Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel
This addresses security vulnerabilities in Windows-based systems, including industrial CNC machines, by providing integrity and confidentiality for third-party driver memory, which is an incremental improvement over existing approaches.
The paper tackles the problem of protecting dynamically allocated memory in the Windows kernel from tampering and theft by kernel-mode malware, proposing a hypervisor-based system called AllMemPro that prevents access to even a single byte of allocated data and adapts in real time without requiring driver source code.
One of the main issues in the OS security is providing trusted code execution in an untrusted environment. During executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users' private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can cause not just hiding a malware driver, process privilege escalation, and stealing private data but also failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts for newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on newest Windows 10 1709 x64.