Michael M. Swift,Brian N. Bershad,Henry M. Levy

DOI: https://doi.org/10.1145/1047915.1047919

2005-02-02

ACM Transactions on Computer Systems

Abstract:Despite decades of research in extensible operating system technology, extensions such as device drivers remain a significant cause of system failures. In Windows XP, for example, drivers account for 85% of recently reported failures.This article describes Nooks, a reliability subsystem that seeks to greatly enhance operating system (OS) reliability by isolating the OS from driver failures. The Nooks approach is practical: rather than guaranteeing complete fault tolerance through a new (and incompatible) OS or driver architecture, our goal is to prevent the vast majority of driver-caused crashes with little or no change to the existing driver and system code. Nooks isolates drivers within lightweight protection domains inside the kernel address space, where hardware and software prevent them from corrupting the kernel. Nooks also tracks a driver's use of kernel resources to facilitate automatic cleanup during recovery.To prove the viability of our approach, we implemented Nooks in the Linux operating system and used it to fault-isolate several device drivers. Our results show that Nooks offers a substantial increase in the reliability of operating systems, catching and quickly recovering from many faults that would otherwise crash the system. Under a wide range and number of fault conditions, we show that Nooks recovers automatically from 99% of the faults that otherwise cause Linux to crash.While Nooks was designed for drivers, our techniques generalize to other kernel extensions. We demonstrate this by isolating a kernel-mode file system and an in-kernel Internet service. Overall, because Nooks supports existing C-language extensions, runs on a commodity operating system and hardware, and enables automated recovery, it represents a substantial step beyond the specialized architectures and type-safe languages required by previous efforts directed at safe extensibility.

computer science, theory & methods

XIE Jun,ZHANG Tao,ZHANG Shi-geng,HUANG Hao

2005-01-01

Abstract:In traditional monolithic kernel operating systems, all kernel codes run within a common and shared address space, and any vulnerabilities in kernel or any untrusted modules loaded in kernel would compromise the whole system security. The development of a layered and separated secure kernel was described in this paper. Since the powers of kernel are partitioned, the vulnerabilities of kernel are confined, and arbitrarily tampering of kernel by malice codes was prevented. The prototype system is entirely developed from beginning for the i386 architecture.

Soo Yee Lim,Sidhartha Agrawal,Xueyuan Han,David Eyers,Dan O'Keeffe,Thomas Pasquier

2024-04-12

Abstract:Monolithic operating systems, where all kernel functionality resides in a single, shared address space, are the foundation of most mainstream computer systems. However, a single flaw, even in a non-essential part of the kernel (e.g., device drivers), can cause the entire operating system to fall under an attacker's control. Kernel hardening techniques might prevent certain types of vulnerabilities, but they fail to address a fundamental weakness: the lack of intra-kernel security that safely isolates different parts of the kernel. We survey kernel compartmentalization techniques that define and enforce intra-kernel boundaries and propose a taxonomy that allows the community to compare and discuss future work. We also identify factors that complicate comparisons among compartmentalized systems, suggest new ways to compare future approaches with existing work meaningfully, and discuss emerging research directions.

Cryptography and Security,Operating Systems

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Odun-Ayo Isaac,Kennedy Okokpujie,Hannah Akinwumi,Jesse Juwe,Henry Otunuya,Oladapo Alagbe,Henry Otunuya and Oladapo Alagbe

DOI: https://doi.org/10.1088/1757-899X/1107/1/012052

2021-04-27

IOP Conference Series: Materials Science and Engineering

Abstract:The creation of Operating Systems (OSs) with Microkernels was in response to the various challenges presented by Operating Systems with Monolithic kernels. Microkernel based Operating Systems provides security and flexibility in the system. This paper reviews seven different microkernel-based Operating Systems: L4, GNU Hurd, Genode, L4re, NOVA, seL4, and Muen Separation Kernel. This analysis provides an understanding of the various trends in the Microkernel Based Operating Systems design. Research papers and official documentation of the individual microkernels served as data sources. The result in this paper shows that there has not been a significant variation in the underlying principle of minimality and how Microkernel Operating Systems approach the implementations of their inter-process communication (IPC), memory management, and scheduling.

