start-ver=1.4 cd-journal=joma no-vol=12835 cd-vols= no-issue= article-no= start-page=64 end-page=73 dt-received= dt-revised= dt-accepted= dt-pub-year=2021 dt-pub=20210827 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=(Short Paper) Evidence Collection and Preservation System with Virtual Machine Monitoring en-subtitle= kn-subtitle= en-abstract= kn-abstract=In a system audit and verification, it is important to securely collect and preserve evidence of execution environments, execution processes, and program execution results. Evidence-based verification of program processes ensures their authenticity; for example, the processes include no altered/infected program library. This paper proposes a solution for collection of evidence on program libraries based on Virtual Machine Monitor (VMM). The solution can solve semantic gap by obtaining library file path names. This paper also shows a way to obtain hash values of library files from a guest OS. Furthermore, this paper provides examples of evidence on program execution and the overhead of the solution. en-copyright= kn-copyright= en-aut-name=NakamuraToru en-aut-sei=Nakamura en-aut-mei=Toru kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=ItoHiroshi en-aut-sei=Ito en-aut-mei=Hiroshi kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=KiyomotoShinsaku en-aut-sei=Kiyomoto en-aut-mei=Shinsaku kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= affil-num=1 en-affil=KDDI Research, Inc. kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=KDDI Research, Inc. 
kn-affil= affil-num=4 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Virtual machine introspection kn-keyword=Virtual machine introspection en-keyword=Forensics kn-keyword=Forensics en-keyword=OS security kn-keyword=OS security END start-ver=1.4 cd-journal=joma no-vol=26 cd-vols= no-issue= article-no= start-page=396 end-page=405 dt-received= dt-revised= dt-accepted= dt-pub-year=2018 dt-pub=2018 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Access Control Mechanism to Mitigate Cordova Plugin Attacks in Hybrid Applications en-subtitle= kn-subtitle= en-abstract= kn-abstract=Hybrid application frameworks such as Cordova are more and more popular to create platform-independent applications (apps) because they provide special APIs to access device resources in a platform-agnostic way. By using these APIs, hybrid apps can access device resources through JavaScript. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova's plugin interface to steal and tamper with device resources. We address this attack and cross-site scripting attacks against hybrid apps. Since these attacks need to use plugins to access device resources, we refer to both of these attacks as Cordova plugin attacks. We further demonstrate a defense against Cordova plugin attacks through the use of a novel runtime access control mechanism that restricts access based on the mobile user's judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to Cordova plugin attacks. Moreover, we evaluate the effectiveness and performance of our mechanism. 
en-copyright= kn-copyright= en-aut-name=KudoNaoki en-aut-sei=Kudo en-aut-mei=Naoki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=AustinThomas H. en-aut-sei=Austin en-aut-mei=Thomas H. kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=San Jose State University kn-affil= en-keyword=hybrid Application kn-keyword=hybrid Application en-keyword=Android kn-keyword=Android en-keyword=Access Control kn-keyword=Access Control END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=1063 end-page=1069 dt-received= dt-revised= dt-accepted= dt-pub-year=2017 dt-pub=20173 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Access Control for Plugins in Cordova-Based Hybrid Applications en-subtitle= kn-subtitle= en-abstract= kn-abstract=Hybrid application frameworks such as Cordova allow mobile application (app) developers to create platform-independent apps. The code is written in JavaScript, with special APIs to access device resources in a platform-agnostic way. In this paper, we present a novel app-repackaging attack that repackages hybrid apps with malicious code; this code can exploit Cordova's plugin interface to tamper with device resources. We further demonstrate a defense against this attack through the use of a novel runtime access control mechanism that restricts access based on the mobile user's judgement. Our mechanism is easy to introduce to existing Cordova apps, and allows developers to produce apps that are resistant to app-repackaging attacks. 
en-copyright= kn-copyright= en-aut-name=KudoNaoki en-aut-sei=Kudo en-aut-mei=Naoki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=AustinThomas H. en-aut-sei=Austin en-aut-mei=Thomas H. kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=San Jose State University kn-affil= END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=1628 end-page=1633 dt-received= dt-revised= dt-accepted= dt-pub-year=2013 dt-pub=2013 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Access Control to Prevent Attacks Exploiting Vulnerabilities of WebView in Android OS en-subtitle= kn-subtitle= en-abstract= kn-abstract=Android applications that use WebView can load and display web pages. Furthermore, by using the APIs provided in WebView, Android applications can interact with web pages. The interaction allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering with personal information in the device. To address these threats, we propose a method that performs access control on the security-sensitive APIs at the Java object level. The proposed method uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages. 
en-copyright= kn-copyright= en-aut-name=YuJing en-aut-sei=Yu en-aut-mei=Jing kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Java kn-keyword=Java en-keyword=Androids kn-keyword=Androids en-keyword=Humanoid robots kn-keyword=Humanoid robots en-keyword=Web pages kn-keyword=Web pages en-keyword=Smart phones kn-keyword=Smart phones en-keyword=Assembly kn-keyword=Assembly en-keyword=Browsers kn-keyword=Browsers END start-ver=1.4 cd-journal=joma no-vol=E98D cd-vols= no-issue=4 article-no= start-page=807 end-page=811 dt-received= dt-revised= dt-accepted= dt-pub-year=2015 dt-pub=2015 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Access Control to Prevent Malicious JavaScript Code Exploiting Vulnerabilities of WebView in Android OS en-subtitle= kn-subtitle= en-abstract= kn-abstract=Android applications that use WebView can load and display web pages. Interaction with web pages allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering with personal information in the device. To address these threats, we propose an access control on the security-sensitive APIs at the Java object level. The proposed access control uses static analysis to identify these security-sensitive APIs, detects threats at runtime, and notifies the user if threats are detected, thereby preventing attacks from web pages. 
