程龙,杨小虎

2004-01-01

Abstract:This paper illustrates a sandbox system on Linux operating system. Users can put untrusted or flawed programs running in the sandbox system,so they are isolated from other parts of the operating system. It protects the system from application exploits. Thus it greatly improves the system's security level. Deploying this sandbox system needs no modification to existing operating system kernel and applications,because it is implemented as a Linux kernel module.

Xie Jun,Huang Hao,Zhang Jia

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.005

2006-01-01

Abstract:In traditional monolithic kernel operating systems,all kernel codes run within a common and shared address space,and any vulnerabilities in kernel or any untrusted modules loaded in kernel would compromise the whole system's security.From the point of security,this paper describs a isolation mechanism for kernel modules,in which the most insecure parts of kernel are loaded as protection modules and are isolated from other parts of kernel by hardware protection mechanism.This mechanism can be used to strengthen existing monolithic kernel's reliability and security and provides a more credible platform for secuirty application softewares.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Soo Yee Lim,Sidhartha Agrawal,Xueyuan Han,David Eyers,Dan O'Keeffe,Thomas Pasquier

2024-04-12

Abstract:Monolithic operating systems, where all kernel functionality resides in a single, shared address space, are the foundation of most mainstream computer systems. However, a single flaw, even in a non-essential part of the kernel (e.g., device drivers), can cause the entire operating system to fall under an attacker's control. Kernel hardening techniques might prevent certain types of vulnerabilities, but they fail to address a fundamental weakness: the lack of intra-kernel security that safely isolates different parts of the kernel. We survey kernel compartmentalization techniques that define and enforce intra-kernel boundaries and propose a taxonomy that allows the community to compare and discuss future work. We also identify factors that complicate comparisons among compartmentalized systems, suggest new ways to compare future approaches with existing work meaningfully, and discuss emerging research directions.

Cryptography and Security,Operating Systems

Yinggang Guo,Zicheng Wang,Weiheng Bai,Qingkai Zeng,Kangjie Lu

DOI: https://doi.org/10.14722/ndss.2025.23328

2024-09-15

Abstract:The endless stream of vulnerabilities urgently calls for principled mitigation to confine the effect of exploitation. However, the monolithic architecture of commodity OS kernels, like the Linux kernel, allows an attacker to compromise the entire system by exploiting a vulnerability in any kernel component. Kernel compartmentalization is a promising approach that follows the least-privilege principle. However, existing mechanisms struggle with the trade-off on security, scalability, and performance, given the challenges stemming from mutual untrustworthiness among numerous and complex components. In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique that offers bi-directional isolation for unlimited compartments. It leverages Intel's new hardware feature PKS to isolate data and code into mutually untrusted compartments and benefits from its fast compartment switching. With untrust in mind, BULKHEAD introduces a lightweight in-kernel monitor that enforces multiple important security invariants, including data integrity, execute-only memory, and compartment interface integrity. In addition, it provides a locality-aware two-level scheme that scales to unlimited compartments. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation confirms the effectiveness of our approach. As the system-wide impacts, BULKHEAD incurs an average performance overhead of 2.44% for real-world applications with 160 compartmentalized LKMs. While focusing on a specific compartment, ApacheBench tests on ipv6 show an overhead of less than 2%. Moreover, the performance is almost unaffected by the number of compartments, which makes it highly scalable.

Cryptography and Security,Operating Systems

Jingyu Hua,Kouichi Sakurai

DOI: https://doi.org/10.1145/2245276.2232011

2012-01-01

Abstract:In the present operating systems such as Linux, all the kernel modules, including unknown extensions, run in the same address space. They are granted the highest privilege and can access arbitrary memory without any limitation. This is at the root of kernel rootkits, which are malware seriously threatening the kernel integrity. In this paper, we present Barrier , a lightweight hypervisor designed for enhancing the kernel integrity of personal computers by isolating the kernel modules. Since this hypervisor is designed for the OS protection on PCs, it does not implement unnecessary virtualization features that are commonly found on the general-purpose hypervisors to support running multiple OS instances concurrently on the same server. As a result, it is much smaller and also much easier to use, especially for unprofessional users. Barrier leverages the hardware-supported memory virtualization to isolate the kernel modules into different address spaces. All the interactions across address spaces have to go through a strict mediation based on some predefined MAC rules. This greatly increases the attacker's hardness to compromise the kernel integrity. We have implemented a prototype of Barrier. The evaluation results show that Barrier can well protect the kernel integrity without bringing unaffordable performance overheads.

