Date of Award
5-2020
Culminating Project Type
Thesis
Degree Name
Information Assurance: M.S.
Department
Information Assurance and Information Systems
College
Herberger School of Business
First Advisor
Dennis C. Guster
Second Advisor
Erich P. Rice
Third Advisor
Balasubramanian Kasi
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
Keywords and Subject Headings
Kernel Memory Leakage, Intrusion Detection Systems, IDS, Loadable Kernel Module, LKM, side-channel attack
Abstract
Data leakage from kernel memory occurs when a memory block is not released back to the kernel after the block is no longer occupied. The leaked data is arbitrary, and confidential data such as encryption keys and passwords may leak out. Meltdown and Spectre are side-channel attack methods that take advantage of this data leakage to gain confidential data (Graz University of Technology, 2018). This study examines how kernel memory leakage can be read, given that kernel memory is a protected memory area that even the root account of an operating system is unable to access (Ning, Qing, & Li, 2006). Reading kernel memory leakage is only part of the solution to mitigate Meltdown and Spectre. To provide a solution, the leaked data from kernel memory must be usable by an Intrusion Detection System (IDS), so that alerts can determine whether there is a possible attack on kernel memory to obtain confidential data. As a result, kmemleak is used: a module created to provide a way to detect possible kernel memory leaks, similar to a tracing garbage collector (gc) (The kernel development community, n.d.).
Recommended Citation
Ho, Lee, "Kernel Memory Leakage Detection for Intrusion Detection Systems (IDS)" (2020). Culminating Projects in Information Assurance. 98.
https://repository.stcloudstate.edu/msia_etds/98