程龙,杨小虎

2004-01-01

Abstract:This paper illustrates a sandbox system on Linux operating system. Users can put untrusted or flawed programs running in the sandbox system,so they are isolated from other parts of the operating system. It protects the system from application exploits. Thus it greatly improves the system's security level. Deploying this sandbox system needs no modification to existing operating system kernel and applications,because it is implemented as a Linux kernel module.

Qian Zhenjiang,Liu Wei,Huang Hao

IF: 1.019

2014-01-01

Chinese Journal of Electronics

Abstract:Microkernel integrity is an important aspect of security for the whole microkernel system. Many of the research works on microkernel integrity focus on analysis and safeguards against the existing kernel attacks, and security enhancements for the vulnerabilities of system design and implementation aspects. The formal methods for operating system design and verification ensure the system's high level of security. The existing formalization work and research for operating system mainly focus on the code-level verification of program correctness. In this paper, we propose a formal abstraction model of microkernel in order to accurately describe the semantics of every kernel behavior, and achieve the description of the whole kernel. Based on the model we illustrate the microkernel integrity criterions and elaborate on the integrity mechanism. Meanwhile, we formally verify the completeness and consistency between the mechanism and the definition of the microkernel integrity. We use the self-implemented operating system VTOS (Verified trusted operating system) as an example to illustrate the design method for the microkernel integrity.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

XIE Jun,ZHANG Tao,ZHANG Shi-geng,HUANG Hao

2005-01-01

Abstract:In traditional monolithic kernel operating systems, all kernel codes run within a common and shared address space, and any vulnerabilities in kernel or any untrusted modules loaded in kernel would compromise the whole system security. The development of a layered and separated secure kernel was described in this paper. Since the powers of kernel are partitioned, the vulnerabilities of kernel are confined, and arbitrarily tampering of kernel by malice codes was prevented. The prototype system is entirely developed from beginning for the i386 architecture.

Yanyan Shen,Kevin Elphinstone

DOI: https://doi.org/10.1109/EDCC.2015.16

2015-01-01

Abstract:Trustworthy isolation is required to consolidate safety and security critical software systems on a single hardware platform. Recent advances in formally verifying correctness and isolation properties of a microkernel should enable mutually distrusting software to co-exist on the same platform with a high level of assurance of correct operation. However, commodity hardware is susceptible to transient faults triggered by cosmic rays, and alpha particle strikes, and thus may invalidate the isolation guarantees, or trigger failure in isolated applications. To increase trustworthiness of commodity hardware, we apply redundant execution techniques from the dependability community to a modern microkernel. We leverage the hardware redundancy provided by multicore processors to perform transient fault detection for applications and for the microkernel itself. This paper presents the mechanisms and framework for microkernel based systems to implement redundant execution for improved trustworthiness. It evaluates the performance of the resulting system on x86-64 and ARM platforms.

Liu Wei,Li Xun,Huang Wei,Huang Hao,Zhixian Chen

DOI: https://doi.org/10.1109/CSSS.2011.5973957

2011-01-01

Abstract:Kernel-level attacks can compromise the security of an operating system by tampering with key data and control flow in the kernel. Current approaches defend against these attacks by applying data integrity or control flow integrity control methods. However, they focus on only a certain aspect and cannot give a complete integrity monitoring solution. This paper tries our best to find out all resorts that violate the kernel integrity of operating system by analyzing what objects an action of the kernel relies on and affects. Then we examine all these objects to avoid them from being tamped with and also monitor whether the effect of an action of the kernel is the same as the semantics specified by the original design. Our operating system integrity surveillance system (OSISS) is implemented in a virtual machine monitor (VMM) and it can detect abnormity of an action by monitoring the data integrity and control flow integrity with acceptable performance loss. © 2011 IEEE.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