en-copyright= kn-copyright= en-aut-name=YuJing en-aut-sei=Yu en-aut-mei=Jing kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Android kn-keyword=Android en-keyword=WebView kn-keyword=WebView en-keyword=static analysis kn-keyword=static analysis en-keyword=access control kn-keyword=access control END start-ver=1.4 cd-journal=joma no-vol=12583 cd-vols= no-issue= article-no= start-page= end-page= dt-received= dt-revised= dt-accepted= dt-pub-year=2020 dt-pub=20201209 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Accessibility Service Utilization Rates in Android Applications Shared on Twitter en-subtitle= kn-subtitle= en-abstract= kn-abstract=The number of malware detected has been increasing annually, and 4.12% of malware reported in 2018 attacked Android phones. Therefore, preventing attacks by Android malware is critically important. Several previous studies have investigated the percentage of apps that utilize accessibility services and are distributed from Google Play, that have been reportedly used by Android malware. However, the Social Networking Services (SNSs) that are used to spread malware have distributed apps not only from Google Play but also from other sources. Therefore, apps distributed from within and outside of Google Play must be investigated to capture malware trends. In this study, we collected apps shared on Twitter in 2018, which is a representative SNS, and created a Twitter shared apps dataset. The dataset consists of 32,068 apps downloaded from the websites of URLs collected on Twitter. 
We clarified the proportion of apps that contained malware and proportion of apps utilizing accessibility services. We found that both, the percentage of malware and percentage of total apps using accessibility services have been increasing. Notably, the percentages of malware and un-suspicious apps using accessibility services were quite similar. Therefore, this problem cannot be solved by automatically blocking all apps that use accessibility services. Hence, specific countermeasures against malware using accessibility services will be increasingly important for online security in the future. en-copyright= kn-copyright= en-aut-name=IchiokaShuichi en-aut-sei=Ichioka en-aut-mei=Shuichi kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=PougetEstelle en-aut-sei=Pouget en-aut-mei=Estelle kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=MimuraTakao en-aut-sei=Mimura en-aut-mei=Takao kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=NakajimaJun en-aut-sei=Nakajima en-aut-mei=Jun kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=5 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=4 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=5 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Accessibility Service kn-keyword=Accessibility Service en-keyword=Android App kn-keyword=Android App en-keyword=Malware kn-keyword=Malware en-keyword=SNS kn-keyword=SNS END start-ver=1.4 cd-journal=joma no-vol=20 cd-vols= no-issue= 
article-no= start-page=461 end-page=473 dt-received= dt-revised= dt-accepted= dt-pub-year=2020 dt-pub=20200625 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Additional kernel observer: privilege escalation attack prevention mechanism focusing on system call privilege changes en-subtitle= kn-subtitle= en-abstract= kn-abstract=Cyberattacks, especially attacks that exploit operating system vulnerabilities, have been increasing in recent years. In particular, if administrator privileges are acquired by an attacker through a privilege escalation attack, the attacker can operate the entire system and cause serious damage. In this paper, we propose an additional kernel observer (AKO) that prevents privilege escalation attacks that exploit operating system vulnerabilities. We focus on the fact that a process privilege can be changed only by specific system calls. AKO monitors privilege information changes during system call processing. If AKO detects a privilege change after system call processing, whereby the invoked system call does not originally change the process privilege, AKO regards the change as a privilege escalation attack and applies countermeasures against it. AKO can therefore prevent privilege escalation attacks. Introducing the proposed method in advance can prevent this type of attack by changing any process privilege that was not originally changed in a system call, regardless of the vulnerability type. In this paper, we describe the design and implementation of AKO for Linux x86 64-bit. Moreover, we show that AKO can be expanded to prevent the falsification of various data in the kernel space. Then, we present an expansion example that prevents the invalidation of Security-Enhanced Linux. Finally, our evaluation results show that AKO is effective against privilege escalation attacks, while maintaining low overhead. 
en-copyright= kn-copyright= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=AkaoYohei en-aut-sei=Akao en-aut-mei=Yohei kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=YoshitaniRyota en-aut-sei=Yoshitani en-aut-mei=Ryota kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=NakamuraYuichi en-aut-sei=Nakamura en-aut-mei=Yuichi kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= en-aut-name=HashimotoMasaki en-aut-sei=Hashimoto en-aut-mei=Masaki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=5 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University. NTT Communications Corporation kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=4 en-affil=Hitachi Ltd. kn-affil= affil-num=5 en-affil=Graduate School of Information Security, Institute of Information Security kn-affil= en-keyword=Privilege escalation attack prevention kn-keyword=Privilege escalation attack prevention en-keyword=Operating system kn-keyword=Operating system en-keyword=Linux kernel vulnerabilities kn-keyword=Linux kernel vulnerabilities en-keyword=Non-control-data attack kn-keyword=Non-control-data attack en-keyword=System security kn-keyword=System security END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=913 end-page=915 dt-received= dt-revised= dt-accepted= dt-pub-year=2021 dt-pub=2021 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Analysis of commands of Telnet logs illegally connected to IoT devices en-subtitle= kn-subtitle= en-abstract= kn-abstract=Mirai is an active malware that targets and poses constant threats to IoT devices. 