Yijing Song,Huasheng Dai,Jinhu Jiang,Weihua Zhang

DOI: https://doi.org/10.1051/sands/2023007

2023-01-01

Abstract:With the trend of digitalization, intelligence, and networking sweeping the world, functional safety and cyber security are increasingly intertwined and overlapped, evolving into the issue of generalized functional safety. Traditional system reliability technology and network defense technology cannot provide quantifiable design implementation theories and methods. As the cornerstone of software systems, operating systems in particular are in need of efficient safety assurance. The DHR architecture is a mature and comprehensive solution, and it is necessary to implement an OS-level DHR architecture, for which the multi-kernel operating system is a good carrier. The multi-kernel operating system takes the kernel as the processing scenario element and constructs redundancy, heterogeneity, and dynamism on the kernel, so it has the generalized robustness of the DHR architecture. This article analyzes the significance and requirements of OS-level DHR architecture, and systematically explains how the multi-kernel operating system responds to the requirements of OS-level DHR architecture by analyzing the technical routes of multi-kernel operating systems and develops an operating system solution idea for the generalized functionally safety.

Kevin Elphinstone,Amirreza Zarrabi,Kent Mcleod,Gernot Heiser

DOI: https://doi.org/10.1145/3124680.3124727

2017-09-02

Abstract:In the paper, we argue that it is worthwhile to revisit building microkernel-based multiserver operating systems, and introduce a multiserver OS architecture. We argue that recent formal verification of microkernels provides a compelling platform for constructing general purpose systems, and that existing systems are not appropriate to take advantage of a formally verified microkernel. Our vision is of mostly-POSIX multiserver systems based on rump kernels, with a small set of fundamental services and frameworks. We expect the approach to provide a balance between componentisation, development effort, and legacy system compatibility. We present our initial efforts with a promising performance evaluation of a rump kernel running on seL4.

于淑英,黄皓,刘国斌

DOI: https://doi.org/10.3969/j.issn.1002-137x.2009.01.064

2009-01-01

Computer Science

Abstract:To avoid the security mechanism applied in operating systems being bypassed or tampered,this paper proposed the use of micro-kernel,multiserver architecture to assure the integrity of security kernel.Process isolation and message passing provided by the micro-kernel make the processes above isolated and protect the integrity of them effectively.Simplicity and modularity,the most obvious advantages of micro-kernel,laid an excellent base for the future formal verification.The prototype operating system,Nutos,was presented as an example on how to use these mechanisms to enforce security.It combined the multiserver architecture and the Flask security infrastructure to provide for flexibi-lity in security policies and integrity assurance for security sever and reference monitor.

Abhinav Srivastava,Jonathon Giffin

DOI: https://doi.org/10.1145/2420950.2421012

2012-01-01

Abstract:Commodity operating system kernels isolate applications via separate memory address spaces provided by virtual memory management hardware. However, kernel memory is unified and mixes core kernel code with driver components of different provenance. Kernel-level malicious software exploits this lack of isolation between the kernel and its modules by illicitly modifying security-critical kernel data structures. In this paper, we design an access control policy and enforcement system that prevents kernel components with low trust from altering security-critical data used by the kernel to manage its own execution. Our policies are at the granularity of kernel variables and structure elements, and they can protect data structures dynamically allocated at runtime. Our hypervisor-based design uses memory page protection bits as part of its policy enforcement. The granularity difference between page-level protection and variable-level policies challenges the system's ability to remain performant. We develop kernel data-layout partitioning and reorganization techniques to maintain kernel performance in the presence of our protections. We show that our system can prevent malicious modifications to security-critical kernel data with small overhead. By offering protection for critical kernel data structures, we can detect unknown kernel-level malware and guarantee that security utilities relying on the integrity of kernel-level state remain accurate.

