Hades∗: Scanning Kernel Extensions to Trust the Untrustworthy

Modern monolithic OSes leverage the loadable kernel module paradigm to add functionality to the kernel and allow a system to communicate with an increasing number of I/O devices. This paradigm is convenient as OS designers can outsource extra functionality to third parties and keep the original kernel from growing too large. On the other hand, this paradigm represents an avenue for exploitation as extensions become part of the kernel. Proposed kernel defense and driver containment solutions have not been widely deployed mostly because they require custom kernels and/or hypervisors. This paper proposes a practical solution to guide a system administrator in the challenging task of trusting the untrustworthy: a VM-based tool, Hades, which performs a fine-grained scan of module’s execution with the generation of a report file. Hades assumes the non-enforced kernel security policy that extensions should only interact with the kernel through a set of exported functions. It determines whether a module accesses a kernel data structure (static or dynamic), its name, type of access and also which non-exported functions were accessed. Experimental results with 14 benign modules and drivers and 7 rootkits show that even some benign extensions attempt to circumvent the kernel exported interface, and the vast majority of rootkits need to tamper with kernel data structures and invoke non-exported functions. Hades incurs negligible overhead to the guest OS (less than 2%) and a 1.25X slowdown to the VM, which is acceptable for an offline tool.