Secure virtual architecture: a safe execution environment for commodity operating systems

This paper describes an efficient and robust approach to provide a safe execution environment for an entire operating system, such as Linux, and all its applications. The approach, which we call Secure Virtual Architecture (SVA), defines a virtual, low-level, typed instruction set suitable for executing all code on a system, including kernel and application code. SVA code is translated for execution by a virtual machine transparently, offline or online. SVA aims to enforce fine-grained (object level) memory safety, control-flow integrity, type safety for a subset of objects, and sound analysis. A virtual machine implementing SVA achieves these goals by using a novel approach that exploits properties of existing memory pools in the kernel and by preserving the kernel's explicit control over memory, including custom allocators and explicit deallocation. Furthermore, the safety properties can be encoded compactly as extensions to the SVA type system, allowing the (complex) safety checking compiler to be outside the trusted computing base. SVA also defines a set of OS interface operations that abstract all privileged hardware instructions, allowing the virtual machine to monitor all privileged operations and control the physical resources on a given hardware platform. We have ported the Linux kernel to SVA, treating it as a new architecture, and made only minimal code changes (less than 300 lines of code) to the machine-independent parts of the kernel and device drivers. SVA is able to prevent 4 out of 5 memory safety exploits previously reported for the Linux 2.4.22 kernel for which exploit code is available, and would prevent the fifth one simply by compiling an additional kernel library.

[1]  Vikram S. Adve,et al.  Automatic pool allocation: improving performance by controlling data structure layout in the heap , 2005, PLDI '05.

[2]  David C. Sehr,et al.  On the importance of points-to analysis and other memory disambiguation methods for C programs , 2001, PLDI '01.

[3]  Úlfar Erlingsson,et al.  The Inlined Reference Monitor Approach to Security Policy Enforcement , 2004 .

[4]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[5]  Dinakar Dhurjati,et al.  Memory safety without garbage collection for embedded applications , 2005, TECS.

[6]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[7]  Margo I. Seltzer,et al.  Dealing with disaster: surviving misbehaved kernel extensions , 1996, OSDI '96.

[8]  Bjarne Steensgaard,et al.  Points-to analysis in almost linear time , 1996, POPL '96.

[9]  Aaron B. Brown,et al.  A Decompositional Approach to Computer System Performance Evaluation , 1997 .

[10]  James R. Larus,et al.  Language support for fast and reliable message-based communication in singularity OS , 2006, EuroSys.

[11]  David Walker,et al.  A type system for expressive security policies , 2000, POPL '00.

[12]  Vikram S. Adve,et al.  Making context-sensitive points-to analysis with heap cloning practical for the real world , 2007, PLDI '07.

[13]  Vikram S. Adve,et al.  A Virtual Instruction Set Interface for Operating System Kernels , 2022 .

[14]  Dinakar Dhurjati,et al.  Enforcing Alias Analysis for Weakly Typed Languages , 2005 .

[15]  Deyu Hu,et al.  Implementing Multiple Protection Domains in Java , 1998, USENIX Annual Technical Conference.

[16]  Martín Abadi,et al.  XFI: software guards for system address spaces , 2006, OSDI '06.

[17]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[18]  Dinakar Dhurjati,et al.  SAFECode: enforcing alias analysis for weakly typed languages , 2005, PLDI '06.

[19]  Tom Saulpaugh,et al.  Inside the JavaOS operating system , 1999 .

[20]  George C. Necula,et al.  The design and implementation of a certifying compiler , 1998, PLDI.

[21]  Brian N. Bershad,et al.  Improving the reliability of commodity operating systems , 2005, TOCS.

[22]  James R. Larus,et al.  Singularity Design Motivation , 2004 .

[23]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy software , 2005, TOPL.

[24]  Andrew Warfield,et al.  Xen and the art of virtualization , 2003, SOSP '03.

[25]  George C. Necula,et al.  SafeDrive: safe and recoverable extensions using language-based techniques , 2006, OSDI '06.

[26]  Jay Lepreau,et al.  The Flux OSKit: a substrate for kernel and language research , 1997, SOSP.

[27]  Vikram S. Adve,et al.  LLVA: a low-level virtual instruction set architecture , 2003, Proceedings. 36th Annual IEEE/ACM International Symposium on Microarchitecture, 2003. MICRO-36..

[28]  Michael Golm,et al.  The JX Operating System , 2002, USENIX Annual Technical Conference, General Track.

[29]  Wilson C. Hsieh,et al.  The KaffeOS Java runtime system , 2005, TOPL.

[30]  Herbert Bos,et al.  Safe kernel programming in the OKE , 2002, 2002 IEEE Open Architectures and Network Programming Proceedings. OPENARCH 2002 (Cat. No.02EX571).

[31]  Robert K. Cunningham,et al.  A taxonomy of computer worms , 2003, WORM '03.

[32]  Vikram S. Adve,et al.  LLVA: A Low-level Virtual Instruction Set Architecture , 2003, MICRO.

[33]  Steven McCanne,et al.  The BSD Packet Filter: A New Architecture for User-level Packet Capture , 1993, USENIX Winter.

[34]  Dinakar Dhurjati,et al.  Backwards-compatible array bounds checking for C with very low overhead , 2006, ICSE.

[35]  Dawson R. Engler,et al.  Bugs as deviant behavior: a general approach to inferring errors in systems code , 2001, SOSP.

[36]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[37]  Andrew C. Myers,et al.  Language-based information-flow security , 2003, IEEE J. Sel. Areas Commun..

[38]  Todd M. Austin,et al.  Efficient detection of all pointer and array access errors , 1994, PLDI '94.

[39]  James Cheney,et al.  Region-based memory management in cyclone , 2002, PLDI '02.

[40]  Thorsten von Eicken,et al.  JRes: a resource accounting interface for Java , 1998, OOPSLA '98.

[41]  Mark P. Jones,et al.  A principled approach to operating system construction in Haskell , 2005, ICFP '05.

[42]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[43]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[44]  Brian N. Bershad,et al.  Recovering device drivers , 2004, TOCS.