research-article

Lightweight Capability Domains: Towards Decomposing the Linux Kernel

Published: 20 January 2016

Abstract

Despite a number of radical changes in how computer systems are used, the design principles behind the very core of the systems stack, the operating system kernel, have remained unchanged for decades. We run monolithic kernels developed with a combination of an unsafe programming language, global sharing of data structures, opaque interfaces, and no explicit knowledge of kernel protocols. Today, the monolithic architecture of a kernel is the main factor undermining its security and, even worse, limiting its evolution towards a safer, more secure environment. Lack of isolation across kernel subsystems allows attackers to take control of the entire machine with a single kernel vulnerability. Furthermore, complex, semantically rich monolithic code with globally shared data structures and no explicit interfaces is not amenable to formal analysis and verification tools. Even after decades of work to make monolithic kernels more secure, over a hundred serious kernel vulnerabilities are still reported every year.

Modern kernels need decomposition as a practical means of confining the effects of individual attacks. Historically, decomposed kernels were prohibitively slow. Today, the complexity of a modern kernel prevents a trivial decomposition effort. We argue, however, that despite all odds modern kernels can be decomposed. Careful choice of communication abstractions and execution model, a general approach to decomposition, a path for incremental adoption, and automation through proper language tools can address the complexity of decomposition and the performance overheads of decomposed kernels. Our work on lightweight capability domains (LCDs) develops principles, mechanisms, and tools that enable incremental, practical decomposition of a modern operating system kernel.



          • Published in

            ACM SIGOPS Operating Systems Review, Volume 49, Issue 2: Special Topics
            December 2015, 79 pages
            ISSN: 0163-5980
            DOI: 10.1145/2883591

            Copyright © 2016 Authors

            Publisher

            Association for Computing Machinery

            New York, NY, United States


