I mostly found examples the other way around: compromising the OS e.g. through a compromised BIOS or Intel ME. But are there known examples where stuff runs underneath the kernel and can be used to protect it or the OS in general? Regarding ring -1/ hypervisor mode I found some examples but could not really find anything else. I'm not thinking about SecureBoot et al but more about exploit protection of a running kernel.
3 Answers
Yes, with varying degrees of success. Of these, only the first two are commonly used in production:
- RKP (Real-time Kernel Protection) from Samsung Knox, which blocks unauthorized access or modification to kernel code by userspace, and monitors sensitive credentials in the kernel.
- KDP, a Microsoft technology using a set of hypervisor-based features called VBS.
- Various experimental hypervisors based on BitVisor, such as SecVisor, with varying goals.
- Cappsule by Quarkslab, which runs a CoW copy of the kernel for each spawned process.
- McAfee DeepSAFE, a hypervisor that provides a tamper-resistant view of system events.
- Co-processor-based integrity protection such as the experimental Copilot.
- VBH, an experimental and out-of-tree Linux hardening patch similar to Microsoft's KDP.
I believe there was also some short-lived custom Intel ME module ("ring -3") which was designed for similar purposes, but I forget the name. SMM ("ring -2") could also theoretically be used for integrity, depending on what events can trigger a SMI (System Management Interrupt). Note that these are not "true" protection rings, as I explained in greater detail in another answer.
- 64,616
- 20
- 206
- 257
-
Sony and geohot would disagree... – ThoriumBR May 25 '21 at 00:46
-
@ThoriumBR Most of these are not particularly effective (hence "with varying degrees of success"). I'm just listing some of the attempts, regardless of how easily they can be bypassed. – forest May 25 '21 at 00:47
You're very vague. Narrow it down: which OS? Which processor protections?
ATTACKER'S PERSPECTIVE
If you're speaking Linux, you can use the kernel to subvert the kernel (insmod a kernel module).
Windows is a little less straightforward depending on platform (x64 requires signed drivers, etc.).
Depending on the hardware, Rowhammer, etc. could be used.
DEFENDER'S PERSPECTIVE
Windows: from low level up, most AVs drop drivers to perform I/O Request Packet (IRP) hooking, rewrite/install or hook their own System Service Dispatch Table (SSDT), manipulate the Intterupt Descriptor Table (IDT), or even manipulate all processes' Import Address Tables (IATs), etc.:
https://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319
You can even view this with the gmer AV tool: http://www.gmer.net/
Linux: I'm not too familiar with RE on Linux, only OSX. However, there may be some merit in a formally verified kernel, e.g. SeL4: https://wiki.sel4.systems/FrequentlyAskedQuestions
- 610
- 4
- 15
I don't think it's possible to protect any layer from the layer bellow it, no matter how much you spend protecting it.
Take the Playstation 3 platform, for example. There were several layers of protection, from the boot ROM inside the chip to the code signing, everything was meant to resist attacks from hardware AND software. It took a while, but hackers started to break the security of the PS3 by using a memory corruption glitch.
The kernel can have routines to detect unauthorized changed memory, but an attacker can patch the routines to always return false. Functions can be signed, but the signature can be forged. Digital signatures depending on public key signatures can only protect themselves until the signatures are changed.
- 50,648
- 13
- 127
- 142
-
I looked into this a little and I can't see anything that suggests that the PlayStation 3 used a hypervisor or similar hardware abstractions for security. Do you have any references which suggest that their kernel is actively monitored by some lower-level software? – forest Aug 26 '22 at 21:29
-
What about https://www.psdevwiki.com/ps3/Hypervisor_Reverse_Engineering or https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was-hacked/ ? – ThoriumBR Aug 27 '22 at 23:53
-
I thought the PS3 hypervisor was only used for things like Linux guest OSes and that's why guest OSes weren't able to access the GPU. Did the hypervisor also run the main PS3 software as well? – forest Aug 27 '22 at 23:57