Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

One of the main issues in the OS security is to provide trusted code execution in an untrusted environment. During executing, kernel-mode drivers allocate and process memory data: OS internal structures, users’ private information, and sensitive data of third-party drivers. All this data and the drivers code can be tampered with by kernel-mode malware. Microsoft security experts integrated new features to fill this gap, but they are not enough: allocated data can be stolen and patched and the driver’s code can be dumped without any security reaction. The proposed hypervisor-based system (MemoryRanger) tackles this issue by executing drivers in separate kernel enclaves with specific memory attributes. MemoryRanger protects code and data using Intel VT-x and EPT features with low performance degradation on Windows 10 x64.

MemoryRanger details are here:

• paper: BHEU.paper.pdf, my version.pdf , my.paper.docx
• slides: BHEU.slides.pdf, my.slides.pdf, my.slides.pptx
• slides: speech.pdf, speech.docx,
• source code and two demos

Update: this research is evaluated by a famous security lead: Thank you for sharing my research results! It's a big privilege for me! — Igor Korkin (@IgorKorkin) December 11, 2018 Yuriy Bulygin has been the chief threat researcher at Intel Security/McAfee and led the Advanced Threat Research team. Thank you, Yuriy!

Korkin, I. (2018, December 5-6). Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces. In Proceedings of the BlackHat Europe Conference, London, UK. Retrieved from https://www.blackhat.com/eu-18/briefings/schedule/#divide-et-impera-memoryranger-runs-drivers-in-isolated-kernel-spaces-12668