Abstract
Despite a number of radical changes in how computer systems are used, the design principles behind the very core of the systems stack, the operating system kernel, have remained unchanged for decades. We run monolithic kernels developed with a combination of an unsafe programming language, global sharing of data structures, opaque interfaces, and no explicit knowledge of kernel protocols. Today, the monolithic architecture of a kernel is the main factor undermining its security and, even worse, limiting its evolution towards a safer, more secure environment. Lack of isolation across kernel subsystems allows attackers to take control of the entire machine with a single kernel vulnerability. Furthermore, complex, semantically rich monolithic code with globally shared data structures and no explicit interfaces is not amenable to formal analysis and verification tools. Even after decades of work to make monolithic kernels more secure, over a hundred serious kernel vulnerabilities are still reported every year.
Modern kernels need decomposition as a practical means of confining the effects of individual attacks. Historically, decomposed kernels were prohibitively slow. Today, the complexity of a modern kernel prevents a trivial decomposition effort. We argue, however, that despite all odds modern kernels can be decomposed. Careful choice of communication abstractions and execution model, a general approach to decomposition, a path for incremental adoption, and automation through proper language tools can address the complexity of decomposition and the performance overheads of decomposed kernels. Our work on lightweight capability domains (LCDs) develops principles, mechanisms, and tools that enable incremental, practical decomposition of a modern operating system kernel.
Lightweight Capability Domains: Towards Decomposing the Linux Kernel. PLOS '15: Proceedings of the 8th Workshop on Programming Languages and Operating Systems.