Sufyan Samara,Yuhong Zhao,Franz J. Rammig

DOI: https://doi.org/10.1007/978-3-642-15234-4_11

2010-01-01

Abstract:This paper presents a novel flexible, dependable, and reliable operating system design for distributed reconfigurable system on chip. The dependability and reliability are achieved by integrating online model checking technique. Each OS service has different implementations which are further partitioned into small blocks. This operating system design allows the OS service to be adapted at runtime according to the given resource requirements and response time. Such adaptable services may be required by real time safety-critical applications. The flexibility introduced in executing adaptable OS services also gives rise to a potential safety problem. Thus, online model checking is integrated to the operating system so as to improve the dependability, reliability, and fault tolerance of these adaptable OS services.

Kristis Makris,Kyung Dong Ryu

DOI: https://doi.org/10.1145/1272998.1273031

2007-06-01

ACM SIGOPS Operating Systems Review

Abstract:Continuously running systems require kernel software updates applied to them without downtime. Facilitating fast reboots, or delaying an update may not be a suitable solution in many environments, especially in pay-per-use high-performance computing clusters and mission critical systems. Such systems will not reap the benefits of new kernel features, and will continue to operate with kernel security holes unpatched, at least until the next scheduled maintenance downtime. To address these problems we developed an on-the-fly kernel updating system that enables commodity operating systems to gain adaptive and mutative capabilities without kernel recompilation or reboot. Our system, DynAMOS, employs a novel and efficient dynamic code instrumentation technique termed adaptive function cloning . Execution flow can be switched adaptively among multiple editions of functions, possibly concurrently running. This approach becomes the foundation for dynamic replacement of non-quiescent kernel subsystems when the timeliness of an update depends on synchronization of multiple kernel paths. We illustrate our experience by dynamically updating core subsystems of the Linux kernel.

English Else

Xie Jun,Huang Hao,Zhang Jia

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.005

2006-01-01

Abstract:In traditional monolithic kernel operating systems,all kernel codes run within a common and shared address space,and any vulnerabilities in kernel or any untrusted modules loaded in kernel would compromise the whole system's security.From the point of security,this paper describs a isolation mechanism for kernel modules,in which the most insecure parts of kernel are loaded as protection modules and are isolated from other parts of kernel by hardware protection mechanism.This mechanism can be used to strengthen existing monolithic kernel's reliability and security and provides a more credible platform for secuirty application softewares.

Jingyu Hua,Kouichi Sakurai

DOI: https://doi.org/10.1145/2245276.2232011

2012-01-01

Abstract:In the present operating systems such as Linux, all the kernel modules, including unknown extensions, run in the same address space. They are granted the highest privilege and can access arbitrary memory without any limitation. This is at the root of kernel rootkits, which are malware seriously threatening the kernel integrity. In this paper, we present Barrier , a lightweight hypervisor designed for enhancing the kernel integrity of personal computers by isolating the kernel modules. Since this hypervisor is designed for the OS protection on PCs, it does not implement unnecessary virtualization features that are commonly found on the general-purpose hypervisors to support running multiple OS instances concurrently on the same server. As a result, it is much smaller and also much easier to use, especially for unprofessional users. Barrier leverages the hardware-supported memory virtualization to isolate the kernel modules into different address spaces. All the interactions across address spaces have to go through a strict mediation based on some predefined MAC rules. This greatly increases the attacker's hardness to compromise the kernel integrity. We have implemented a prototype of Barrier. The evaluation results show that Barrier can well protect the kernel integrity without bringing unaffordable performance overheads.

