{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,5]],"date-time":"2025-11-05T14:03:42Z","timestamp":1762351422001,"version":"3.37.3"},"reference-count":35,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2024,7,25]],"date-time":"2024-07-25T00:00:00Z","timestamp":1721865600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,7,25]],"date-time":"2024-07-25T00:00:00Z","timestamp":1721865600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100019084","name":"Kobe University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100019084","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2024,10]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Kernel memory corruption, which leads to a privilege escalation attack, has been reported as a security threat to operating systems. To mitigate privilege escalation attacks, several security mechanisms have been proposed. Kernel address space layout randomization randomizes the virtual address layout of kernel code and data in kernel memory. Privileged information protection methods monitor for and restore illegal privilege modifications. However, if an adversary identifies the kernel data containing privileged information, the adversary can still achieve privilege escalation in a running kernel. This paper proposes a kernel data relocation mechanism (KDRM) that dynamically relocates privileged information in the running kernel to mitigate privilege escalation attacks. The KDRM introduces the relocation-only page into the kernel. 
The relocation-only page allows the virtual address of the privileged information to change by dynamically relocating it for the user process. One of the relocation-only pages is randomly selected to store the privileged information at each system call invocation. The evaluation results indicate that KDRM can mitigate privilege escalation attacks that directly overwrite kernel memory from user processes on Linux. The KDRM showed an acceptable performance cost: the overhead of a system call was up to 11.52%, and the overhead on the kernel performance score was 0.11%.<\/jats:p>","DOI":"10.1007\/s10207-024-00890-4","type":"journal-article","created":{"date-parts":[[2024,7,25]],"date-time":"2024-07-25T14:39:09Z","timestamp":1721918349000},"page":"3351-3367","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Mitigation of privilege escalation attack using kernel data relocation mechanism"],"prefix":"10.1007","volume":"23","author":[{"given":"Hiroki","family":"Kuzuno","sequence":"first","affiliation":[]},{"given":"Toshihiro","family":"Yamauchi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,7,25]]},"reference":[{"key":"890_CR1","doi-asserted-by":"publisher","unstructured":"Chen, H., Mao, Y., Wang, X., Zhou, D., Zeldovich, N., Kaashoek, M.F.: Linux kernel vulnerabilities: state-of-the-art defenses and open problems. In: Proceedings of the Second Asia-Pacific Workshop on Systems (APSys\u201911). Association for Computing Machinery, NY (2011). https:\/\/doi.org\/10.1145\/2103799.2103805","DOI":"10.1145\/2103799.2103805"},{"key":"890_CR2","doi-asserted-by":"publisher","unstructured":"Chen, Q., Azab, A.M., Ganesh, G., Ning, P.: Privwatcher: non-bypassable monitoring and protection of process credentials from memory corruption attacks. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security (ASIA CCS\u201917), pp. 
167\u2013178. Association for Computing Machinery, New York (2017). https:\/\/doi.org\/10.1145\/3052973.3053029","DOI":"10.1145\/3052973.3053029"},{"key":"890_CR3","doi-asserted-by":"publisher","unstructured":"Criswell, J., Dautenhahn, N., Adve, V.: Kcofi: complete control-flow integrity for commodity operating system kernels. In: Proceedings of 2014 IEEE Symposium on Security and Privacy, pp. 292\u2013307 (2014). https:\/\/doi.org\/10.1109\/SP.2014.26","DOI":"10.1109\/SP.2014.26"},{"key":"890_CR4","doi-asserted-by":"publisher","unstructured":"Criswell, J., Zhou, J., Gravani, S., Hu, X.: Privanalyzer: measuring the efficacy of Linux privilege use. In: 2019 49th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 593\u2013604 (2019). https:\/\/doi.org\/10.1109\/DSN.2019.00065","DOI":"10.1109\/DSN.2019.00065"},{"key":"890_CR5","unstructured":"Database, E.: Nexus 5 android 5.0\u2014privilege escalation. https:\/\/www.exploit-db.com\/exploits\/35711\/. Accessed 21 May 2019"},{"key":"890_CR6","unstructured":"details, C.: Linux vulnerability statistics. https:\/\/www.cvedetails.com\/vendor\/33\/Linux.html. Accessed 21 May 2019"},{"key":"890_CR7","unstructured":"Foundation, L.: The Linux kernel archives. https:\/\/www.kernel.org\/. Accessed 10 June 2022"},{"key":"890_CR8","unstructured":"Foundation, L.: Randomize the address of the kernel image (kaslr). https:\/\/www.kernelconfig.io\/config_randomize_base. Accessed 10 June 2022"},{"key":"890_CR9","unstructured":"FreeBSD: Freebsd architecture handbook. https:\/\/www.freebsd.org\/doc\/en_US.ISO8859-1\/books\/arch-handbook\/. Accessed 18 Aug 2019"},{"key":"890_CR10","unstructured":"grsecurity: super fun 2.6.30+\/rhel5 2.6.18 local kernel exploit. https:\/\/grsecurity.net\/~spender\/exploits\/exploit2.txt. 
Accessed 21 May 2019"},{"key":"890_CR11","doi-asserted-by":"publisher","first-page":"161","DOI":"10.1007\/978-3-319-62105-0_11","volume-title":"Engineering Secure Software and Systems","author":"D Gruss","year":"2017","unstructured":"Gruss, D., Lipp, M., Schwarz, M., Fellner, R., Maurice, C., Mangard, S.: Kaslr is dead: long live kaslr. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds.) Engineering Secure Software and Systems, pp. 161\u2013176. Springer, Cham (2017)"},{"key":"890_CR12","unstructured":"Gu, J., Li, H., Li, W., Xia, Y., Chen, H.: EPK: scalable and efficient memory protection keys. In: 2022 USENIX Annual Technical Conference (USENIX ATC 22), pp. 609\u2013624. USENIX Association, Carlsbad (2022)"},{"key":"890_CR13","doi-asserted-by":"publisher","unstructured":"Holmes, B., Waterman, J., Williams, D.: Kaslr in the age of microvms. In: Proceedings of the Seventeenth European Conference on Computer Systems (EuroSys\u201922), pp. 149\u2013165. Association for Computing Machinery, NY (2022). https:\/\/doi.org\/10.1145\/3492321.3519578","DOI":"10.1145\/3492321.3519578"},{"key":"890_CR14","doi-asserted-by":"publisher","unstructured":"Hu, Z., Lee, S., Peinado, M.: Hacksaw: Hardware-centric kernel debloating via device inventory and dependency analysis. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS\u201923), pp. 1994\u20132008. Association for Computing Machinery, New York (2023). https:\/\/doi.org\/10.1145\/3576915.3623208","DOI":"10.1145\/3576915.3623208"},{"key":"890_CR15","unstructured":"Intel: Intel(r) 64 and ia-32 architectures software developer\u2019s manual. https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/intel-sdm.html. Accessed 18 Aug 2021"},{"key":"890_CR16","doi-asserted-by":"publisher","unstructured":"Kemerlis, V.P., Polychronakis, M., Keromytis, A.D.: Ret2dir: rethinking kernel isolation. 
In: Proceedings of the 23rd USENIX Conference on Security Symposium (SEC\u201914), pp. 957\u2013972. USENIX Association, USA (2014). https:\/\/doi.org\/10.5555\/2671225.2671286","DOI":"10.5555\/2671225.2671286"},{"key":"890_CR17","first-page":"212","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"A Kurmus","year":"2014","unstructured":"Kurmus, A., Dechand, S., Kapitza, R.: Quantifiable run-time kernel attack surface reduction. In: Dietrich, S. (ed.) Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 212\u2013234. Springer, Cham (2014)"},{"key":"890_CR18","doi-asserted-by":"publisher","first-page":"61","DOI":"10.1007\/978-3-031-39828-5_4","volume-title":"Network and System Security","author":"H Kuzuno","year":"2023","unstructured":"Kuzuno, H., Yamauchi, T.: Kdrm: kernel data relocation mechanism to mitigate privilege escalation attack. In: Li, S., Manulis, M., Miyaji, A. (eds.) Network and System Security, pp. 61\u201376. Springer, Cham (2023)"},{"key":"890_CR19","unstructured":"LWN.net: Kernel address space layout randomization. https:\/\/lwn.net\/Articles\/569635\/. Accessed 12 May 2022"},{"key":"890_CR20","doi-asserted-by":"publisher","unstructured":"Maar, L., Schwarzl, M., Rauscher, F., Gruss, D., Mangard, S.: Dope: domain protection enforcement with pks. In: Proceedings of the 39th Annual Computer Security Applications Conference (ACSAC\u201923), pp. 662\u2013676. Association for Computing Machinery, New York (2023). https:\/\/doi.org\/10.1145\/3627106.3627113","DOI":"10.1145\/3627106.3627113"},{"key":"890_CR21","unstructured":"MITRE: Cve-2016-4997. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-4997. Accessed 10 June 2019"},{"key":"890_CR22","unstructured":"MITRE: Cve-2016-9793. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-9793. Accessed 10 June 2019"},{"key":"890_CR23","unstructured":"MITRE: Cve-2017-1000112. 
https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-1000112. Accessed 10 June 2019"},{"key":"890_CR24","unstructured":"MITRE: Cve-2017-16995. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-16995. Accessed 10 June 2019"},{"key":"890_CR25","doi-asserted-by":"publisher","unstructured":"Narayanan, V., Huang, Y., Tan, G., Jaeger, T., Burtsev, A.: Lightweight kernel isolation with virtualization and vm functions. In: Proceedings of the 16th ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments (VEE\u201920), pp. 157\u2013171. Association for Computing Machinery, New York (2020). https:\/\/doi.org\/10.1145\/3381052.3381328","DOI":"10.1145\/3381052.3381328"},{"key":"890_CR26","doi-asserted-by":"publisher","unstructured":"Nikolaev, R., Nadeem, H., Stone, C., Ravindran, B.: Adelie: continuous address space layout re-randomization for Linux drivers. In: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS\u201922), pp. 483\u2013498. Association for Computing Machinery, NY (2022). https:\/\/doi.org\/10.1145\/3503222.3507779","DOI":"10.1145\/3503222.3507779"},{"key":"890_CR27","doi-asserted-by":"publisher","first-page":"103104","DOI":"10.1016\/j.cose.2023.103104","volume":"127","author":"B Novkovi\u0107","year":"2023","unstructured":"Novkovi\u0107, B., Golub, M.: Improving monolithic kernel security and robustness through intra-kernel sandboxing. Comput. Secur. 127, 103104 (2023). https:\/\/doi.org\/10.1016\/j.cose.2023.103104","journal-title":"Comput. Secur."},{"key":"890_CR28","doi-asserted-by":"publisher","unstructured":"Proskurin, S., Momeu, M., Ghavamnia, S., Kemerlis, V.P., Polychronakis, M.: xmp: selective memory protection for kernel and user space. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 563\u2013577 (2020). 
https:\/\/doi.org\/10.1109\/SP40000.2020.00041","DOI":"10.1109\/SP40000.2020.00041"},{"key":"890_CR29","doi-asserted-by":"publisher","first-page":"46584","DOI":"10.1109\/ACCESS.2018.2866498","volume":"6","author":"W Qiang","year":"2018","unstructured":"Qiang, W., Yang, J., Jin, H., Shi, X.: Privguard: protecting sensitive kernel data from privilege escalation attacks. IEEE Access 6, 46584\u201346594 (2018). https:\/\/doi.org\/10.1109\/ACCESS.2018.2866498","journal-title":"IEEE Access"},{"key":"890_CR30","doi-asserted-by":"publisher","unstructured":"Shacham, H., Page, M., Pfaff, B., Goh, E.J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS\u201904), pp. 298\u2013307. Association for Computing Machinery, NY (2004). https:\/\/doi.org\/10.1145\/1030083.1030124","DOI":"10.1145\/1030083.1030124"},{"key":"890_CR31","doi-asserted-by":"publisher","unstructured":"Song, D., Lettner, J., Rajasekaran, P., Na, Y., Volckaert, S., Larsen, P., Franz, M.: Sok: sanitizing for security. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1275\u20131295 (2019). https:\/\/doi.org\/10.1109\/SP.2019.00010","DOI":"10.1109\/SP.2019.00010"},{"key":"890_CR32","doi-asserted-by":"publisher","unstructured":"Sung, M., Olivier, P., Lankes, S., Ravindran, B.: Intra-unikernel isolation with intel memory protection keys. In: Proceedings of the 16th ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments (VEE\u201920), pp. 143\u2013156. Association for Computing Machinery, New York (2020). 
https:\/\/doi.org\/10.1145\/3381052.3381326","DOI":"10.1145\/3381052.3381326"},{"issue":"4","key":"890_CR33","doi-asserted-by":"publisher","first-page":"461","DOI":"10.1007\/s10207-020-00514-7","volume":"20","author":"T Yamauchi","year":"2021","unstructured":"Yamauchi, T., Akao, Y., Yoshitani, R., Nakamura, Y., Hashimoto, M.: Additional kernel observer: privilege escalation attack prevention mechanism focusing on system call privilege changes. Int. J. Inf. Secur. 20(4), 461\u2013473 (2021). https:\/\/doi.org\/10.1007\/s10207-020-00514-7","journal-title":"Int. J. Inf. Secur."},{"key":"890_CR34","unstructured":"Yoo, S., Park, J., Kim, S., Kim, Y., Kim, T.: In-kernel control-flow integrity on commodity OSes using ARM pointer authentication. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 89\u2013106. USENIX Association, Boston (2022)"},{"key":"890_CR35","doi-asserted-by":"publisher","first-page":"691","DOI":"10.1007\/978-3-030-00470-5_32","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"Z Zhang","year":"2018","unstructured":"Zhang, Z., Cheng, Y., Nepal, S., Liu, D., Shen, Q., Rabhi, F.: Kasr: a reliable and practical approach to attack surface reduction of commodity os kernels. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds.) Research in Attacks, Intrusions, and Defenses, pp. 691\u2013710. 
Springer, Cham (2018)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00890-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-024-00890-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00890-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,14]],"date-time":"2024-09-14T01:07:30Z","timestamp":1726276050000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-024-00890-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,25]]},"references-count":35,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2024,10]]}},"alternative-id":["890"],"URL":"https:\/\/doi.org\/10.1007\/s10207-024-00890-4","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2024,7,25]]},"assertion":[{"value":"25 July 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest as defined by Springer or other interests that might be perceived to influence the results and\/or discussion reported in this paper.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}
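The abstract describes the KDRM idea at the level of the mechanism: privileged data (in practice the process credential structure) lives in one of several relocation-only pages, and on every system call invocation a randomly chosen page takes over, so a kernel address an attacker learned earlier no longer points at the live copy. The user-space C model below is an illustration added to this record; it is not the paper's kernel implementation and reproduces none of its code. The names `kdrm_relocate`, `kdrm_audit`, `current_cred`, the page count `KDRM_PAGES`, and the poisoning of vacated pages plus the audit that scans them are all assumptions made here (the abstract does not describe poisoning or auditing). The model contrasts a fixed-address credential, which a stale arbitrary write corrupts, with a relocated one, where the same write lands on a vacated page and is detectable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parameters of the model (not from the paper). */
#define KDRM_PAGES  8       /* number of relocation-only pages */
#define KDRM_POISON 0xA5    /* byte pattern written to a page once it is vacated */

struct cred {               /* minimal stand-in for the kernel's credential struct */
    uint32_t uid, gid, euid, egid;
    uint64_t cap_effective;
};

static struct cred kdrm_page[KDRM_PAGES];   /* the relocation-only pages */
static int         kdrm_live = 0;           /* index of the page holding the live cred */
static uint64_t    rng_state = 0x9E3779B97F4A7C15ull;

/* xorshift64: deterministic stand-in for the kernel's random page choice. */
static uint32_t xorshift(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return (uint32_t)(rng_state >> 32);
}

/* Pointer to the live credential, wherever it currently sits. */
struct cred *current_cred(void) { return &kdrm_page[kdrm_live]; }

/* System-call entry hook: move the live cred to a different random page and
   poison the page it came from so later writes to it are distinguishable. */
void kdrm_relocate(void)
{
    int next;
    do { next = (int)(xorshift() % KDRM_PAGES); } while (next == kdrm_live);
    kdrm_page[next] = kdrm_page[kdrm_live];
    memset(&kdrm_page[kdrm_live], KDRM_POISON, sizeof(struct cred));
    kdrm_live = next;
}

/* Reset: all pages poisoned, page 0 holds an unprivileged cred. */
void kdrm_init(uint32_t uid)
{
    for (int i = 0; i < KDRM_PAGES; i++)
        memset(&kdrm_page[i], KDRM_POISON, sizeof(struct cred));
    kdrm_live = 0;
    kdrm_page[0] = (struct cred){ uid, uid, uid, uid, 0 };
}

/* A syscall as the user process sees it: the kernel relocates, then works. */
uint32_t sys_getuid_kdrm(void)
{
    kdrm_relocate();
    return current_cred()->uid;
}

/* Attacker primitive: an arbitrary kernel write (from some memory-corruption
   bug) aimed at a cred address obtained earlier through an info leak. */
void attacker_write_uid0(struct cred *leaked)
{
    leaked->uid = 0;
    leaked->euid = 0;
}

/* Audit (an addition of this model): count vacated pages whose bytes no longer
   match the poison pattern. Only an out-of-band write can cause that. */
int kdrm_audit(void)
{
    int hits = 0;
    for (int i = 0; i < KDRM_PAGES; i++) {
        if (i == kdrm_live) continue;
        const unsigned char *p = (const unsigned char *)&kdrm_page[i];
        for (size_t j = 0; j < sizeof(struct cred); j++)
            if (p[j] != KDRM_POISON) { hits++; break; }
    }
    return hits;
}

/* Baseline: cred at one fixed address for the life of the process. */
static struct cred fixed_cred;
uint32_t demo_no_kdrm(void)
{
    fixed_cred = (struct cred){ 1000, 1000, 1000, 1000, 0 };
    struct cred *leaked = &fixed_cred;      /* info leak at time t0 */
    attacker_write_uid0(leaked);            /* write hits the live cred */
    return fixed_cred.uid;                  /* 0: escalation succeeded */
}

/* With relocation: one syscall between leak and write is enough to miss. */
uint32_t demo_kdrm(void)
{
    kdrm_init(1000);
    struct cred *leaked = current_cred();   /* info leak at time t0 */
    sys_getuid_kdrm();                      /* cred moved to another page */
    attacker_write_uid0(leaked);            /* lands on the vacated page */
    return current_cred()->uid;             /* 1000: live cred untouched */
}

int main(void)
{
    printf("fixed address: uid after attack = %u\n", demo_no_kdrm());
    printf("KDRM model:    uid after attack = %u, tampered vacated pages = %d\n",
           demo_kdrm(), kdrm_audit());
    return 0;
}
```

Two caveats the model makes visible. First, the protection is probabilistic: `kdrm_relocate` only guarantees the live page differs from the previous one, so after several more system calls the live cred can land back on the leaked page, and with `KDRM_PAGES` pages a stale write hits the live copy with probability of roughly 1 in `KDRM_PAGES` at any later instant. Second, relocation happens at system call invocation, so a leak and a write that occur with no intervening syscall from the victim process are not separated by a move; in the model the vacated-page audit turns a missed write into a detectable event, which is the kind of check a defender would want alongside the relocation itself.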