One of the main issues in the OS security is to provide trusted code execution in an untrusted environment. During executing, kernel-mode drivers allocate and process memory data: OS internal structures, users’ private information, and sensitive data of third-party drivers. All this data and the drivers’ code can be tampered with by kernel-mode malware. Microsoft security experts integrated new features to fill this gap, but they are not enough: allocated data can be stolen and patched and the driver’s code can be dumped without any security reaction. The proposed hypervisor-based system (MemoryRanger) tackles this issue by executing drivers in separate kernel enclaves with specific memory attributes. MemoryRanger protects code and data using Intel VT-x and EPT features with low-performance degradation on Windows 10 x64.
MemoryRanger details are here:
Korkin, I. (2018, December 5-6). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. In Proceedings of the BlackHat Europe Conference, London, UK. Retrieved from https://www.blackhat.com/eu-18/briefings/schedule/#divide-et-impera-memoryranger-runs-drivers-in-isolated-kernel-spaces-12668
|
Article Link: https://igorkorkin.blogspot.com/2018/12/divide-et-impera-memoryranger-runs.html