Abhinav Srivastava,Jonathon Giffin

DOI: https://doi.org/10.1145/2420950.2421012

2012-01-01

Abstract:Commodity operating system kernels isolate applications via separate memory address spaces provided by virtual memory management hardware. However, kernel memory is unified and mixes core kernel code with driver components of different provenance. Kernel-level malicious software exploits this lack of isolation between the kernel and its modules by illicitly modifying security-critical kernel data structures. In this paper, we design an access control policy and enforcement system that prevents kernel components with low trust from altering security-critical data used by the kernel to manage its own execution. Our policies are at the granularity of kernel variables and structure elements, and they can protect data structures dynamically allocated at runtime. Our hypervisor-based design uses memory page protection bits as part of its policy enforcement. The granularity difference between page-level protection and variable-level policies challenges the system's ability to remain performant. We develop kernel data-layout partitioning and reorganization techniques to maintain kernel performance in the presence of our protections. We show that our system can prevent malicious modifications to security-critical kernel data with small overhead. By offering protection for critical kernel data structures, we can detect unknown kernel-level malware and guarantee that security utilities relying on the integrity of kernel-level state remain accurate.

A.S. Tanenbaum,J.N. Herder,H. Bos

DOI: https://doi.org/10.1109/mc.2006.156

2006-05-01

Computer

Abstract:Microkernels long discarded as unacceptable because of their lower performance compared with monolithic kernels might be making a comeback in operating systems due to their potentially higher reliability, which many researchers now regard as more important than performance. Each of the four different attempts to improve operating system reliability focuses on preventing buggy device drivers from crashing the system. In the Nooks approach, each driver is individually hand wrapped in a software jacket to carefully control its interactions with the rest of the operating system, but it leaves all the drivers in the kernel. The paravirtual machine approach takes this one step further and moves the drivers to one or more machines distinct from the main one, taking away even more power from the drivers. Both of these approaches are intended to improve the reliability of existing (legacy) operating systems. In contrast, two other approaches replace legacy operating systems with more reliable and secure ones. The multiserver approach runs each driver and operating system component in a separate user process and allows them to communicate using the microkernel's IPC mechanism. Finally, Singularity, the most radical approach, uses a type-safe language, a single address space, and formal contracts to carefully limit what each module can do.

computer science, software engineering, hardware & architecture

于淑英,黄皓,刘国斌

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.01.064

2009-01-01

Computer Science

Abstract:To avoid the security mechanism applied in operating systems being bypassed or tampered,this paper proposed the use of micro-kernel,multiserver architecture to assure the integrity of security kernel.Process isolation and message passing provided by the micro-kernel make the processes above isolated and protect the integrity of them effectively.Simplicity and modularity,the most obvious advantages of micro-kernel,laid an excellent base for the future formal verification.The prototype operating system,Nutos,was presented as an example on how to use these mechanisms to enforce security.It combined the multiserver architecture and the Flask security infrastructure to provide for flexibi-lity in security policies and integrity assurance for security sever and reference monitor.

Jianjun Shen,Sihan Qing,Qingni Shen

DOI: https://doi.org/10.1109/iaw.2006.1652123

2006-01-01

Abstract:We describe the Trium secure system architecture. It is based on Fiasco an implementation of the L4 microkernel interface - and L4Env - a programming environment for L4 systems. Compared to previous work on microkernel based secure systems, such as TMach and DTOS, Trium tries to minimize the trusted computing base (TCB) of a secure system by moving most functions of an operating system (OS) out of the TCB, and it emphasizes on the reuse of legacy software. We also try to achieve better isolation, privilege control and flexible configuration of system components, taking advantage of the specific features of the L4 microkernel as a second generation microkernel

Ahmed M. Azab,Kirk Swidowski,Rohan Bhutkar,Jia Ma,Wenbo Shen,Ruowen Wang,Peng Ning

