Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

TL;DR

MemoryRanger is a hypervisor-based system that isolates kernel drivers in separate enclaves using hardware virtualization features, enhancing security against tampering and data theft with minimal performance impact.

Contribution

It introduces a novel approach to kernel driver isolation using hardware virtualization, improving OS security in untrusted environments.

Findings

Effective driver isolation with low performance overhead

Protection of driver code and data from tampering

Compatibility with Windows 10 x64 systems

Abstract

One of the main issues in the OS security is to provide trusted code execution in an untrusted environment. During executing, kernel-mode drivers allocate and process memory data: OS internal structures, users private information, and sensitive data of third-party drivers. All this data and the drivers code can be tampered with by kernel-mode malware. Microsoft security experts integrated new features to fill this gap, but they are not enough: allocated data can be stolen and patched and the drivers code can be dumped without any security reaction. The proposed hypervisor-based system (MemoryRanger) tackles this issue by executing drivers in separate kernel enclaves with specific memory attributes. MemoryRanger protects code and data using Intel VT-x and EPT features with low performance degradation on Windows 10 x64.