start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=417 end-page=431 dt-received= dt-revised= dt-accepted= dt-pub-year=2025 dt-pub=20251015 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=Evaluation of a Startup Program Identification for Efficient and Accurate IoT Security Investigations en-subtitle= kn-subtitle= en-abstract= kn-abstract=Not all files in firmware are executed while using Internet of Things (IoT) devices, and hundreds to approximately a thousand executable and linkable format files exist in one firmware. Therefore, security investigations without prioritization may lead to investigating programs that are not executed while using IoT devices first. This has resulted in inefficient security investigations. To perform efficient security investigations, we proposed a method that can identify programs executed during the startup process. However, only two firmware were used for the evaluation, which can only evaluate one of the two startup sequences in the OpenWrt-based firmware. In addition, security investigations to validate whether the proposed method addresses the problem of inefficient security investigations were limited to OpenWrt-based firmware. In this study, we use more firmware data for evaluation and validation. We use nine firmware not used in previous studies, including startup methods that have not previously been used for evaluation. In addition, we increase the number of firmware used for validation to 225. The evaluation results demonstrate that the proposed method can identify with only a few false positives. The validation demonstrates that efficiency can be improved and prioritizing investigations by considering the proposed method result is worthwhile. 
en-copyright= kn-copyright= en-aut-name=ShimamotoYuta en-aut-sei=Shimamoto en-aut-mei=Yuta kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=PhinyodomJiratchaya en-aut-sei=Phinyodom en-aut-mei=Jiratchaya kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= en-aut-name=YoshimotoRyota en-aut-sei=Yoshimoto en-aut-mei=Ryota kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=3 ORCID= en-aut-name=UekawaHiroyuki en-aut-sei=Uekawa en-aut-mei=Hiroyuki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=4 ORCID= en-aut-name=AkiyamaMitsuaki en-aut-sei=Akiyama en-aut-mei=Mitsuaki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=5 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=6 ORCID= affil-num=1 en-affil=Graduate School of Environmental, Life, Natural Science and Technology, Okayama University kn-affil= affil-num=2 en-affil=School of Engineering, Okayama University kn-affil= affil-num=3 en-affil=Graduate School of Environmental, Life, Natural Science and Technology, Okayama University kn-affil= affil-num=4 en-affil=NTT Social Informatics Laboratories kn-affil= affil-num=5 en-affil=NTT Social Informatics Laboratories kn-affil= affil-num=6 en-affil=Faculty of Environmental, Life, Natural Science and Technology, Okayama University kn-affil= en-keyword=Internet of Things kn-keyword=Internet of Things en-keyword=Firmware kn-keyword=Firmware en-keyword=Startup script kn-keyword=Startup script en-keyword=SysVinit kn-keyword=SysVinit END start-ver=1.4 cd-journal=joma no-vol= cd-vols= no-issue= article-no= start-page=213 end-page=231 dt-received= dt-revised= dt-accepted= dt-pub-year=2025 dt-pub=20250314 dt-online= en-article= kn-article= en-subject= kn-subject= en-title= kn-title=RKPM: Restricted Kernel Page Mechanism to Mitigate Privilege Escalation Attacks en-subtitle= kn-subtitle= en-abstract= kn-abstract=Kernel memory corruption attacks against operating systems exploit 
kernel vulnerabilities to overwrite kernel data. Kernel address space layout randomization makes it difficult to identify kernel data by randomizing their virtual address space. Control flow integrity (CFI) prevents unauthorized kernel code execution by verifying kernel function calls. However, these countermeasures do not prohibit writing to kernel data. If the virtual address of privileged information is specified and CFI is circumvented, the privileged information can be modified by a kernel memory corruption attack. In this paper, we propose a restricted kernel page mechanism (RKPM) to mitigate kernel memory corruption attacks by introducing restricted kernel pages to protect the kernel data specified in the kernel. The RKPM focuses on the fact that kernel memory corruption attacks attempt to read the virtual addresses around the privileged information. The RKPM adopts page table mapping handling and a memory protection key to control the read and write restrictions of the restricted kernel pages. This allows us to mitigate kernel memory corruption attacks by capturing reads to the restricted kernel page before the privileged information is overwritten. As an evaluation of the RKPM, we confirmed that it can mitigate privilege escalation attacks on the latest Linux kernel. We also measured that there was a certain overhead in the kernel performance. This study enhances kernel security by mitigating privilege escalation attacks through the use of software- or hardware-based restricted kernel pages. 
en-copyright= kn-copyright= en-aut-name=KuzunoHiroki en-aut-sei=Kuzuno en-aut-mei=Hiroki kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=1 ORCID= en-aut-name=YamauchiToshihiro en-aut-sei=Yamauchi en-aut-mei=Toshihiro kn-aut-name= kn-aut-sei= kn-aut-mei= aut-affil-num=2 ORCID= affil-num=1 en-affil=Graduate School of Engineering, Kobe University kn-affil= affil-num=2 en-affil=Faculty of Environmental, Life, Natural Science and Technology, Okayama University kn-affil= END