DOI: https://doi.org/10.14722/ndss.2016.23009

2016-01-01

Abstract:Previous research on kernel monitoring and protection widely relies on higher privileged system components, such as hardware virtualization extensions, to isolate security tools from potential kernel attacks.These approaches increase both the maintenance effort and the code base size of privileged system components, which consequently increases the risk of having security vulnerabilities.SKEE, which stands for Secure Kernellevel Execution Environment, solves this fundamental problem.SKEE is a novel system that provides an isolated lightweight execution environment at the same privilege level of the kernel.SKEE is designed for commodity ARM platforms.Its main goal is to allow secure monitoring and protection of the kernel without active involvement of higher privileged software.SKEE provides a set of novel techniques to guarantee isolation.It creates a protected address space that is not accessible to the kernel, which is challenging to achieve when both the kernel and the isolated environment share the same privilege level.SKEE solves this challenge by preventing the kernel from managing its own memory translation tables.Hence, the kernel is forced to switch to SKEE to modify the system's memory layout.In turn, SKEE verifies that the requested modification does not compromise the isolation of the protected address space.Switching from the OS kernel to SKEE exclusively passes through a well-controlled switch gate.This switch gate is carefully designed so that its execution sequence is atomic and deterministic.These properties combined guarantee that a potentially compromised kernel cannot exploit the switching sequence to compromise the isolation.If the kernel attempts to violate these properties, it will only cause the system to fail without exposing the protected address space.SKEE exclusively controls access permissions of the entire OS memory.Hence, it prevents attacks that attempt to inject unverified code into the kernel.Moreover, it can be easily extended to intercept other system events in order to support various intrusion detection and integrity verification tools.This paper presents a SKEE prototype that runs on both 32-bit ARMv7 and 64-bit ARMv8 architectures.Performance evaluation results demonstrate that SKEE is a practical solution for real world systems.1 These authors contributed equally to this work I. INTRODUCTIONMany of the current commodity operating systems, like Linux, Windows, and FreeBSD, rely on monolithic kernels, which store security and access control policies in memory regions that are accessible to their whole code base.Hence, the security of the whole system relies on a large Trusted Computing Base (TCB) that includes the base kernel code in addition to potentially buggy device drivers.An exploit of a monolithic kernel would allow complete access to the entire system memory and resources.In addition, it can effectively bypass kernel level security protection mechanisms.Recent incidents [1], [2], [5], [28], [32], [53] show that exploiting the OS kernel is a real threat.Hence, there is a need for security tools that provide monitoring and protection of the kernel.These tools have to be properly isolated so that they are protected from potential kernel exploitation.

Zihan Yang,Zeyu Mi,Yubin Xia

DOI: https://doi.org/10.1109/sose.2019.00044

2019-01-01

Abstract:The prevalence of Cloud Computing has appealed many users to put their business into low-cost and flexible cloud servers instead of bare-metal machines. Most virtual machines in the cloud run commodity operating system(e.g., linux), and the complexity of such operating systems makes them more bug-prone and easier to be compromised. To mitigate the security threats, previous works attempt to mediate and filter system calls, transform all unpopular paths into popular paths, or implement a nested kernel along with the untrusted outter kernel to enforce certain security policies. However, such solutions only enforce read-only protection or assume that popular paths in the kernel to contain almost no bug, which is not always the case in the real world. To overcome their shortcomings and combine their advantages as much as possible, we propose a hardware-assisted isolation mechanism that isolates untrusted part of the kernel. To achieve isolation, we prepare multiple restricted Extended Page Table (EPT) during boot time, each of which has certain critical data unmapped from it so that the code executing in the isolated environment could not access sensitive data. We leverage the VMFUNC instruction already available in recent Intel processors to directly switch to another pre-defined EPT inside guest virtual machine without trapping into the underlying hypervisor, which is faster than the traditional trap-and-emulate procedure. The semantic gap is minimized and real-time check is achieved by allowing EPT violations to be converted to Virtualization Exception (VE), which could be handled inside guest kernel in non-root mode. Our preliminary evaluation shows that with hardware virtualization feature, we are able to run the untrusted code in an isolated environment with negligible overhead.

