Kruiser: Semi-synchronized Non-blocking Concurrent Kernel Heap Buffer 
	 Overflow Monitoring
Donghai Tian, Qiang Zeng, Dinghao Wu, Peng Liu, Changzhen Hu

Abstract

Kernel heap buffer overflow vulnerabilities have been exposed for
decades, but there are few practical countermeasure that can be
applied to OS kernels. Previous solutions either suffer from high
performance overhead or compatibility problems with mainstream kernels
and hardware.  In this paper, we present KRUISER, a concurrent kernel
heap buffer overflow monitor. Unlike conventional methods, the
security enforcement of which is usually inlined into the kernel
execution, Kruiser migrates security enforcement from the kernel’s
normal execution to a concurrent monitor process, leveraging the
increasingly popular multi-core architectures. To reduce the
synchronization overhead between the monitor process and the running
kernel, we design a novel semi-synchronized non-blocking monitoring
algorithm, which enables efficient runtime detection on live memory
without incurring false positives. To prevent the monitor process from
being tampered and provide guaranteed performance isolation, we
utilize the virtualization technology to run the monitor process out
of the monitored VM, while heap memory allocation information is
collected inside the monitored VM in a secure and efficient way. The
hybrid VM monitoring technique combined with the secure canary that
cannot be counterfeited by attackers provides guaranteed overflow
detection with high efficiency. We have implemented a prototype of
KRUISER based on Linux and the Xen hypervisor. The evaluation shows
that Kruiser can detect realistic kernel heap buffer overflow attacks
effectively with minimal overhead.