Olivier Nicole,Matthieu Lemerre,Sébastien Bardin,Xavier Rival

DOI: https://doi.org/10.48550/arXiv.2003.08915

2020-03-19

Cryptography and Security

Abstract:Operating system kernels are the security keystone of most computer systems, as they provide the core protection mechanisms. Kernels are in particular responsible for their own security, i.e. they must prevent untrusted user tasks from reaching their level of privilege. We demonstrate that proving such absence of privilege escalation is a pre-requisite for any definitive security proof of the kernel. While prior OS kernel formal verifications were performed either on source code or crafted kernels, with manual or semi-automated methods requiring significant human efforts in annotations or proofs, we show that it is possible to compute such kernel security proofs using fully-automated methods and starting from the executable code of an existing microkernel with no modification, thus formally verifying absence of privilege escalation with high confidence for a low cost. We applied our method on two embedded microkernels, including the industrial kernel AnonymOS: with only 58 lines of annotation and less than 10 minutes of computation, our method finds a vulnerability in a first (buggy) version of AnonymOS and verifies absence of privilege escalation in a second (secure) version.

Xie Jun,Huang Hao,Zhang Jia

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.005

2006-01-01

Abstract:In traditional monolithic kernel operating systems,all kernel codes run within a common and shared address space,and any vulnerabilities in kernel or any untrusted modules loaded in kernel would compromise the whole system's security.From the point of security,this paper describs a isolation mechanism for kernel modules,in which the most insecure parts of kernel are loaded as protection modules and are isolated from other parts of kernel by hardware protection mechanism.This mechanism can be used to strengthen existing monolithic kernel's reliability and security and provides a more credible platform for secuirty application softewares.

A.S. Tanenbaum,J.N. Herder,H. Bos

DOI: https://doi.org/10.1109/mc.2006.156

2006-05-01

Computer

Abstract:Microkernels long discarded as unacceptable because of their lower performance compared with monolithic kernels might be making a comeback in operating systems due to their potentially higher reliability, which many researchers now regard as more important than performance. Each of the four different attempts to improve operating system reliability focuses on preventing buggy device drivers from crashing the system. In the Nooks approach, each driver is individually hand wrapped in a software jacket to carefully control its interactions with the rest of the operating system, but it leaves all the drivers in the kernel. The paravirtual machine approach takes this one step further and moves the drivers to one or more machines distinct from the main one, taking away even more power from the drivers. Both of these approaches are intended to improve the reliability of existing (legacy) operating systems. In contrast, two other approaches replace legacy operating systems with more reliable and secure ones. The multiserver approach runs each driver and operating system component in a separate user process and allows them to communicate using the microkernel's IPC mechanism. Finally, Singularity, the most radical approach, uses a type-safe language, a single address space, and formal contracts to carefully limit what each module can do.

computer science, software engineering, hardware & architecture

Chen Weidong,Wang Chao,Zhang Li,Xu Zheng,Xing Xishuang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.03.080

2013-01-01

Abstract:Information security of server is encountering increasingly serious security menace.Viruses,worms,Trojans and other malicious programs impose the threat on the security of server system.The operating system has the needs to identify and control from kernel layer the subjects and objects imperilling the security.Mandatory access control has to be executed on files,registry,process,etc.in kernel layer.We study and address the implementation of operating system security kernel in terms of system resources and networks covert communication in this paper.The system has been applied to the corporate websites,various types of servers and other network security applications that have higher security requirement.The mandatory access control and each process,file,registry and network communications,etc.are all endued the appropriate security attributes systematically.Security attributes are set by the administrator strictly in accordance with the rules.Combined with the principle of least privilege and security auditing,security control is conducted at the application layer on the server or server cluster.

Ennan Zhai,Qingni Shen,Yonggang Wang,Tao Yang,Liping Ding,Sihan Qing

DOI: https://doi.org/10.1007/978-3-642-20291-9_38

2011-01-01

Abstract:Host compromise is a serious security problem for operating systems. Most previous solutions based on integrity protection models are difficult to use: on the other hand, usable integrity protection models can only provide limited protection. This paper presents SecGuard, a secure and practical integrity protection model. To ensure the security of systems. SecGuard provides provable guarantees for operating systems to defend against three categories of threats: network-based threat, IPC communication threat and contaminative file threat. To ensure practicability, SecGuard introduces several novel techniques. For example, SecGuard leverages the information of existing discretionary access control information to initialize integrity labels for subjects and objects in the system. We developed the prototype system of SecGuard based on Linux Security Modules framework (LSM), and evaluated the security and practicability of SecGuard.

