Preventing Kernel Hacks with HAKC

Commodity operating system kernels remain monolithic for practical and historical reasons. All kernel code shares a single address space, executes with elevated processor privileges, and has largely unhindered access to all data, including data irrelevant to the completion of a specific task. Applying the principle of least privilege, which limits available resources only to those needed to perform a particular task, to compartmentalize the kernel would realize major security gains, similar to microkernels yet without the major redesign effort. Here, we introduce a compartmentalization design, called Hardware-Assisted Kernel Compartmentalization (HAKC), that approximates least privilege separation, while minimizing both developer effort and performance overhead. HAKC divides code and data into separate partitions, and specifies an access policy for each partition. Data is owned by a single partition, and a partition's access-control policy is enforced at runtime, preventing unauthorized data access. When a partition needs to transfer control flow to outside itself, data ownership is transferred to the target, and transferred back upon return. The HAKC design allows for isolating code and data from the rest of the kernel, without utilizing any additional Trusted Computing Base while compartmentalized code is executing. Instead, HAKC relies on hardware for enforcement.
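The ownership-transfer policy the abstract describes, as a runnable software model added here; it is not HAKC's own code (HAKC enforces the policy in hardware, this model performs the same checks explicitly), and the partition ids, the bitmask policy representation and all helper names are assumptions of the model:

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of the abstract's rules: each data object is owned by exactly one
 * partition; each partition has an access policy naming the partitions whose
 * data it may touch; on a cross-partition call, ownership of the data moves
 * to the callee for the call's duration and returns to the caller afterwards. */

#define MAX_PARTS 8

typedef uint8_t  part_id;
typedef uint32_t part_mask;     /* bit i set => data owned by partition i is accessible */

typedef struct {
    part_id owner;              /* the single partition that owns this object */
    int     value;              /* payload; stand-in for real kernel data */
} obj_t;

static part_mask policy[MAX_PARTS];  /* per-partition access policy (constructed) */
static part_id   current = 0;        /* partition currently executing */

void set_policy(part_id p, part_mask may_access) { policy[p] = may_access; }
void enter_partition(part_id p) { current = p; }

/* Runtime check: the executing partition may touch obj only if obj's owner
 * is covered by its policy. Returns false (denied) rather than faulting. */
bool can_access(const obj_t *obj) { return (policy[current] & (1u << obj->owner)) != 0; }

/* Read attempt: *out is written only on an authorized access. */
bool read_obj(const obj_t *obj, int *out) {
    if (!can_access(obj)) return false;
    *out = obj->value;
    return true;
}

/* Cross-partition call: ownership of obj is transferred to target, the callee
 * runs as target, and both control and ownership are restored on return. */
bool call_partition(part_id target, obj_t *obj, bool (*fn)(const obj_t *, int *), int *out) {
    part_id prev_owner = obj->owner, caller = current;
    obj->owner = target;        /* ownership moves to the callee */
    current = target;
    bool ok = fn(obj, out);
    current = caller;
    obj->owner = prev_owner;    /* ownership transferred back on return */
    return ok;
}

/* Three cases from the abstract: the owner reads its own data, a foreign
 * partition without ownership is denied, and a cross-partition call succeeds
 * because ownership was transferred. Returns how many behaved as specified. */
int demo(void) {
    set_policy(0, 1u << 0);     /* partition 0 may access only its own data */
    set_policy(1, 1u << 1);     /* partition 1 likewise */
    obj_t o = { .owner = 0, .value = 42 };
    int v = 0, ok = 0;
    enter_partition(0); ok += read_obj(&o, &v) && v == 42;
    enter_partition(1); ok += !read_obj(&o, &v);
    enter_partition(0); ok += call_partition(1, &o, read_obj, &v) && v == 42 && o.owner == 0;
    return ok;
}
```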