IoT malware penetrates IoT devices illegally, makes them download other malware such as bots, and infects them. Therefore, to improve the security of IoT devices, it is important to analyze the behaviors of IoT malware and take countermeasures. In this study, to analyze the behaviors of IoT malware after entering IoT devices and propose new security functions for operating systems to prevent activities such as IoT malware infection, we analyze Telnet logs collected by a honeypot of IoT devices. Thereafter, we report the analysis results regarding IoT malware input commands. The results show that many commands related to shell execution, file download, changing file permissions, and file transfer, are often executed by IoT malware. en-copyright= kn-copyright= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YoshimotoRyota en-aut-sei=Yoshimoto en-aut-mei=Ryota kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=BabaTakahiro en-aut-sei=Baba en-aut-mei=Takahiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=YoshiokaKatsunari en-aut-sei=Yoshioka en-aut-mei=Katsunari kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology Okayama University kn-affil= affil-num=4 en-affil=Graduate School of Environment and Information Sciences / Institute of Advanced Sciences Yokohama National University kn-affil= en-keyword=IoT kn-keyword=IoT en-keyword=malware kn-keyword=malware en-keyword=Telnet log kn-keyword=Telnet log END start-ver=1.4 cd-journal=joma no-vol=2008 cd-vols= no-issue= article-no= start-page=46 end-page=51 dt-received= dt-revised= dt-accepted= dt-pub-year=2008 
dt-pub=2008 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Design and Evaluation of a Bayesian-filter-based Image Spam Filtering Method en-subtitle= kn-subtitle= en-abstract= kn-abstract=In recent years, with the spread of the Internet, the number of spam e-mail has become one of the most serious problems. A recent report reveals that 91% of all e-mail exchanged in 2006 was spam. Using the Bayesian filter is a popular approach to distinguish between spam and legitimate e-mails. It applies the Bayes theory to identify spam. This filter proffers high filtering precision and is capable of detecting spam as per personal preferences. However, the number of image spam, which contains the spam message as an image, has been increasing rapidly. The Bayesian filter is not capable of distinguishing between image spam and legitimate e-mails since it learns from and examines only text data. Therefore, in this study, we propose an anti-image spam technique that uses image information such as file size. This technique can be easily implemented on the existing Bayesian filter. In addition, we report the results of the evaluations of this technique. 
en-copyright= kn-copyright= en-aut-name=UemuraMasahiro en-aut-sei=Uemura en-aut-mei=Masahiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=TabataToshihiro en-aut-sei=Tabata en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=image spam kn-keyword=image spam en-keyword=bayesian filter kn-keyword=bayesian filter en-keyword=image information kn-keyword=image information en-keyword=token kn-keyword=token END start-ver=1.4 cd-journal=joma no-vol=9 cd-vols= no-issue=1 article-no= start-page=1 end-page=10 dt-received= dt-revised= dt-accepted= dt-pub-year=2019 dt-pub=20190528 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Design and implementation of hiding method for file manipulation of essential services by system call proxy using virtual machine monitor en-subtitle= kn-subtitle= en-abstract= kn-abstract=Security or system management software is essential for keeping systems secure. To deter attacks on essential services, hiding information related to essential services is helpful. This paper describes the design, the implementation, and the evaluation of a method to make files invisible to all services except their corresponding essential services and provides access methods to those files in a virtual machine (VM). In the proposed method, the virtual machine monitor (VMM) monitors the system call, which is invoked by an essential process to access essential files, and requests proxy execution to the proxy process on another VM. The VMM returns the result and skips the execution of the original system call on the protection target VM. 
Thus, access to essential files by the essential service is skipped on the protection target VM, but the essential service can access the file content. en-copyright= kn-copyright= en-aut-name=SatoMasaya en-aut-sei=Sato en-aut-mei=Masaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=TaniguchiHideo en-aut-sei=Taniguchi en-aut-mei=Hideo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=virtual machine monitor kn-keyword=virtual machine monitor en-keyword=file manipulation kn-keyword=file manipulation en-keyword=system call proxy kn-keyword=system call proxy en-keyword=essential services kn-keyword=essential services END start-ver=1.4 cd-journal=joma no-vol=72 cd-vols= no-issue=5 article-no= start-page=1841 end-page=1861 dt-received= dt-revised= dt-accepted= dt-pub-year=2016 dt-pub=2016223 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Evaluation and design of function for tracing diffusion of classified information for file operations with KVM en-subtitle= kn-subtitle= en-abstract= kn-abstract=Cases of classified information leakage have become increasingly common. To address this problem, we have developed a function for tracing the diffusion of classified information within an operating system. However, this function suffers from the following two problems: first, in order to introduce the function, the operating system's source code must be modified. Second, there is a risk that the function will be disabled when the operating system is attacked. 
Thus, we have designed a function for tracing the diffusion of classified information in a guest operating system by using a virtual machine monitor. By using a virtual machine monitor, we can introduce the proposed function in various environments without modifying the operating system's source code. In addition, attacks aimed at the proposed function are made more difficult, because the virtual machine monitor is isolated from the operating system. In this paper, we describe the implementation of the proposed function for file operations and child process creation in the guest operating system with a kernel-based virtual machine. Further, we demonstrate the traceability of diffusing classified information by file operations and child process creation. We also report the logical lines of code required to introduce the proposed function and performance overheads. en-copyright= kn-copyright= en-aut-name=FujiiShota en-aut-sei=Fujii en-aut-mei=Shota kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=SatoMasaya en-aut-sei=Sato en-aut-mei=Masaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=TaniguchiHideo en-aut-sei=Taniguchi en-aut-mei=Hideo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil= kn-affil= affil-num=4 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Information Leak Prevention kn-keyword=Information Leak Prevention en-keyword=Virtualization kn-keyword=Virtualization en-keyword=Semantic Gap kn-keyword=Semantic Gap en-keyword=VMM kn-keyword=VMM END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= 
article-no= start-page=352 end-page=358 dt-received= dt-revised= dt-accepted= dt-pub-year=2021 dt-pub=202111 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Function for Tracing Diffusion of Classified Information to Support Multiple VMs with KVM en-subtitle= kn-subtitle= en-abstract= kn-abstract=To handle information leaks caused by administrative errors or mishandling, a function for tracing the diffusion of classified information using a virtual machine monitor (VMM) was proposed. However, the proposed function has not been investigated in cases in which virtual machines (VMs) allocated by multiple virtual central processing units (vCPUs) are to be monitored. In addition, cases in which multiple VMs are monitored have not been examined. In this study, we describe the support of multiple VMs for the proposed VMM-based tracing function. We also show how to deal with VMs allocated by multiple vCPUs. Furthermore, we report the evaluation results from assessing the traceability of the improved proposed method and its overhead for classified information when a VM with multiple vCPUs is monitored. 
