
SecPT: Providing Efficient Page Table Protection based on SMAP Feature in an Untrusted Commodity Kernel

2021 IEEE 20TH INTERNATIONAL CONFERENCE ON TRUST, SECURITY AND PRIVACY IN COMPUTING AND COMMUNICATIONS (TRUSTCOM 2021)(2021)

Abstract
Page tables are one of the key data structures in the OS (operating system) kernel. They play an extremely important role in memory access and protection. However, page tables are a fundamental weakness of the operating system because they share the same address space with the vulnerable kernel and are thus subject to kernel data-only attacks. To solve that, researchers have relied on self-protection at the same kernel privilege level, without introducing a higher-privilege layer, for efficient world switches and effective page table protection. This approach needs to intercept and verify every update to the kernel page tables. To improve performance, the time consumed by each interception must be reduced as much as possible. In this paper, we propose an architecture to provide efficient page table protection based on the Supervisor-mode Access Prevention (SMAP) hardware feature and Kernel Page Table Isolation (KPTI) from an untrusted kernel. SecPT maintains the kernel page tables that are actually used by the kernel in the protection domain and prevents the compromised kernel from subverting page table protection by abusing some privileged instructions. We have implemented a prototype of SecPT. The experimental results show that SecPT provides both effective and efficient page table protection.
Keywords
page table protection, SMAP, memory isolation