Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

程龙,杨小虎

2004-01-01

Abstract:This paper illustrates a sandbox system on Linux operating system. Users can put untrusted or flawed programs running in the sandbox system,so they are isolated from other parts of the operating system. It protects the system from application exploits. Thus it greatly improves the system's security level. Deploying this sandbox system needs no modification to existing operating system kernel and applications,because it is implemented as a Linux kernel module.

XIE Jun,ZHANG Tao,ZHANG Shi-geng,HUANG Hao

2005-01-01

Abstract:In traditional monolithic kernel operating systems, all kernel codes run within a common and shared address space, and any vulnerabilities in kernel or any untrusted modules loaded in kernel would compromise the whole system security. The development of a layered and separated secure kernel was described in this paper. Since the powers of kernel are partitioned, the vulnerabilities of kernel are confined, and arbitrarily tampering of kernel by malice codes was prevented. The prototype system is entirely developed from beginning for the i386 architecture.

Soo Yee Lim,Sidhartha Agrawal,Xueyuan Han,David Eyers,Dan O'Keeffe,Thomas Pasquier

2024-04-12

Abstract:Monolithic operating systems, where all kernel functionality resides in a single, shared address space, are the foundation of most mainstream computer systems. However, a single flaw, even in a non-essential part of the kernel (e.g., device drivers), can cause the entire operating system to fall under an attacker's control. Kernel hardening techniques might prevent certain types of vulnerabilities, but they fail to address a fundamental weakness: the lack of intra-kernel security that safely isolates different parts of the kernel. We survey kernel compartmentalization techniques that define and enforce intra-kernel boundaries and propose a taxonomy that allows the community to compare and discuss future work. We also identify factors that complicate comparisons among compartmentalized systems, suggest new ways to compare future approaches with existing work meaningfully, and discuss emerging research directions.

Cryptography and Security,Operating Systems

Yinggang Guo,Zicheng Wang,Weiheng Bai,Qingkai Zeng,Kangjie Lu

DOI: https://doi.org/10.14722/ndss.2025.23328

2024-09-15

Abstract:The endless stream of vulnerabilities urgently calls for principled mitigation to confine the effect of exploitation. However, the monolithic architecture of commodity OS kernels, like the Linux kernel, allows an attacker to compromise the entire system by exploiting a vulnerability in any kernel component. Kernel compartmentalization is a promising approach that follows the least-privilege principle. However, existing mechanisms struggle with the trade-off on security, scalability, and performance, given the challenges stemming from mutual untrustworthiness among numerous and complex components. In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique that offers bi-directional isolation for unlimited compartments. It leverages Intel's new hardware feature PKS to isolate data and code into mutually untrusted compartments and benefits from its fast compartment switching. With untrust in mind, BULKHEAD introduces a lightweight in-kernel monitor that enforces multiple important security invariants, including data integrity, execute-only memory, and compartment interface integrity. In addition, it provides a locality-aware two-level scheme that scales to unlimited compartments. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation confirms the effectiveness of our approach. As the system-wide impacts, BULKHEAD incurs an average performance overhead of 2.44% for real-world applications with 160 compartmentalized LKMs. While focusing on a specific compartment, ApacheBench tests on ipv6 show an overhead of less than 2%. Moreover, the performance is almost unaffected by the number of compartments, which makes it highly scalable.

Cryptography and Security,Operating Systems

Jingyu Hua,Kouichi Sakurai

DOI: https://doi.org/10.1145/2245276.2232011

2012-01-01

Abstract:In the present operating systems such as Linux, all the kernel modules, including unknown extensions, run in the same address space. They are granted the highest privilege and can access arbitrary memory without any limitation. This is at the root of kernel rootkits, which are malware seriously threatening the kernel integrity. In this paper, we present Barrier , a lightweight hypervisor designed for enhancing the kernel integrity of personal computers by isolating the kernel modules. Since this hypervisor is designed for the OS protection on PCs, it does not implement unnecessary virtualization features that are commonly found on the general-purpose hypervisors to support running multiple OS instances concurrently on the same server. As a result, it is much smaller and also much easier to use, especially for unprofessional users. Barrier leverages the hardware-supported memory virtualization to isolate the kernel modules into different address spaces. All the interactions across address spaces have to go through a strict mediation based on some predefined MAC rules. This greatly increases the attacker's hardness to compromise the kernel integrity. We have implemented a prototype of Barrier. The evaluation results show that Barrier can well protect the kernel integrity without bringing unaffordable performance overheads.