Jaemin Hong,Sunghwan Shim,Sanguk Park,Taewoo Kim,Jungwoo Kim,Junsoo Lee,Sukyoung Ryu,Jeehoon Kang

DOI: https://doi.org/10.1016/j.scico.2024.103152

IF: 1.039

2024-05-29

Science of Computer Programming

Abstract:Operating systems (OSs) suffer from pervasive memory bugs. Their primary source is shared mutable states, crucial to low-level control and efficiency. The safety of shared mutable states is not guaranteed by C/C++, in which legacy OSs are typically written. Recently, researchers have adopted Rust into OS development to implement clean-slate OSs with fewer memory bugs. Rust ensures the safety of shared mutable states that follow the "aliasing XOR mutability" discipline via its type system. With the success of Rust in clean-slate OSs, the industry has become interested in rewriting legacy OSs in Rust. However, one of the most significant obstacles to this goal is shared mutable states that are aliased AND mutable (A&M). While they are essential to the performance of legacy OSs, Rust does not guarantee their safety. Instead, programmers have identified A&M states with the same reasoning principle dubbed an A&M pattern and implemented its modular abstraction to facilitate safety reasoning. This paper investigates modular abstractions for A&M patterns in legacy OSs. We present modular abstractions for six A&M patterns in the xv6 OS. Our investigation of Linux and clean-slate Rust OSs shows that the patterns are practical, as all of them are utilized in Linux, and the abstractions are original, as none of them are found in the Rust OSs. Using the abstractions, we implemented xv6 Rust , a complete rewrite of xv6 in Rust. The abstractions incur no run-time overhead compared to xv6 while reducing the reasoning cost of xv6 Rust to the level of the clean-slate Rust OSs.

computer science, software engineering

Ruslan Nikolaev,Mincheol Sung,Binoy Ravindran

DOI: https://doi.org/10.1145/3381052.3381316

2020-02-21

Abstract:We present LibrettOS, an OS design that fuses two paradigms to simultaneously address issues of isolation, performance, compatibility, failure recoverability, and run-time upgrades. LibrettOS acts as a microkernel OS that runs servers in an isolated manner. LibrettOS can also act as a library OS when, for better performance, selected applications are granted exclusive access to virtual hardware resources such as storage and networking. Furthermore, applications can switch between the two OS modes with no interruption at run-time. LibrettOS has a uniquely distinguishing advantage in that, the two paradigms seamlessly coexist in the same OS, enabling users to simultaneously exploit their respective strengths (i.e., greater isolation, high performance). Systems code, such as device drivers, network stacks, and file systems remain identical in the two modes, enabling dynamic mode switching and reducing development and maintenance costs. To illustrate these design principles, we implemented a prototype of LibrettOS using rump kernels, allowing us to reuse existent, hardened NetBSD device drivers and a large ecosystem of POSIX/BSD-compatible applications. We use hardware (VM) virtualization to strongly isolate different rump kernel instances from each other. Because the original rumprun unikernel targeted a much simpler model for uniprocessor systems, we redesigned it to support multicore systems. Unlike kernel-bypass libraries such as DPDK, applications need not be modified to benefit from direct hardware access. LibrettOS also supports indirect access through a network server that we have developed. Applications remain uninterrupted even when network components fail or need to be upgraded. Finally, to efficiently use hardware resources, applications can dynamically switch between the indirect and direct modes based on their I/O load at run-time. [full abstract is in the paper]

Operating Systems

Hanfei Chen,Jingxiang Dong,Youxian Sun

DOI: https://doi.org/10.1109/wcica.2004.1342251

2004-01-01

Abstract:Design of ultra-reliable real-time fault-tolerant multiprocessor systems is complexity and time-consumed. Previous systems mainly rely on special hardware and special operating systems. Current commercial real time operating systems can't satisfy the requirement of ultra-reliable systems, we present the approach to the design of fault-tolerant operating system, which based on COTS software and hardware. By introducing the redundant mechanism on multiprocessor systems into the COTS operating system's kernel, our fault-tolerant operating system completely supports the ultra-reliable real time application.