Liang DENG,Qing-Kai ZENG

DOI: https://doi.org/10.13328/j.cnki.jos.005017

2016-01-01

Abstract:In commodity OS, the OS kernel runs in the highest privilege layer to manage hardware resources and provides system services. Thus, security-sensitive applications are vulnerable to compromises the underlying untrusted kernel. In this paper, an approach named AppFort is proposed to protect applications from an untrusted OS kernel. To address the high overheads of existing solutions, AppFort makes use of the unique combination of an x86 hardware feature (operand address size), kernel code integrity protection and kernel control flow integrity protection, to intercept and verify both hardware and software operations of the untrusted kernel. As a result, AppFort efficiently protects application's memory, control flows and file I/O, even if the kernel is fully compromised. Experimental results demonstrate that AppFort only incurs very small overhead, which is much better than previous work.

Jianbao Ren,Yong Qi,Yuehua Dai,Xiaoguang Wang,Yi Shi

DOI: https://doi.org/10.1145/2817817.2731199

2015-01-01

Abstract:Malicious OS kernel can easily access user's private data in main memory and pries human-machine interaction data, even one that employs privacy enforcement based on application level or OS level. This paper introduces AppSec, a hypervisor-based safe execution environment, to protect both the memory data and human-machine interaction data of security sensitive applications from the untrusted OS transparently. AppSec provides several security mechanisms on an untrusted OS. AppSec introduces a safe loader to check the code integrity of application and dynamic shared objects. During runtime, AppSec protects application and dynamic shared objects from being modified and verifies kernel memory accesses according to application's intention. AppSec provides a devices isolation mechanism to prevent the human-machine interaction devices being accessed by compromised kernel. On top of that, AppSec further provides a privileged-based window system to protect application's X resources. The major advantages of AppSec are threefold. First, AppSec verifies and protects all dynamic shared objects during runtime. Second, AppSec mediates kernel memory access according to application's intention but not encrypts all application's data roughly. Third, AppSec provides a trusted I/O path from end-user to application. A prototype of AppSec is implemented and shows that AppSec is efficient and practical.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

Wen-Zhi Chen,Zhi-Peng Zhang,Jian-Hua Yang,Qin-Ming He

DOI: https://doi.org/10.1109/ISME.2010.172

2010-01-01

Abstract:Cerberus is a tiny x86 virtual machine monitor. It allows security sensitive codes to be executed in an isolated circumstance. The codes could attest their integrity to a remote party by a two-step attestation provided by Cerberus. Cerberus does not require the security sensitive applications to be modified or recompiled to run on it. These applications are packaged with the operating systems as virtual appliances (VA). The on-disk VA files are read-only to simplify the attestation process. Any storage file is sealed to the corresponding secure domain. Cerberus leveraged the nested paging technology to isolate the memory regions efficiently. And it also introduced a novel secure display sharing technology. It can guarantee the security property even when the attackers get control of everything but the core hardware infrastructures. Our performance experiment results show that the overhead introduced by Cerberus is less than 5%.

