WEKO3
アイテム
Identification of Vulnerable Kernel Code Using Kernel Tracing Mechanism
https://ipsj.ixsq.nii.ac.jp/records/231545
https://ipsj.ixsq.nii.ac.jp/records/23154528de45f2-dd03-4805-b4cb-e1d98f0c22a2
| 名前 / ファイル | ライセンス | アクション |
|---|---|---|
IPSJ-JNL6412003.pdf (1.5 MB)
2025年12月15日からダウンロード可能です。
|
Copyright (c) 2023 by the Information Processing Society of Japan
|
|
| 非会員:¥0, IPSJ:学会員:¥0, 論文誌:会員:¥0, DLIB:会員:¥0 | ||
| Item type | Journal(1) | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| 公開日 | 2023-12-15 | |||||||||
| タイトル | ||||||||||
| タイトル | Identification of Vulnerable Kernel Code Using Kernel Tracing Mechanism | |||||||||
| タイトル | ||||||||||
| 言語 | en | |||||||||
| タイトル | Identification of Vulnerable Kernel Code Using Kernel Tracing Mechanism | |||||||||
| 言語 | ||||||||||
| 言語 | eng | |||||||||
| キーワード | ||||||||||
| 主題Scheme | Other | |||||||||
| 主題 | [特集:次世代デジタルプラットフォームにおける情報流通を支えるセキュリティとトラスト(推薦論文)] kernel vulnerability, dynamic analysis, system security | |||||||||
| 資源タイプ | ||||||||||
| 資源タイプ識別子 | http://purl.org/coar/resource_type/c_6501 | |||||||||
| 資源タイプ | journal article | |||||||||
| 著者所属 | ||||||||||
| Graduate School of Engineering, Kobe University | ||||||||||
| 著者所属 | ||||||||||
| Faculty of Natural Science and Technology, Okayama University | ||||||||||
| 著者所属(英) | ||||||||||
| en | ||||||||||
| Graduate School of Engineering, Kobe University | ||||||||||
| 著者所属(英) | ||||||||||
| en | ||||||||||
| Faculty of Natural Science and Technology, Okayama University | ||||||||||
| 著者名 |
Hiroki, Kuzuno
× Hiroki, Kuzuno
× Toshihiro, Yamauchi
|
|||||||||
| 著者名(英) |
Hiroki, Kuzuno
× Hiroki, Kuzuno
× Toshihiro, Yamauchi
|
|||||||||
| 論文抄録 | ||||||||||
| 内容記述タイプ | Other | |||||||||
| 内容記述 | Vulnerable kernel code is a threat to an operating system kernel. An adversary's user process can forcefully invoke vulnerable kernel code to cause privilege escalation or denial of service (DoS). Although security engineers belong Computer Security Incident Response Team (CSIRT) and Product Security Incident Response Team (PSIRT) of service providers or security operators have to consider the effect of kernel vulnerability on their system environment when deciding whether or not to update a kernel, the list of vulnerable kernel code is not provided in the Common Vulnerabilities and Exposures (CVE) report In addition, it is difficult to identify the vulnerable kernel code from the exploitation results in the kernel which indicates the account or the kernel suspension information. To identify the details of kernel vulnerability, we propose a vulnerable kernel code tracer (vkTracer), which uses an alternative viewpoint using proof-of-concept (PoC) code to create a profile of kernel vulnerability. vkTracer traces the user process of the PoC code and the running kernel to hook the invocation of the vulnerable kernel code. Moreover, vkTracer extracts the whole kernel component's information using the running and static kernel image and debug section. This ensures that vkTracer identifies the virtual address range and function name of the invoked kernel code from the traced user process; a profile of kernel vulnerability is then created. The evaluation results indicate that vkTracer could trace PoC code execution (e.g., privilege escalation or DoS), identify vulnerable kernel code, and generate a kernel vulnerability profile. Additionally, vkTracer could trace the kernel code of system call invocation regarding CVE information. Furthermore, the implementation of vkTracer reveals that the identification overhead ranges from 5.2683 s to 5.2728 s on the PoC codes and the acceptable system call latency is 3.7197 μs. Moreover, vkTracer represents 0.37% and 0.56% of the dynamic kernel tracing overhead for the web client program access overhead of 100,000 Hypertext Transfer Protocol sessions. ------------------------------ This is a preprint of an article intended for publication Journal of Information Processing(JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.31(2023) (online) DOI http://dx.doi.org/10.2197/ipsjjip.31.788 ------------------------------ |
|||||||||
| 論文抄録(英) | ||||||||||
| 内容記述タイプ | Other | |||||||||
| 内容記述 | Vulnerable kernel code is a threat to an operating system kernel. An adversary's user process can forcefully invoke vulnerable kernel code to cause privilege escalation or denial of service (DoS). Although security engineers belong Computer Security Incident Response Team (CSIRT) and Product Security Incident Response Team (PSIRT) of service providers or security operators have to consider the effect of kernel vulnerability on their system environment when deciding whether or not to update a kernel, the list of vulnerable kernel code is not provided in the Common Vulnerabilities and Exposures (CVE) report In addition, it is difficult to identify the vulnerable kernel code from the exploitation results in the kernel which indicates the account or the kernel suspension information. To identify the details of kernel vulnerability, we propose a vulnerable kernel code tracer (vkTracer), which uses an alternative viewpoint using proof-of-concept (PoC) code to create a profile of kernel vulnerability. vkTracer traces the user process of the PoC code and the running kernel to hook the invocation of the vulnerable kernel code. Moreover, vkTracer extracts the whole kernel component's information using the running and static kernel image and debug section. This ensures that vkTracer identifies the virtual address range and function name of the invoked kernel code from the traced user process; a profile of kernel vulnerability is then created. The evaluation results indicate that vkTracer could trace PoC code execution (e.g., privilege escalation or DoS), identify vulnerable kernel code, and generate a kernel vulnerability profile. Additionally, vkTracer could trace the kernel code of system call invocation regarding CVE information. Furthermore, the implementation of vkTracer reveals that the identification overhead ranges from 5.2683 s to 5.2728 s on the PoC codes and the acceptable system call latency is 3.7197 μs. Moreover, vkTracer represents 0.37% and 0.56% of the dynamic kernel tracing overhead for the web client program access overhead of 100,000 Hypertext Transfer Protocol sessions. ------------------------------ This is a preprint of an article intended for publication Journal of Information Processing(JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.31(2023) (online) DOI http://dx.doi.org/10.2197/ipsjjip.31.788 ------------------------------ |
|||||||||
| 書誌レコードID | ||||||||||
| 収録物識別子タイプ | NCID | |||||||||
| 収録物識別子 | AN00116647 | |||||||||
| 書誌情報 |
情報処理学会論文誌 巻 64, 号 12, 発行日 2023-12-15 |
|||||||||
| ISSN | ||||||||||
| 収録物識別子タイプ | ISSN | |||||||||
| 収録物識別子 | 1882-7764 | |||||||||
| 公開者 | ||||||||||
| 言語 | ja | |||||||||
| 出版者 | 情報処理学会 | |||||||||