Abhinav Srivastava,Jonathon Giffin

DOI: https://doi.org/10.1145/2420950.2421012

2012-01-01

Abstract:Commodity operating system kernels isolate applications via separate memory address spaces provided by virtual memory management hardware. However, kernel memory is unified and mixes core kernel code with driver components of different provenance. Kernel-level malicious software exploits this lack of isolation between the kernel and its modules by illicitly modifying security-critical kernel data structures. In this paper, we design an access control policy and enforcement system that prevents kernel components with low trust from altering security-critical data used by the kernel to manage its own execution. Our policies are at the granularity of kernel variables and structure elements, and they can protect data structures dynamically allocated at runtime. Our hypervisor-based design uses memory page protection bits as part of its policy enforcement. The granularity difference between page-level protection and variable-level policies challenges the system's ability to remain performant. We develop kernel data-layout partitioning and reorganization techniques to maintain kernel performance in the presence of our protections. We show that our system can prevent malicious modifications to security-critical kernel data with small overhead. By offering protection for critical kernel data structures, we can detect unknown kernel-level malware and guarantee that security utilities relying on the integrity of kernel-level state remain accurate.

Zihan Yang,Zeyu Mi,Yubin Xia

DOI: https://doi.org/10.1109/sose.2019.00044

2019-01-01

Abstract:The prevalence of Cloud Computing has appealed many users to put their business into low-cost and flexible cloud servers instead of bare-metal machines. Most virtual machines in the cloud run commodity operating system(e.g., linux), and the complexity of such operating systems makes them more bug-prone and easier to be compromised. To mitigate the security threats, previous works attempt to mediate and filter system calls, transform all unpopular paths into popular paths, or implement a nested kernel along with the untrusted outter kernel to enforce certain security policies. However, such solutions only enforce read-only protection or assume that popular paths in the kernel to contain almost no bug, which is not always the case in the real world. To overcome their shortcomings and combine their advantages as much as possible, we propose a hardware-assisted isolation mechanism that isolates untrusted part of the kernel. To achieve isolation, we prepare multiple restricted Extended Page Table (EPT) during boot time, each of which has certain critical data unmapped from it so that the code executing in the isolated environment could not access sensitive data. We leverage the VMFUNC instruction already available in recent Intel processors to directly switch to another pre-defined EPT inside guest virtual machine without trapping into the underlying hypervisor, which is faster than the traditional trap-and-emulate procedure. The semantic gap is minimized and real-time check is achieved by allowing EPT violations to be converted to Virtualization Exception (VE), which could be handled inside guest kernel in non-root mode. Our preliminary evaluation shows that with hardware virtualization feature, we are able to run the untrusted code in an isolated environment with negligible overhead.

Jianbao Ren,Yong Qi,Yuehua Dai,Xiaoguang Wang,Yi Shi

DOI: https://doi.org/10.1145/2817817.2731199

2015-01-01

Abstract:Malicious OS kernel can easily access user's private data in main memory and pries human-machine interaction data, even one that employs privacy enforcement based on application level or OS level. This paper introduces AppSec, a hypervisor-based safe execution environment, to protect both the memory data and human-machine interaction data of security sensitive applications from the untrusted OS transparently. AppSec provides several security mechanisms on an untrusted OS. AppSec introduces a safe loader to check the code integrity of application and dynamic shared objects. During runtime, AppSec protects application and dynamic shared objects from being modified and verifies kernel memory accesses according to application's intention. AppSec provides a devices isolation mechanism to prevent the human-machine interaction devices being accessed by compromised kernel. On top of that, AppSec further provides a privileged-based window system to protect application's X resources. The major advantages of AppSec are threefold. First, AppSec verifies and protects all dynamic shared objects during runtime. Second, AppSec mediates kernel memory access according to application's intention but not encrypts all application's data roughly. Third, AppSec provides a trusted I/O path from end-user to application. A prototype of AppSec is implemented and shows that AppSec is efficient and practical.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