en-copyright= kn-copyright= en-aut-name=OtaniKohei en-aut-sei=Otani en-aut-mei=Kohei kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=OkazakiToshiki en-aut-sei=Okazaki en-aut-mei=Toshiki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=MoriyamaHideaki en-aut-sei=Moriyama en-aut-mei=Hideaki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= en-aut-name=SatoMasaya en-aut-sei=Sato en-aut-mei=Masaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=5 ORCID= en-aut-name=TaniguchiHideo en-aut-sei=Taniguchi en-aut-mei=Hideo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=6 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=4 en-affil=Department of Creative Engineering, National Institute of Technology, Ariake College kn-affil= affil-num=5 en-affil=Faculty of Computer Science and Systems Engineering, Okayama Prefectural University kn-affil= affil-num=6 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Information leak prevention kn-keyword=Information leak prevention en-keyword=Virtualization kn-keyword=Virtualization en-keyword=VMM kn-keyword=VMM END start-ver=1.4 cd-journal=joma no-vol=2016 cd-vols= no-issue= article-no= start-page=219 end-page=234 dt-received= dt-revised= dt-accepted= dt-pub-year=2016 dt-pub=20160921 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=HeapRevolver: Delaying and Randomizing Timing of Release of Freed Memory Area to Prevent Use-After-Free Attacks en-subtitle= kn-subtitle= en-abstract= kn-abstract=Recently, there 
has been an increase in use-after-free (UAF) vulnerabilities, which are exploited using a dangling pointer that refers to a freed memory. Various methods to prevent UAF attacks have been proposed. However, only a few methods can effectively prevent UAF attacks during runtime with low overhead. In this paper, we propose HeapRevolver, which is a novel UAF attack-prevention method that delays and randomizes the timing of release of freed memory area by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. In this paper, we describe the design and implementation of HeapRevolver in Linux and Windows, and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities. In addition, the overhead is small. en-copyright= kn-copyright= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=IkegamiYuta en-aut-sei=Ikegami en-aut-mei=Yuta kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Use-after-free (UAF) vulnerabilities kn-keyword=Use-after-free (UAF) vulnerabilities en-keyword=UAF attack-prevention kn-keyword=UAF attack-prevention en-keyword=Memory-reuse-prohibited library kn-keyword=Memory-reuse-prohibited library en-keyword=System security kn-keyword=System security END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=338 end-page=349 dt-received= dt-revised= dt-accepted= dt-pub-year=2020 dt-pub=20200820 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Improvement and Evaluation of a Function for Tracing the Diffusion of Classified Information on KVM en-subtitle= kn-subtitle= 
en-abstract= kn-abstract=The increasing amount of classified information currently being managed by personal computers has resulted in the leakage of such information to external computers, which is a major problem. To prevent such leakage, we previously proposed a function for tracing the diffusion of classified information in a guest operating system (OS) using a virtual machine monitor (VMM). The tracing function hooks a system call in the guest OS from the VMM, and acquires the information. By analyzing the information on the VMM side, the tracing function makes it possible to notify the user of the diffusion of classified information. However, this function has a problem in that the administrator of the computer platform cannot grasp the transition of the diffusion of classified processes or file information. In this paper, we present the solution to this problem and report on its evaluation. en-copyright= kn-copyright= en-aut-name=MoriyamaHideaki en-aut-sei=Moriyama en-aut-mei=Hideaki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=SatoMasaya en-aut-sei=Sato en-aut-mei=Masaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=TaniguchiHideo en-aut-sei=Taniguchi en-aut-mei=Hideo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= affil-num=1 en-affil=National Institute of Technology, Ariake College kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=4 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=22 end-page=26 dt-received= dt-revised= dt-accepted= dt-pub-year=2016 dt-pub=201612 
dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features en-subtitle= kn-subtitle= en-abstract= kn-abstract=Attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we discuss KRGuard (Kernel Rootkits Guard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits with small overhead. en-copyright= kn-copyright= en-aut-name=AkaoYohei en-aut-sei=Akao en-aut-mei=Yohei kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Security kn-keyword=Security en-keyword=operating system kn-keyword=operating system en-keyword=kernel rootkit kn-keyword=kernel rootkit en-keyword=last branch record kn-keyword=last branch record END start-ver=1.4 cd-journal=joma no-vol=E100.D cd-vols= no-issue=10 article-no= start-page=2377 end-page=2381 dt-received= dt-revised= dt-accepted= dt-pub-year=2017 dt-pub=20171001 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features 
en-subtitle= kn-subtitle= en-abstract= kn-abstract=An operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead. en-copyright= kn-copyright= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=AkaoYohei en-aut-sei=Akao en-aut-mei=Yohei kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=kernel rootkit detection kn-keyword=kernel rootkit detection en-keyword= last branch record kn-keyword= last branch record en-keyword=operating system kn-keyword=operating system en-keyword=system security kn-keyword=system security END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=97 end-page=116 dt-received= dt-revised= dt-accepted= dt-pub-year=2020 dt-pub=20200826 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=MKM: Multiple Kernel Memory for Protecting Page Table 
Switching Mechanism Against Memory Corruption en-subtitle= kn-subtitle= en-abstract= kn-abstract=Countermeasures against kernel vulnerability attacks on an operating system (OS) are highly important kernel features. Some kernels adopt several kernel protection methods such as mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation; however, kernel vulnerabilities can still be exploited to execute attack codes and corrupt kernel memory. To accomplish this, adversaries subvert kernel protection methods and invoke these kernel codes to avoid administrator privileges restrictions and gain complete control of the target host. To prevent such subversion, we present Multiple Kernel Memory (MKM), which offers a novel security mechanism using an alternative design for kernel memory separation that was developed to reduce the kernel attack surface and mitigate the effects of illegal data manipulation in the kernel memory. The proposed MKM is capable of isolating kernel memory and dedicates the trampoline page table for a gateway of page table switching and the security page table for kernel protection methods. The MKM encloses the vulnerable kernel code in the kernel page table. The MKM mechanism achieves complete separation of the kernel code execution range of the virtual address space on each page table. It ensures that vulnerable kernel code does not interact with different page tables. Thus, the page table switching of the trampoline and the kernel protection methods of the security page tables are protected from vulnerable kernel code in other page tables. An evaluation of MKM indicates that it protects the kernel code and data on the trampoline and security page tables from an actual kernel vulnerabilities that lead to kernel memory corruption. 
