided into two stages. First, we utilize static analysis to extract the kernel code and data access patterns from a kernel module's source code, and then combine these patterns with the related memory address information to generate a security policy. Second, by leveraging hardware-based virtualization technology, LKMG isolates the kernel module from the rest of the kernel, and then enforces the kernel module's execution to obey the derived policy. The experiment show that our system can defend against various loadable kernel module exploitations effectively with moderate performance overhead.

Original languageEnglish (US)
Title of host publicationInformation Security Practice and Experience - 7th International Conference, ISPEC 2011, Proceedings
Number of pages16
StatePublished - 2011
Event7th International Conference on Information Security Practice and Experience, ISPEC 2011 - Guangzhou, China
Duration: May 30 2011Jun 1 2011

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6672 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other7th International Conference on Information Security Practice and Experience, ISPEC 2011

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Policy-centric protection of OS kernel from vulnerable loadable kernel modules'. Together they form a unique fingerprint.

Cite this