Letting applications operate through attacks launched from compromised drivers

Abstract

With the rapid prevalence of E-Commerce, MMO and social networking, the demand on service availability and continuity is increasingly crucial to production servers or data centers. Hence, software failure recovery systems are thoroughly studied. However, stimulated by significant commercial revenue, attackers begin trying to evade the existing auditing/recovering techniques by manipulating the service applications through the compromised kernel. Nowadays, device drivers account for more than half (could be as high as 70%) of the source code of most commodity operating system kernels, with much more exploitable vulnerabilities than other kernel code [2]. This renders the attackers the opportunity to exploit the driver vulnerability and leverage the kernel privilege of the compromised drivers. With the unrestricted access to the whole (kernel/user) memory address space, successful attackers can launch denial of service attack by incurring driver fault, manipulating critical code/data or even the metadata of the service application process.