Identification of Vulnerable Kernel Code Using Kernel Tracing Mechanism

Vulnerable kernel code is a threat to an operating system kernel. An adversary's user process can forcefully invoke vulnerable kernel code to cause privilege escalation or denial of service (DoS). Although security engineers belong Computer Security Incident Response Team (CSIRT) and Product Security Incident Response Team (PSIRT) of service providers or security operators have to consider the effect of kernel vulnerability on their system environment when deciding whether or not to update a kernel, the list of vulnerable kernel code is not provided in the Common Vulnerabilities and Exposures (CVE) report In addition, it is difficult to identify the vulnerable kernel code from the exploitation results in the kernel which indicates the account or the kernel suspension information. To identify the details of kernel vulnerability, we propose a vulnerable kernel code tracer (vkTracer), which uses an alternative viewpoint using proof-of-concept (PoC) code to create a profile of kernel vulnerability. vkTracer traces the user process of the PoC code and the running kernel to hook the invocation of the vulnerable kernel code. Moreover, vkTracer extracts the whole kernel component's information using the running and static kernel image and debug section. This ensures that vkTracer identifies the virtual address range and function name of the invoked kernel code from the traced user process; a profile of kernel vulnerability is then created. The evaluation results indicate that vkTracer could trace PoC code execution (e.g., privilege escalation or DoS), identify vulnerable kernel code, and generate a kernel vulnerability profile. Additionally, vkTracer could trace the kernel code of system call invocation regarding CVE information. Furthermore, the implementation of vkTracer reveals that the identification overhead ranges from 5.2683 s to 5.2728 s on the PoC codes and the acceptable system call latency is 3.7197 μs. Moreover, vkTracer represents 0.37% and 0.56% of the dynamic kernel tracing overhead for the web client program access overhead of 100,000 Hypertext Transfer Protocol sessions.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.31(2023) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.31.788------------------------------

Vulnerable kernel code is a threat to an operating system kernel. An adversary's user process can forcefully invoke vulnerable kernel code to cause privilege escalation or denial of service (DoS). Although security engineers belong Computer Security Incident Response Team (CSIRT) and Product Security Incident Response Team (PSIRT) of service providers or security operators have to consider the effect of kernel vulnerability on their system environment when deciding whether or not to update a kernel, the list of vulnerable kernel code is not provided in the Common Vulnerabilities and Exposures (CVE) report In addition, it is difficult to identify the vulnerable kernel code from the exploitation results in the kernel which indicates the account or the kernel suspension information. To identify the details of kernel vulnerability, we propose a vulnerable kernel code tracer (vkTracer), which uses an alternative viewpoint using proof-of-concept (PoC) code to create a profile of kernel vulnerability. vkTracer traces the user process of the PoC code and the running kernel to hook the invocation of the vulnerable kernel code. Moreover, vkTracer extracts the whole kernel component's information using the running and static kernel image and debug section. This ensures that vkTracer identifies the virtual address range and function name of the invoked kernel code from the traced user process; a profile of kernel vulnerability is then created. The evaluation results indicate that vkTracer could trace PoC code execution (e.g., privilege escalation or DoS), identify vulnerable kernel code, and generate a kernel vulnerability profile. Additionally, vkTracer could trace the kernel code of system call invocation regarding CVE information. Furthermore, the implementation of vkTracer reveals that the identification overhead ranges from 5.2683 s to 5.2728 s on the PoC codes and the acceptable system call latency is 3.7197 μs. Moreover, vkTracer represents 0.37% and 0.56% of the dynamic kernel tracing overhead for the web client program access overhead of 100,000 Hypertext Transfer Protocol sessions.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.31(2023) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.31.788------------------------------