TUM Logo

X-TIER: Kernel Module Injection

In spite of the fact that security applications can greatly benefit from virtualization, hypervisor-based security solutions remain sparse. The main cause for this is the semantic gap, which makes the development of hypervisor-based security applications cumbersome, error-prone, and time-consuming. In this paper, we present X-TIER, a framework that enables hypervisor-based security applications to bridge the semantic gap by injecting kernel modules from the outside into a running virtual machine (VM). While previous approaches bridge the semantic gap by reading kernel objects from memory, X-TIER goes beyond such work and allows the injected code to manipulate the guest operating system (OS) state and even call kernel functions without sacrificing the overall security. We have implemented a prototype of X-TIER on the x86 architecture that supports module injection for Windows and Linux guests. The evaluation of our system shows that kernel module injection only incurs a very small performance overhead, leaves no traces within the guest system, and provides access to all exported guest OS data structures and functions. Consequently, the mechanism is well-suited for creating hypervisor-based security applications.

X-TIER: Kernel Module Injection

Proceedings of the 7th International Conference on Network and System Security

Authors: Sebastian Vogl, Fatih Kilic, Christian Schneider, and Claudia Eckert
Year/month: 2013/6
Booktitle: Proceedings of the 7th International Conference on Network and System Security
Volume: 7873
Series: Lecture Notes in Computer Science
Pages: 192--206
Publisher: Springer

Abstract

In spite of the fact that security applications can greatly benefit from virtualization, hypervisor-based security solutions remain sparse. The main cause for this is the semantic gap, which makes the development of hypervisor-based security applications cumbersome, error-prone, and time-consuming. In this paper, we present X-TIER, a framework that enables hypervisor-based security applications to bridge the semantic gap by injecting kernel modules from the outside into a running virtual machine (VM). While previous approaches bridge the semantic gap by reading kernel objects from memory, X-TIER goes beyond such work and allows the injected code to manipulate the guest operating system (OS) state and even call kernel functions without sacrificing the overall security. We have implemented a prototype of X-TIER on the x86 architecture that supports module injection for Windows and Linux guests. The evaluation of our system shows that kernel module injection only incurs a very small performance overhead, leaves no traces within the guest system, and provides access to all exported guest OS data structures and functions. Consequently, the mechanism is well-suited for creating hypervisor-based security applications.

Bibtex:

@incolletion { Vogl2013,
author = { Sebastian Vogl and Fatih Kilic and Christian Schneider and Claudia Eckert},
title = { X-TIER: Kernel Module Injection },
year = { 2013 },
booktitle = { Proceedings of the 7th International Conference on Network and System Security },
volume = { 7873 },
publisher = { Springer },
series = { Lecture Notes in Computer Science },
pages = { 192--206 },

}