LI Kang-jie,QIAN Zhen-jiang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2013.03.044

2013-01-01

Computer Science

Abstract:It is difficult to describe the correctness and security of the operate system(OS) by quantitative analysis.Formal method is the acknowledged standard one in design and verification for OS.Based on the operate system object semantics model(OSOSM),we designed and verified the interruption mechanism of microkernel architecture using formal method,which was realized on our self-implemented verified trusted operate system(VTOS).Meanwhile,we used the theorem prover Isabelle/HOL to formally describe the design process,and verify the integrality of the interruption mechanism of VTOS.Our research plays certain referential significance on formal design and verification of OS.

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

Jianjun Shen,Sihan Qing,Qingni Shen

DOI: https://doi.org/10.1109/iaw.2006.1652123

2006-01-01

Abstract:We describe the Trium secure system architecture. It is based on Fiasco an implementation of the L4 microkernel interface - and L4Env - a programming environment for L4 systems. Compared to previous work on microkernel based secure systems, such as TMach and DTOS, Trium tries to minimize the trusted computing base (TCB) of a secure system by moving most functions of an operating system (OS) out of the TCB, and it emphasizes on the reuse of legacy software. We also try to achieve better isolation, privilege control and flexible configuration of system components, taking advantage of the specific features of the L4 microkernel as a second generation microkernel

Shangwu Dong,Yan Xiong,Wenchao Huang,Lu Ma

DOI: https://doi.org/10.1109/bigcom51056.2020.00022

2020-01-01

Abstract:Android operating system has been getting widely used in these years. At the meantime, lots of security issues have been exposed. Not only the softwares running on it are suffering great losses, but the operating system itself is also becoming a target for attackers. Especially kernel-level rootkits have a bad influence on the system security. Some attackers can use this method to get the root privilege by exploiting these vulnerabilities. It's high time we should take measures to enhance protection for Android kernel. In this paper, we propose a kernel integrity measuring system named KIMS on the TrustZone Architecture. The key idea is to build a safe and isolated environment for kernel measuring provided by the secure world in the TrustZone. And with the high privilege of secure world, KIMS can monitor the operating system kernel and detect whether it is destroyed. Then we build the prototype using the Hikey960 board to evaluate our design. The experiments show that our system can execute kernel integrity measurement when a malicious behaviour detected. And it has a relatively small performance overhead.

Jianbao Ren,Yong Qi,Yuehua Dai,Xiaoguang Wang,Yi Shi

DOI: https://doi.org/10.1145/2817817.2731199

2015-01-01

Abstract:Malicious OS kernel can easily access user's private data in main memory and pries human-machine interaction data, even one that employs privacy enforcement based on application level or OS level. This paper introduces AppSec, a hypervisor-based safe execution environment, to protect both the memory data and human-machine interaction data of security sensitive applications from the untrusted OS transparently. AppSec provides several security mechanisms on an untrusted OS. AppSec introduces a safe loader to check the code integrity of application and dynamic shared objects. During runtime, AppSec protects application and dynamic shared objects from being modified and verifies kernel memory accesses according to application's intention. AppSec provides a devices isolation mechanism to prevent the human-machine interaction devices being accessed by compromised kernel. On top of that, AppSec further provides a privileged-based window system to protect application's X resources. The major advantages of AppSec are threefold. First, AppSec verifies and protects all dynamic shared objects during runtime. Second, AppSec mediates kernel memory access according to application's intention but not encrypts all application's data roughly. Third, AppSec provides a trusted I/O path from end-user to application. A prototype of AppSec is implemented and shows that AppSec is efficient and practical.

