Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
This addresses OS security for systems running Windows 10 x64 by providing enhanced protection against kernel-mode attacks, though it is incremental as it builds on existing hypervisor and hardware features.
The paper tackles the problem of securing kernel-mode drivers from memory tampering and data theft by malware, proposing MemoryRanger, a hypervisor-based system that isolates drivers in separate kernel enclaves using Intel VT-x and EPT, achieving low performance degradation on Windows 10 x64.
One of the main issues in the OS security is to provide trusted code execution in an untrusted environment. During executing, kernel-mode drivers allocate and process memory data: OS internal structures, users private information, and sensitive data of third-party drivers. All this data and the drivers code can be tampered with by kernel-mode malware. Microsoft security experts integrated new features to fill this gap, but they are not enough: allocated data can be stolen and patched and the drivers code can be dumped without any security reaction. The proposed hypervisor-based system (MemoryRanger) tackles this issue by executing drivers in separate kernel enclaves with specific memory attributes. MemoryRanger protects code and data using Intel VT-x and EPT features with low performance degradation on Windows 10 x64.