Yizhou Shan,Sumukh Hallymysore,Yutong Huang,Yilun Chen,Yiying Zhang

DOI: https://doi.org/10.1145/3127479.3131617

2017-01-01

Abstract:Recently, there is an emerging trend to move towards a disaggregated hardware architecture that breaks monolithic servers into independent hardware components that are connected to a fast, scalable network [1, 2]. The disaggregated architecture offers several benefits over traditional monolithic server model, including better resource utilization, ease of hardware deployment, and support for heterogeneity. Our vision of the future disaggregated architecture is that each component will have its own controller to manage its hardware and can communicate with other components through a fast network.

Yinggang Guo,Zicheng Wang,Weiheng Bai,Qingkai Zeng,Kangjie Lu

DOI: https://doi.org/10.14722/ndss.2025.23328

2024-09-15

Abstract:The endless stream of vulnerabilities urgently calls for principled mitigation to confine the effect of exploitation. However, the monolithic architecture of commodity OS kernels, like the Linux kernel, allows an attacker to compromise the entire system by exploiting a vulnerability in any kernel component. Kernel compartmentalization is a promising approach that follows the least-privilege principle. However, existing mechanisms struggle with the trade-off on security, scalability, and performance, given the challenges stemming from mutual untrustworthiness among numerous and complex components. In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique that offers bi-directional isolation for unlimited compartments. It leverages Intel's new hardware feature PKS to isolate data and code into mutually untrusted compartments and benefits from its fast compartment switching. With untrust in mind, BULKHEAD introduces a lightweight in-kernel monitor that enforces multiple important security invariants, including data integrity, execute-only memory, and compartment interface integrity. In addition, it provides a locality-aware two-level scheme that scales to unlimited compartments. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation confirms the effectiveness of our approach. As the system-wide impacts, BULKHEAD incurs an average performance overhead of 2.44% for real-world applications with 160 compartmentalized LKMs. While focusing on a specific compartment, ApacheBench tests on ipv6 show an overhead of less than 2%. Moreover, the performance is almost unaffected by the number of compartments, which makes it highly scalable.

Cryptography and Security,Operating Systems

Alexandru Paler

2024-10-17

Abstract:A quantum operating system (QCOS) is a classic software running on classic hardware. The QCOS is preparing, starting, controlling and managing quantum computations. The reliable execution of fault-tolerant quantum computations will require the QCOS to be as reliable and fault-tolerant as the computation itself. In the following, we discuss why a QCOS should be architected according to the following principles: 1) using a microkernel; 2) the components are working in an aggregated, non-stacked manner and communicate by message passing; 3) the components are executed by default on supercomputers, unless there are very good reasons not to. These principles can guarantee that the execution of error-corrected, fault-tolerant quantum computation is not vulnerable to the failures of the QCOS.

Quantum Physics

Hsuan-Chi Kuo,Akshith Gunasekaran,Yeongjin Jang,Sibin Mohan,Rakesh B. Bobba,David Lie,Jesse Walker

DOI: https://doi.org/10.48550/arXiv.1903.06889

2019-03-16

Abstract:We present, MultiK, a Linux-based framework 1 that reduces the attack surface for operating system kernels by reducing code bloat. MultiK "orchestrates" multiple kernels that are specialized for individual applications in a transparent manner. This framework is flexible to accommodate different kernel code reduction techniques and, most importantly, run the specialized kernels with near-zero additional runtime overheads. MultiK avoids the overheads of virtualization and runs natively on the system. For instance, an Apache instance is shown to run on a kernel that has (a) 93.68% of its code reduced, (b) 19 of 23 known kernel vulnerabilities eliminated and (c) with negligible performance overheads (0.19%). MultiK is a framework that can integrate with existing code reduction and OS security techniques. We demonstrate this by using D-KUT and S-KUT -- two methods to profile and eliminate unwanted kernel code. The whole process is transparent to the user applications because MultiK does not require a recompilation of the application.

Operating Systems