In addition, the performance results show that the overhead is 0.020μs to 0.5445μs, in terms of the system call latency and the application overhead average is 196.27 μs to 6,685.73 μs, for each download access of 100,000 Hypertext Transfer Protocol sessions. en-copyright= kn-copyright= en-aut-name=KuzunoHiroki en-aut-sei=Kuzuno en-aut-mei=Hiroki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=635 end-page=641 dt-received= dt-revised= dt-accepted= dt-pub-year=2016 dt-pub=201611 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Memory Access Monitoring and Disguising of Process Information to Avoid Attacks to Essential Services en-subtitle= kn-subtitle= en-abstract= kn-abstract=To prevent attacks on essential software and to mitigate damage, an attack avoiding method that complicates process identification from attackers is proposed. This method complicates the identification of essential services by replacing process information with dummy information. However, this method allows attackers to identify essential processes by detecting changes in process information. To address this problems and provide more complexity to process identification, this paper proposes a memory access monitoring by using a virtual machine monitor. By manipulating the page access permission, a virtual machine monitor detects page access, which includes process information, and replaces it with dummy information. This paper presents the design, implementation, and evaluation of the proposed method. 
en-copyright= kn-copyright= en-aut-name=SatoMasaya en-aut-sei=Sato en-aut-mei=Masaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=TaniguchiHideo en-aut-sei=Taniguchi en-aut-mei=Hideo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=avoidance kn-keyword=avoidance en-keyword=process information kn-keyword=process information en-keyword=virtualization kn-keyword=virtualization END start-ver=1.4 cd-journal=joma no-vol=E100.D cd-vols= no-issue=10 article-no= start-page=2295 end-page=2306 dt-received= dt-revised= dt-accepted= dt-pub-year=2017 dt-pub=2017 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Mitigating Use-After-Free Attacks Using Memory-Reuse-Prohibited Library en-subtitle= kn-subtitle= en-abstract= kn-abstract=Recently, there has been an increase in use-after-free (UAF) vulnerabilities, which are exploited using a dangling pointer that refers to a freed memory. In particular, large-scale programs such as browsers often include many dangling pointers, and UAF vulnerabilities are frequently exploited by drive-by download attacks. Various methods to prevent UAF attacks have been proposed. However, only a few methods can effectively prevent UAF attacks during runtime with low overhead. In this paper, we propose HeapRevolver, which is a novel UAF attack-prevention method that delays and randomizes the timing of release of freed memory area by using a memory-reuse-prohibited library, which prohibits a freed memory area from being reused for a certain period. 
The first condition for reuse is that the total size of the freed memory area is beyond the designated size. The threshold for the conditions of reuse of the freed memory area can be randomized by HeapRevolver. Furthermore, we add a second condition for reuse in which the freed memory area is merged with an adjacent freed memory area before release. Furthermore, HeapRevolver can be applied without modifying the target programs. In this paper, we describe the design and implementation of HeapRevolver in Linux and Windows, and report its evaluation results. The results show that HeapRevolver can prevent attacks that exploit existing UAF vulnerabilities. In addition, the overhead is small. en-copyright= kn-copyright= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=IkegamiYuta en-aut-sei=Ikegami en-aut-mei=Yuta kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=BanYuya en-aut-sei=Ban en-aut-mei=Yuya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=398 end-page=404 dt-received= dt-revised= dt-accepted= dt-pub-year=2018 dt-pub=201811 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Mitigating Use-after-Free Attack Using Library Considering Size and Number of Freed Memory en-subtitle= kn-subtitle= en-abstract= kn-abstract=Use-after-free (UAF) vulnerabilities, which are abused by exploiting a dangling pointer that refers to a freed memory, execute an arbitrary code. The vulnerability is caused by bug in a program. 
