A Lightweight Kernel Objects Monitoring Infrastructure for Embedded Systems

In this paper, a lightweight system level monitoring infrastructure known as kernel objects monitoring infrastructure (KOMI) is presented for commercial-off-the-shelf (COTS) embedded systems. The kernel objects consist of certain critical kernel data structures and entry points of system calls, which are protected as first-class objects inside the system. KOMI provides specific runtime protections to different kernel objects: kernel data structures are protected by the periodic detection and recovery, the interception of arguments is used to protect vulnerable system calls. Both protection methods can provide not only consistency regulations but also recovery actions for the system. During its runtime deployment, once any system inconsistency has been detected, predefined recovery actions will be invoked. Since KOMI requires few modifications to kernel source code, it is easy to integrate into existing embedded systems. The evaluation experiment results indicate our prototype system can correctly detect the inconsistent kernel data structures caused by security attacks and also prevent kernel from exploits due to vulnerable system calls with acceptable penalty to the system performance. Moreover, KOMI is fully software-based without introducing any specific hardware and requires no modifications to system call APIs, therefore legacy applications can be also easily reused.