Tun Wang,Yu Tian

DOI: https://doi.org/10.1155/2022/9304019

2022-04-21

Wireless Communications and Mobile Computing

Abstract:At present, the application of the embedded microkernel operating system in military and civil fields has begun to take shape, but it has not yet formed a unified method and standard. Due to its high performance, low frequency, and high reliability, dual-core embedded processors are getting the attention of many chip manufacturers. Compatibility has been favored by many telecom equipment manufacturers and embedded high-end application integrators, but the dual-core embedded processor needs a new real-time operating system to support it, so that it can give full play to the high performance of the dual-core. It paves the way for the application of its processor in the embedded field, but the design of embedded AI engine is not transparent to it; so, it needs the support of operating system. The user code is used to be in the operating system processor environment; so, it can be used on dual core processor first. In the real-time operating system that supports dual-core processors, the part that needs to be modified is mainly concentrated in the kernel part; so, the core design is the key point to support dual-core processors. This article is to seize this key point to carry out in-depth research. The difference and influence of hardware architecture between dual-core processor and single-core processor are the primary content of the study. Through the research of the dual-core processor architecture, the general abstraction of the dual-core processor architecture is obtained, which is the starting point of the follow-up research. This paper mainly studies the design of embedded AI engine based on the microkernel operating system, extracts the security requirements of the operating system, designs and implements the operating system from the perspective of formal verification, and considers the verification problem under the background of RTOS development, so as to avoid using too many complex data structures and algorithms in the system design and reduce the difficulty of experimental verification. In this paper, we use the spatiotemporal data model, data sharing security in the cloud environment, symmetric encryption scheme, and Paillier homomorphic encryption method to study the design of embedded AI engine based on the microkernel operating system. According to the idea of microkernel architecture, the kernel is divided into four main modules: task processing, semaphore, message queue, interrupt, and exception processing, and the lock mechanism to prevent reentrancy in software is analyzed separately. Three core function modules, initialization, process grinding, and interrupt processing, are extracted from the microkernel operating system to form the formal verification area of the operating system. At the same time, the system syntax and semantics of related rights are separated, and the main rationalization rules are described. The results show that the core of the microkernel operating system in five states adopts the microkernel architecture in the dual core environment. The microkernel architecture is a compact system kernel with good adjustability. Based on the analysis of the microkernel operating system, the internal structure of each module in the kernel is summarized, and the modules are modified according to the machine characteristics of the dual core processor; it corresponds to adding modules to meet the characteristics of dual core architecture. Kernel design is a systematic theoretical research process. This paper only uncovers the tip of the iceberg of real-time operating system kernel design on dual-core embedded processors. It is necessary to understand the kernel more deeply and master the kernel in the future work and study.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kevin Elphinstone,Yanyan Shen

DOI: https://doi.org/10.1109/DSN.2013.6575328

2013-01-01

Abstract:Advances in formal software verification has produced an operating system that is guaranteed mathematically to be correct and enforce access isolation. Such an operating system could potentially consolidate safety and security critical software on a single device where previously multiple devices were used. One of the barriers to consolidation on commodity hardware is the lack of hardware dependability features. A hardware fault triggered by cosmic rays, alpha particle strikes, etc. potentially invalidates the strong mathematical guarantees. This paper discusses improving the trustworthiness of commodity hardware to enable a verified microkernel to be used in some situations previously needing separate computers. We explore leveraging multicore processors to provide redundancy, and report the results of our initial performance investigation.

Odun-Ayo Isaac,Kennedy Okokpujie,Hannah Akinwumi,Jesse Juwe,Henry Otunuya,Oladapo Alagbe,Henry Otunuya and Oladapo Alagbe

DOI: https://doi.org/10.1088/1757-899X/1107/1/012052

2021-04-27

IOP Conference Series: Materials Science and Engineering

Abstract:The creation of Operating Systems (OSs) with Microkernels was in response to the various challenges presented by Operating Systems with Monolithic kernels. Microkernel based Operating Systems provides security and flexibility in the system. This paper reviews seven different microkernel-based Operating Systems: L4, GNU Hurd, Genode, L4re, NOVA, seL4, and Muen Separation Kernel. This analysis provides an understanding of the various trends in the Microkernel Based Operating Systems design. Research papers and official documentation of the individual microkernels served as data sources. The result in this paper shows that there has not been a significant variation in the underlying principle of minimality and how Microkernel Operating Systems approach the implementations of their inter-process communication (IPC), memory management, and scheduling.