In particular, it is contained in a large scale program such as browser. HeapRevolver [1] [2], which prohibits freed memory area from being reused for a certain period, has been proposed. HeapRevolver in Windows uses the number of the freed memory areas for prohibiting as a trigger to release the freed memory area. In other words, HeapRevolver uses the number of the freed memory areas as a threshold for releasing. However, when the size of individual freed memory areas is large, the HeapRevolver on Windows increases the memory overhead. In this paper, we propose improved HeapRevolver for Windows considering the size and number of the freed memory areas. Improved HeapRevolver enables to prohibit the reuse of the certain number of the freed memory areas at any time via the size and number of the freed memory areas as a threshold. The evaluation results show that the improved HeapRevolver can prevent attacks that exploiting UAF vulnerabilities. In particular, when the size of individual freed memory areas is small in the programs, it is effective to decrease the attack success rate. 
en-copyright= kn-copyright= en-aut-name=BanYuya en-aut-sei=Ban en-aut-mei=Yuya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil= kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Security kn-keyword=Security en-keyword=Use-After-Free kn-keyword=Use-After-Free en-keyword=dangling pointer kn-keyword=dangling pointer en-keyword=memory allocation kn-keyword=memory allocation END start-ver=1.4 cd-journal=joma no-vol=9 cd-vols= no-issue= article-no= start-page=111651 end-page=111665 dt-received= dt-revised= dt-accepted= dt-pub-year=2021 dt-pub=2021 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Mitigation of Kernel Memory Corruption Using Multiple Kernel Memory Mechanism en-subtitle= kn-subtitle= en-abstract= kn-abstract=Operating systems adopt kernel protection methods (e.g., mandatory access control, kernel address space layout randomization, control flow integrity, and kernel page table isolation) as essential countermeasures to reduce the likelihood of kernel vulnerability attacks. However, kernel memory corruption can still occur via the execution of malicious kernel code at the kernel layer. This is because the vulnerable kernel code and the attack target kernel code or kernel data are located in the same kernel address space. To gain complete control of a host, adversaries focus on kernel code invocations, such as function pointers that rely on the starting points of the kernel protection methods. To mitigate such subversion attacks, this paper presents multiple kernel memory (MKM), which employs an alternative design for kernel address space separation. The MKM mechanism focuses on the isolation granularity of the kernel address space during each execution of the kernel code. 
MKM provides two kernel address spaces, namely, i) the trampoline kernel address space, which acts as the gateway feature between user and kernel modes and ii) the security kernel address space, which utilizes the localization of the kernel protection methods (i.e., kernel observation). Additionally, MKM achieves the encapsulation of the vulnerable kernel code to prevent access to the kernel code invocations of the separated kernel address space. The evaluation results demonstrated that MKM can protect the kernel code and kernel data from a proof-of-concept kernel vulnerability that could lead to kernel memory corruption. In addition, the performance results of MKM indicate that the system call overhead latency ranges from 0.020 μs to 0.5445 μs, while the web application benchmark ranges from 196.27 μs to 6,685.73 μs for each download access of 100,000 Hypertext Transfer Protocol sessions. MKM attained a 97.65% system benchmark score and a 99.76% kernel compilation time. en-copyright= kn-copyright= en-aut-name=KuzunoHiroki en-aut-sei=Kuzuno en-aut-mei=Hiroki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=1Intelligent Systems Laboratory, SECOM Company Ltd. 
kn-affil= affil-num=2 en-affil=2Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Memory corruption kn-keyword=Memory corruption en-keyword=kernel vulnerability kn-keyword=kernel vulnerability en-keyword=system security kn-keyword=system security en-keyword=operating system kn-keyword=operating system END start-ver=1.4 cd-journal=joma no-vol=313 cd-vols= no-issue= article-no= start-page=238 end-page=248 dt-received= dt-revised= dt-accepted= dt-pub-year=2021 dt-pub=20210808 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Physical Memory Management with Two Page Sizes in Tender OS en-subtitle= kn-subtitle= en-abstract= kn-abstract=Physical memory capacity has increased owing to large-scale integration. In addition, memory footprints have increased in size, as multiple programs are executed on a single computer. Many operating systems manage physical memory by paging a 4 KB page. Therefore, the number of entries in the virtual address translation table for virtual to physical increases along with the size of the memory footprints. This cause a decrease in the translation lookaside buffer (TLB) hit ratio, resulting in the performance degradation of the application. To address this problem, we propose the implementation of physical memory management with two page sizes: 4 KB and 4 MB. This allows us to expand range of addresses to be translated by a single TLB entry, thereby improving the TLB hit rate. This paper describes the design and implementation of the physical memory management mechanism that manages physical memory using two page sizes on The ENduring operating system for Distributed EnviRonment (Tender OS). 
Our results showed that when the page size is 4 MB, the processing time of the memory allocation can be reduced by as much as approximately 99.7%, and the processing time for process creation can be reduced by as much as approximately 51%, and the processing time of the memory operation could be reduced by as much as 91.9%. en-copyright= kn-copyright= en-aut-name=KusunokiKoki en-aut-sei=Kusunoki en-aut-mei=Koki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=TaniguchiHideo en-aut-sei=Taniguchi en-aut-mei=Hideo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=1885 end-page=1892 dt-received= dt-revised= dt-accepted= dt-pub-year=2016 dt-pub=201644 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Plate : persistent memory management for nonvolatile main memory en-subtitle= kn-subtitle= en-abstract= kn-abstract=Over the past few years, nonvolatile memory has actively been researched and developed. Therefore, studying operating system (OS) designs predicated on the main memory in the form of a nonvolatile memory and studying methods to manage persistent data in a virtual memory are crucial to encourage the widespread use of nonvolatile memory in the future. However, the main memory in most computers today is volatile, and replacing high-capacity main memory with nonvolatile memory is extremely cost-prohibitive. This paper proposes an OS structure for nonvolatile main memory. 