Tun Wang,Yu Tian

DOI: https://doi.org/10.1155/2022/9304019

2022-04-21

Wireless Communications and Mobile Computing

Abstract:At present, the application of the embedded microkernel operating system in military and civil fields has begun to take shape, but it has not yet formed a unified method and standard. Due to its high performance, low frequency, and high reliability, dual-core embedded processors are getting the attention of many chip manufacturers. Compatibility has been favored by many telecom equipment manufacturers and embedded high-end application integrators, but the dual-core embedded processor needs a new real-time operating system to support it, so that it can give full play to the high performance of the dual-core. It paves the way for the application of its processor in the embedded field, but the design of embedded AI engine is not transparent to it; so, it needs the support of operating system. The user code is used to be in the operating system processor environment; so, it can be used on dual core processor first. In the real-time operating system that supports dual-core processors, the part that needs to be modified is mainly concentrated in the kernel part; so, the core design is the key point to support dual-core processors. This article is to seize this key point to carry out in-depth research. The difference and influence of hardware architecture between dual-core processor and single-core processor are the primary content of the study. Through the research of the dual-core processor architecture, the general abstraction of the dual-core processor architecture is obtained, which is the starting point of the follow-up research. This paper mainly studies the design of embedded AI engine based on the microkernel operating system, extracts the security requirements of the operating system, designs and implements the operating system from the perspective of formal verification, and considers the verification problem under the background of RTOS development, so as to avoid using too many complex data structures and algorithms in the system design and reduce the difficulty of experimental verification. In this paper, we use the spatiotemporal data model, data sharing security in the cloud environment, symmetric encryption scheme, and Paillier homomorphic encryption method to study the design of embedded AI engine based on the microkernel operating system. According to the idea of microkernel architecture, the kernel is divided into four main modules: task processing, semaphore, message queue, interrupt, and exception processing, and the lock mechanism to prevent reentrancy in software is analyzed separately. Three core function modules, initialization, process grinding, and interrupt processing, are extracted from the microkernel operating system to form the formal verification area of the operating system. At the same time, the system syntax and semantics of related rights are separated, and the main rationalization rules are described. The results show that the core of the microkernel operating system in five states adopts the microkernel architecture in the dual core environment. The microkernel architecture is a compact system kernel with good adjustability. Based on the analysis of the microkernel operating system, the internal structure of each module in the kernel is summarized, and the modules are modified according to the machine characteristics of the dual core processor; it corresponds to adding modules to meet the characteristics of dual core architecture. Kernel design is a systematic theoretical research process. This paper only uncovers the tip of the iceberg of real-time operating system kernel design on dual-core embedded processors. It is necessary to understand the kernel more deeply and master the kernel in the future work and study.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hsuan-Chi Kuo,Akshith Gunasekaran,Yeongjin Jang,Sibin Mohan,Rakesh B. Bobba,David Lie,Jesse Walker

DOI: https://doi.org/10.48550/arXiv.1903.06889

2019-03-16

Abstract:We present, MultiK, a Linux-based framework 1 that reduces the attack surface for operating system kernels by reducing code bloat. MultiK "orchestrates" multiple kernels that are specialized for individual applications in a transparent manner. This framework is flexible to accommodate different kernel code reduction techniques and, most importantly, run the specialized kernels with near-zero additional runtime overheads. MultiK avoids the overheads of virtualization and runs natively on the system. For instance, an Apache instance is shown to run on a kernel that has (a) 93.68% of its code reduced, (b) 19 of 23 known kernel vulnerabilities eliminated and (c) with negligible performance overheads (0.19%). MultiK is a framework that can integrate with existing code reduction and OS security techniques. We demonstrate this by using D-KUT and S-KUT -- two methods to profile and eliminate unwanted kernel code. The whole process is transparent to the user applications because MultiK does not require a recompilation of the application.

Operating Systems

D. Tian,Dongyan Xu,Arslan Khan

DOI: https://doi.org/10.1109/SP46215.2023.10179285

2023-05-01

Abstract:Embedded systems comprise of low-power microcontrollers and constitute computing systems from IoT nodes to supercomputers. Unfortunately, due to the low power constraint, the security of these systems is often overlooked, leaving a huge attack surface. For instance, an attacker compromising a user task can access any kernel data structure. Existing work has applied compartmentalization to reduce the attack surface, but these systems either incur a high runtime overhead or require major modifications to existing firmware. In this paper, we present Embedded Compartmentalizer (EC), a comprehensive and automatic compartmentalization toolchain for Real-Time Operating Systems (RTOSs) and baremetal firmware. EC provides the Embedded Compartmentalizer Compiler (ECC) to automatically partition firmware into different compartments and enforces memory protection among them using the Embedded Compartmentalizer Kernel (ECK), a formally verified microkernel implementing a novel architecture for compartmentalizing firmware using intra-kernel isolation. Our evaluation shows that EC is 1.2x faster than state-of-the-art systems and can achieve up to 96.2% ROP gadget reduction in firmwares. EC provides a low-cost, practical, and effective compartmentalization solution for embedded systems with memory protection and debug hardware extension.

Engineering,Computer Science

CHEN Zhiping,LEI Hang,YANG Xia,LI Huan

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.01.028

2007-01-01

Abstract:Based on research and analysis of traditional embedded operating system security theories and technologies, combining with characteristics of embedded operating system, this paper puts forward a security kernel frame fit for embedded operating system: ESK(embedded security kernel). It has the characteristics as follows: self-determination configuring security attributions, mandatory access control, security signs and multi-strategy determinant. Through the reconstruction of Win CE operating system, the validity of the security kernel frame is validated.