CHEN Zhu-Hong,CUI Chao-Yuan,WANG Ru-Jing,ZHOU Ji-Dong

DOI: https://doi.org/10.3969/j.issn.1003-3254.2013.07.015

2013-01-01

Abstract:As the foundation of cloud computing,virtualization technology’s security problems are gained more and more attention of the specialists with the development of cloud computing.This paper presents a virtual machine system kernel intrusion detection system,which use the introspection technology provided by Xen hypervisor to get internal states of kernel of the virtual machine.To achieve the goal of monitoring the kernel and preventing it from being compromised.This system can effectively defend the case of attack that dynamically modifies the kernel code and kernel unchanged data structure.

LI Xiao-Qing,ZHAO Xiao-Dong,ZENG Qing-Kai

DOI: https://doi.org/10.3724/sp.j.1001.2012.04131

2012-01-01

Journal of Software

Abstract:A one-way isolation execution model based on hardware virtualization is proposed.In this model, the security application based on self-requirements can be divided into two parts: host process and security sensitive module (SSM).Isolated execution manager named SSMVisor, as the core component of isolation execution model, provides a one-way isolation execution environment for SSMs, not only to ensure security, but also to allow SSMs to call outside functions.As security application's trusted computing base (TCB) only includes SSMs and SSMVisor, without operating system and the security unrelated module of the applications, the size of security application's TCB is reduced effectively.A prototype system is not only compatible with the original operating system, but also light-weight.Experimental results show that the performance overhead of prototype system is very low, about 6.5%.

Liang DENG,Qing-Kai ZENG

DOI: https://doi.org/10.13328/j.cnki.jos.005017

2016-01-01

Abstract:In commodity OS, the OS kernel runs in the highest privilege layer to manage hardware resources and provides system services. Thus, security-sensitive applications are vulnerable to compromises the underlying untrusted kernel. In this paper, an approach named AppFort is proposed to protect applications from an untrusted OS kernel. To address the high overheads of existing solutions, AppFort makes use of the unique combination of an x86 hardware feature (operand address size), kernel code integrity protection and kernel control flow integrity protection, to intercept and verify both hardware and software operations of the untrusted kernel. As a result, AppFort efficiently protects application's memory, control flows and file I/O, even if the kernel is fully compromised. Experimental results demonstrate that AppFort only incurs very small overhead, which is much better than previous work.

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

HE Jin,FAN Ming-yu,WANG Guang-wei

DOI: https://doi.org/10.3969/j.issn.1001-0548.2015.06.017

2015-01-01

Abstract:Kernel-level rootkits attacks pose a deadly threat to kernel integrity, and kernel rootkits is currently a research focus, primarily focused on kernel-level rootkits detection and rootkits protection. However, these studies are always flawed: the rootkits protection presents a single protected mode; kernel-level rootkits detection can only do the detection use, even if the kernel has been found to be attacked, there is no method to solve. Give this situation, we design a two-mode protection operation system (TWPos), this is, a kernel-level integrity protection method along with detection and protection capability, even if the kernel is already under attack, TWPos also recoveries kernel integrity. The experiments show that TWPos is a comprehensive and effective protection system without sacrificing system performance for the price, and is compatible with a variety of OS systems.

Shangwu Dong,Yan Xiong,Wenchao Huang,Lu Ma

DOI: https://doi.org/10.1109/bigcom51056.2020.00022

2020-01-01

Abstract:Android operating system has been getting widely used in these years. At the meantime, lots of security issues have been exposed. Not only the softwares running on it are suffering great losses, but the operating system itself is also becoming a target for attackers. Especially kernel-level rootkits have a bad influence on the system security. Some attackers can use this method to get the root privilege by exploiting these vulnerabilities. It's high time we should take measures to enhance protection for Android kernel. In this paper, we propose a kernel integrity measuring system named KIMS on the TrustZone Architecture. The key idea is to build a safe and isolated environment for kernel measuring provided by the secure world in the TrustZone. And with the high privilege of secure world, KIMS can monitor the operating system kernel and detect whether it is destroyed. Then we build the prototype using the Hikey960 board to evaluate our design. The experiments show that our system can execute kernel integrity measurement when a malicious behaviour detected. And it has a relatively small performance overhead.