The proposed OS structure consists of three functions to study and develop OSs for nonvolatile main memory computers. First, a structure, which is called plate, is proposed whereby persistent data are managed assuming that nonvolatile main memory is present in a computer. Second, we propose a persistent-data mechanism to make a volatile memory function as nonvolatile main memory, which serves as a basis for the development of OSs for computers with nonvolatile main memory. Third, we propose a continuous operation control using the persistent-data mechanism and plates. This paper describes the design and implementation of the OS structure based on the three functions on The ENduring operating system for Distributed EnviRonment and describes the evaluation results of the proposed functions. en-copyright= kn-copyright= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamamotoYuta en-aut-sei=Yamamoto en-aut-mei=Yuta kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=NagaiKengo en-aut-sei=Nagai en-aut-mei=Kengo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=MatonoTsukasa en-aut-sei=Matono en-aut-mei=Tsukasa kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= en-aut-name=InamotoShinji en-aut-sei=Inamoto en-aut-mei=Shinji kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=5 ORCID= en-aut-name=IchikawaMasaya en-aut-sei=Ichikawa en-aut-mei=Masaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=6 ORCID= en-aut-name=GotoMasataka en-aut-sei=Goto en-aut-mei=Masataka kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=7 ORCID= en-aut-name=TaniguchiHideo en-aut-sei=Taniguchi en-aut-mei=Hideo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=8 ORCID= affil-num=1 en-affil=Okayama University, Okayama, Japan kn-affil= affil-num=2 en-affil=Okayama University, Okayama, Japan kn-affil= affil-num=3 en-affil=Okayama University, Okayama, 
Japan kn-affil= affil-num=4 en-affil=Kyushu University, Fukuoka, Japan kn-affil= affil-num=5 en-affil=Kyushu University, Fukuoka, Japan kn-affil= affil-num=6 en-affil=Kyushu University, Fukuoka, Japan kn-affil= affil-num=7 en-affil=Kyushu University, Fukuoka, Japan kn-affil= affil-num=8 en-affil=Okayama University, Okayama, Japan kn-affil= en-keyword=Operating system kn-keyword=Operating system en-keyword=Persistent mechanism kn-keyword=Persistent mechanism en-keyword=Nonvolatile main memory kn-keyword=Nonvolatile main memory en-keyword=Memory management kn-keyword=Memory management END start-ver=1.4 cd-journal=joma no-vol=E99.D cd-vols= no-issue=12 article-no= start-page=2943 end-page=2955 dt-received= dt-revised= dt-accepted= dt-pub-year=2016 dt-pub=2016 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Rule-Based Sensor Data Aggregation System for M2M Gateways en-subtitle= kn-subtitle= en-abstract= kn-abstract=To reduce the server load and communication costs of machine-to-machine (M2M) systems, sensor data are aggregated in M2M gateways. Aggregation logic is typically programmed in the C language and embedded into the firmware. However, developing aggregation programs is difficult for M2M service providers because it requires gateway-specific knowledge and consideration of resource issues, especially RAM usage. In addition, modification of aggregation logic requires the application of firmware updates, which are risky. We propose a rule-based sensor data aggregation system, called the complex sensor data aggregator (CSDA), for M2M gateways. The functions comprising the data aggregation process are subdivided into the categories of filtering, statistical calculation, and concatenation. The proposed CSDA supports this aggregation process in three steps: the input, periodic data processing, and output steps. The behaviors of these steps are configured by an XML-based rule. 
The rule is stored in the data area of flash ROM and is updatable through the Internet without the need for a firmware update. In addition, in order to keep within the memory limit specified by the M2M gateway's manufacturer, the number of threads and the size of the working memory are static after startup, and the size of the working memory can be adjusted by configuring the sampling setting of a buffer for sensor data input. The proposed system is evaluated in an M2M gateway experimental environment. Results show that developing CSDA configurations is much easier than using C because the configuration decreases by 10%. In addition, the performance evaluation demonstrates the proposed system's ability to operate on M2M gateways. en-copyright= kn-copyright= en-aut-name=NakamuraYuichi en-aut-sei=Nakamura en-aut-mei=Yuichi kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=MoriguchiAkira en-aut-sei=Moriguchi en-aut-mei=Akira kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=IrieMasanori en-aut-sei=Irie en-aut-mei=Masanori kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=KinoshitaTaizo en-aut-sei=Kinoshita en-aut-mei=Taizo kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=5 ORCID= affil-num=1 en-affil=Hitachi, Ltd. kn-affil= affil-num=2 en-affil=Hitachi Solutions, Ltd. kn-affil= affil-num=3 en-affil=Hitachi Solutions, Ltd. kn-affil= affil-num=4 en-affil=Hitachi, Ltd. 
kn-affil= affil-num=5 en-affil=Graduate School of Natural Science and Technology at Okayama University kn-affil= en-keyword=M2M gateway kn-keyword=M2M gateway en-keyword=sensor data aggregation kn-keyword=sensor data aggregation en-keyword=in memory processing kn-keyword=in memory processing en-keyword=IoT(the Internet of Things) kn-keyword=IoT(the Internet of Things) END start-ver=1.4 cd-journal=joma no-vol=23 cd-vols= no-issue= article-no= start-page=107 end-page=117 dt-received= dt-revised= dt-accepted= dt-pub-year=2009 dt-pub=2009 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=SEEdit: SELinux Security Policy Configuration System with Higher Level Language en-subtitle= kn-subtitle= en-abstract= kn-abstract=Security policy for SELinux is usually created by customizing a sample policy called refpolicy. However, describing and verifying security policy configurations is difficult because in refpolicy, there are more than 100,000 lines of configurations, thousands of elements such as permissions, macros and labels. The memory footprint of refpolicy which is around 5MB, is also a problem for resource constrained devices. We propose a security policy configuration system SEEdit which facilitates creating security policy by a higher level language called SPDL and SPDL tools. SPDL reduces the number of permissions by integrated permissions and removes label configurations. SPDL tools generate security policy configurations from access logs and tool user's knowledge about applications. Experimental results on an embedded system and a PC system show that practical security policies are created by SEEdit, i.e., describing configurations is semiautomated, created security policies are composed of less than 500 lines of configurations, 100 configuration elements, and the memory footprint in the embedded system is less than 500KB. 
