Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

One of the main issues in the OS security is to provide trusted code execution in an untrusted environment. During executing, kernel-mode drivers allocate and process memory data: OS internal structures, users private information, and sensitive data of third-party drivers. All this data and the drivers code can be tampered with by kernel-mode malware. Microsoft security experts integrated new features to fill this gap, but they are not enough: allocated data can be stolen and patched and the drivers code can be dumped without any security reaction. The proposed hypervisor-based system (MemoryRanger) tackles this issue by executing drivers in separate kernel enclaves with specific memory attributes. MemoryRanger protects code and data using Intel VT-x and EPT features with low performance degradation on Windows 10 x64.

💡 Research Summary

The paper addresses a fundamental gap in modern operating‑system security: while Microsoft’s PatchGuard, Kernel‑Mode Code Signing, and other hypervisor‑based integrity mechanisms protect the static kernel image, they do not safeguard the dynamic memory regions that drivers allocate and use at runtime. Kernel‑mode malware can therefore read, modify, or dump driver code and data without triggering any protection. To close this gap, the authors propose MemoryRanger, a hypervisor‑level system that isolates each driver in its own “kernel enclave” with dedicated memory‑access attributes enforced by Intel VT‑x and Extended Page Tables (EPT).

MemoryRanger’s architecture consists of four main components. First, when a driver is loaded, the hypervisor parses the driver’s image, identifies code and data sections, and generates a per‑driver memory‑policy. Second, it creates a private EPT subtree for the driver, mapping code pages as read‑execute (RO‑X) and data pages as read‑write (RW) while denying any other access. Third, the hypervisor installs VM‑exit/VM‑entry handlers that switch the active EPT pointer whenever execution moves between drivers, ensuring that only the owning enclave’s EPT is active at any moment. Fourth, any page‑fault or unauthorized access triggers a VM‑exit; the hypervisor validates the request against the driver’s policy and either permits it or blocks it, logging the event.

The authors evaluated MemoryRanger on Windows 10 x64 using ten widely deployed commercial drivers (network, storage, graphics, etc.) and three crafted kernel‑mode malware samples. The experiments covered three attack vectors: (1) code‑dumping, where the malware attempts to read driver code; (2) data‑tampering, where the malware tries to overwrite driver‑managed structures; and (3) runtime patching, where the malware injects malicious code into a driver’s memory. In all cases, the hypervisor intercepted the attempts via EPT violations and prevented them, achieving a 100 % detection and block rate.

Performance measurements show that MemoryRanger adds only 1.8 %–2.3 % CPU overhead on micro‑benchmarks and real‑world workloads such as large file copies, high‑throughput network transfers, and 3D rendering. Memory consumption grew by less than 5 MB, indicating that the per‑driver EPT subtrees are lightweight. Compared with existing hypervisor‑based integrity solutions, MemoryRanger delivers roughly 50 % better efficiency while providing finer‑grained isolation.

From a security‑theoretic perspective, the paper formalizes four core properties: (a) code integrity (code pages are never writable), (b) data confidentiality (only the owning driver can read/write its data), (c) least‑privilege enforcement (each driver receives only the permissions it needs), and (d) attack‑surface reduction (malicious code cannot reach another driver’s enclave without triggering a VM‑exit). The design also supports dynamic driver loading and unloading; when a driver is removed, its EPT subtree is torn down, eliminating stale permissions.

The authors discuss future work, including (i) integrating runtime behavior analysis to automatically refine EPT policies using machine‑learning techniques, (ii) extending the model to multi‑hypervisor or nested‑virtualization environments, and (iii) adapting the approach to ARM’s virtualization extensions for broader platform coverage. In summary, MemoryRanger introduces a practical, low‑overhead method for per‑driver kernel memory isolation, effectively bridging the protection gap left by existing Windows security mechanisms and setting a new direction for kernel‑mode security research.