于淑英,黄皓,刘国斌

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.01.064

2009-01-01

Computer Science

Abstract:To avoid the security mechanism applied in operating systems being bypassed or tampered,this paper proposed the use of micro-kernel,multiserver architecture to assure the integrity of security kernel.Process isolation and message passing provided by the micro-kernel make the processes above isolated and protect the integrity of them effectively.Simplicity and modularity,the most obvious advantages of micro-kernel,laid an excellent base for the future formal verification.The prototype operating system,Nutos,was presented as an example on how to use these mechanisms to enforce security.It combined the multiserver architecture and the Flask security infrastructure to provide for flexibi-lity in security policies and integrity assurance for security sever and reference monitor.

Xian Chen,Wenzhi Chen,Peng Long,Zhongyong Lu,Zonghui Wang

DOI: https://doi.org/10.1109/cbd.2013.32

2013-01-01

Abstract:For the ability to explore the memory's fullest potential, memory de-duplication has been widely experimented with in current main stream virtualization platforms. A lot of work has been done to improve the efficiency of memory de-duplication, while too little attention was paid to the introduced security issues which have been proved by prior work. To deal with this security risk and efficiently manage the memory we start our work in this paper. We first conduct extensive experiments on different OS platforms to study the realistic situation of page sharing. By analyzing the results we find: 1) Page sharing is contributed mostly by self-sharing (nearly 90%), and the self-sharing rate varies significantly between Linux and Windows OS platforms. Compared with self-sharing the inter-VM sharing rate is extremely low, under 1% in most cases. 2) Page size has a larger influence on Linux platform than Windows platform, so sub-page de-duplication proposed in prior work may achieve better performance on Linux platform. On the basis of above findings we propose a group-based secure page sharing model (or GSKSM), in which we consider both VM processes and normal processes. We have successfully implemented it in Linux kernel 3.6.6, and the experiment results show it works well with negligible overhead. Finally based on GSKSM we further present an efficient memory management approach (or SEMMA), which combines GSKSM and balloon technique to efficiently manage the memory, and the preliminary experiment result is satisfactory.

Chi Zhang,Hui He,Xiaoguang Wang,Yichen Li,Xin Gao,Yong Qi

DOI: https://doi.org/10.1109/wisa.2016.48

2016-01-01

Abstract:Software memory disclosure attacks, such as buffer over-read, often work quietly and may cause leakage of secrets. The well-known OpenSSL Heartbleed vulnerability leaked out millions of servers' private keys, and caused most of Internet services insecure during that time. Existing solutions are either hard to apply to large code bases, or too heavyweight (e.g. by involving a hypervisor software or a modified operating system kernel). We propose SecSeg, an easy-to-use and lightweight system which leverages the traditional x86 segmentation mechanism to isolate the secrets from the remaining data. Software developers can prevent the secrets from being leaked out by simply declaring the secret variables with secure keyword. And our customized compiler will automatically separate the secrets from the remaining ones with an isolated hardware segment. Any legal instructions that have to visit the secrets will be automatically instrumented to special machine instructions which have access to the isolated segment. We have implemented an early SecSeg prototype with an open source compiler framework - the LLVM Compiler Infrastructure. The prototype proves that SecSeg is both secure and efficient.

Xie Jun

2005-01-01

Abstract:Many secure operating systems have some privileged processes or trusted processes which are always at risk of being hijacked by various attacks such as the buffer overflow attack.Once they are hijacked,the security of the whole system would be damaged.In this paper,a multi-protection domains process model is described which provides fine-grained kernel level protection for codes and data within process address space.The fine-grained internal protection of process can effectively prevent attackers from hijacking the whole process by damaging the process's data or codes.This paper offers two designs for this model and a prototype implementation of one of them.