en-copyright= kn-copyright= en-aut-name=NakamuraYuichi en-aut-sei=Nakamura en-aut-mei=Yuichi kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=SameshimaYoshiki en-aut-sei=Sameshima en-aut-mei=Yoshiki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=TabataToshihiro en-aut-sei=Tabata en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= affil-num=1 en-affil=Hitachi Software Engineering Co., Ltd. kn-affil= affil-num=2 en-affil=Hitachi Software Engineering Co., Ltd. kn-affil= affil-num=3 en-affil=Okayama University kn-affil= en-keyword=security kn-keyword=security en-keyword=security policy kn-keyword=security policy en-keyword=configuration kn-keyword=configuration en-keyword=SELinux kn-keyword=SELinux END start-ver=1.4 cd-journal=joma no-vol=20 cd-vols= no-issue= article-no= start-page=833 end-page=847 dt-received= dt-revised= dt-accepted= dt-pub-year=2021 dt-pub=20210119 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Web access monitoring mechanism via Android WebView for threat analysis en-subtitle= kn-subtitle= en-abstract= kn-abstract=Many Android apps employ WebView, a component that enables the display of web content in the apps without redirecting users to web browser apps. However, WebView might also be used for cyberattacks. Moreover, to the best of our knowledge, although some countermeasures based on access control have been reported for attacks exploiting WebView, no mechanism for monitoring web access via WebView has been proposed and no analysis results focusing on web access via WebView are available. In consideration of this limitation, we propose a web access monitoring mechanism for Android WebView to analyze web access via WebView and clarify attacks exploiting WebView. In this paper, we present the design and implementation of this mechanism by modifying Chromium WebView without any modifications to the Android framework or Linux kernel. 
The evaluation results of the performance achieved on introducing the proposed mechanism are also presented here. Moreover, the result of threat analysis of displaying a fake virus alert while browsing websites on Android is discussed to demonstrate the effectiveness of the proposed mechanism. en-copyright= kn-copyright= en-aut-name=ImamuraYuta en-aut-sei=Imamura en-aut-mei=Yuta kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=OritoRintaro en-aut-sei=Orito en-aut-mei=Rintaro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=UekawaHiroyuki en-aut-sei=Uekawa en-aut-mei=Hiroyuki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=ChaikaewKritsana en-aut-sei=Chaikaew en-aut-mei=Kritsana kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= en-aut-name=LeelaprutePattara en-aut-sei=Leelaprute en-aut-mei=Pattara kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=5 ORCID= en-aut-name=SatoMasaya en-aut-sei=Sato en-aut-mei=Masaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=6 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=7 ORCID= affil-num=1 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= affil-num=4 en-affil=Faculty of Engineering, Kasetsart University kn-affil= affil-num=5 en-affil=Faculty of Engineering, Kasetsart University kn-affil= affil-num=6 en-affil=Graduate School of Natural Science and Technology kn-affil= affil-num=7 en-affil=Graduate School of Natural Science and Technology, Okayama University kn-affil= en-keyword=Android kn-keyword=Android en-keyword=WebView kn-keyword=WebView en-keyword=Web access monitoring kn-keyword=Web access monitoring en-keyword=Web security 
kn-keyword=Web security en-keyword=Threat analysis kn-keyword=Threat analysis en-keyword=Fake virus alert kn-keyword=Fake virus alert END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=1 end-page= dt-received= dt-revised= dt-accepted= dt-pub-year=2018 dt-pub=2018129 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Web access monitoring mechanism for Android webview en-subtitle= kn-subtitle= en-abstract= kn-abstract=In addition to conventional web browsers, WebView is used to display web content on Android. WebView is a component that enables the display of web content in mobile applications, and is extensively used. As WebView displays web content without having to redirect the user to web browsers, there is the possibility that unauthorized web access may be performed secretly via WebView, and information in Android may be stolen or tampered with. Therefore, it is necessary to monitor and analyze web access via WebView, particularly because attacks exploiting WebView have been reported. However, there is no mechanism for monitoring web access via WebView. In this work, the goals are to monitor web access via WebView and to analyze mobile applications using WebView. To achieve these goals, we propose a web access monitoring mechanism for Android WebView. In this paper, the design and implementation of a mechanism that does not require any modifications to the Android Framework and Linux kernel are presented for the Chromium Android System WebView app. In addition, this paper presents evaluation results for the proposed mechanism. 
en-copyright= kn-copyright= en-aut-name=ImamuraYuta en-aut-sei=Imamura en-aut-mei=Yuta kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=UekawaHiroyuki en-aut-sei=Uekawa en-aut-mei=Hiroyuki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=IshiharaYasuhiro en-aut-sei=Ishihara en-aut-mei=Yasuhiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=SatoMasaya en-aut-sei=Sato en-aut-mei=Masaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=5 ORCID= affil-num=1 en-affil=Okayama University, Okayama, Japan kn-affil= affil-num=2 en-affil=Okayama University, Okayama, Japan kn-affil= affil-num=3 en-affil=Okayama University, Okayama, Japan kn-affil= affil-num=4 en-affil=Okayama University, Okayama, Japan kn-affil= affil-num=5 en-affil=Okayama University Okayama, Japan kn-affil= en-keyword=Android kn-keyword=Android en-keyword= WebView kn-keyword= WebView en-keyword=Web access monitoring kn-keyword=Web access monitoring END