BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS

Yinggang Guo, Zicheng Wang, Weiheng Bai, Qingkai Zeng, Kangjie Lu
{"title":"BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS","authors":"Yinggang Guo, Zicheng Wang, Weiheng Bai, Qingkai Zeng, Kangjie Lu","doi":"arxiv-2409.09606","DOIUrl":null,"url":null,"abstract":"The endless stream of vulnerabilities urgently calls for principled\nmitigation to confine the effect of exploitation. However, the monolithic\narchitecture of commodity OS kernels, like the Linux kernel, allows an attacker\nto compromise the entire system by exploiting a vulnerability in any kernel\ncomponent. Kernel compartmentalization is a promising approach that follows the\nleast-privilege principle. However, existing mechanisms struggle with the\ntrade-off on security, scalability, and performance, given the challenges\nstemming from mutual untrustworthiness among numerous and complex components. In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel\ncompartmentalization technique that offers bi-directional isolation for\nunlimited compartments. It leverages Intel's new hardware feature PKS to\nisolate data and code into mutually untrusted compartments and benefits from\nits fast compartment switching. With untrust in mind, BULKHEAD introduces a\nlightweight in-kernel monitor that enforces multiple important security\ninvariants, including data integrity, execute-only memory, and compartment\ninterface integrity. In addition, it provides a locality-aware two-level scheme\nthat scales to unlimited compartments. We implement a prototype system on Linux\nv6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation\nconfirms the effectiveness of our approach. As the system-wide impacts,\nBULKHEAD incurs an average performance overhead of 2.44% for real-world\napplications with 160 compartmentalized LKMs. While focusing on a specific\ncompartment, ApacheBench tests on ipv6 show an overhead of less than 2%.\nMoreover, the performance is almost unaffected by the number of compartments,\nwhich makes it highly scalable.","PeriodicalId":501333,"journal":{"name":"arXiv - CS - Operating Systems","volume":"46 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-09-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Operating Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.09606","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

The endless stream of vulnerabilities urgently calls for principled mitigation to confine the effect of exploitation. However, the monolithic architecture of commodity OS kernels, like the Linux kernel, allows an attacker to compromise the entire system by exploiting a vulnerability in any kernel component. Kernel compartmentalization is a promising approach that follows the least-privilege principle. However, existing mechanisms struggle with the trade-off on security, scalability, and performance, given the challenges stemming from mutual untrustworthiness among numerous and complex components. In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique that offers bi-directional isolation for unlimited compartments. It leverages Intel's new hardware feature PKS to isolate data and code into mutually untrusted compartments and benefits from its fast compartment switching. With untrust in mind, BULKHEAD introduces a lightweight in-kernel monitor that enforces multiple important security invariants, including data integrity, execute-only memory, and compartment interface integrity. In addition, it provides a locality-aware two-level scheme that scales to unlimited compartments. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation confirms the effectiveness of our approach. As the system-wide impacts, BULKHEAD incurs an average performance overhead of 2.44% for real-world applications with 160 compartmentalized LKMs. While focusing on a specific compartment, ApacheBench tests on ipv6 show an overhead of less than 2%. Moreover, the performance is almost unaffected by the number of compartments, which makes it highly scalable.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
BULKHEAD:利用 PKS 实现安全、可扩展和高效的内核分隔
层出不穷的漏洞迫切需要有原则的缓解措施来限制漏洞利用的效果。然而,商品操作系统内核(如 Linux 内核)的单体架构允许攻击者利用任何内核组件中的漏洞入侵整个系统。内核分隔是一种很有前途的方法,它遵循权限最小原则。然而,现有的机制在安全性、可扩展性和性能之间难以取舍,因为众多复杂的组件之间存在互不信任的问题。在本文中,我们介绍了一种安全、可扩展和高效的内核分区技术--BULKHEAD,它可为无限分区提供双向隔离。它利用英特尔的新硬件功能 PKS 将数据和代码隔离到互不信任的分区中,并受益于其快速的分区切换。考虑到不信任因素,BULKHEAD 引入了轻量级内核监控器,可执行多个重要的安全变量,包括数据完整性、只执行内存和隔间接口完整性。此外,它还提供了一种本地感知的两级方案,可扩展到无限的隔间。我们在 Linuxv6.1 上实现了一个原型系统,用于分割可加载内核模块(LKM)。广泛的评估证实了我们方法的有效性。作为对整个系统的影响,BULKHEAD 在实际应用中使用 160 个分隔的 LKM 时,平均性能开销为 2.44%。此外,性能几乎不受分区数量的影响,因此具有很强的可扩展性。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Analysis of Synchronization Mechanisms in Operating Systems Skip TLB flushes for reused pages within mmap's eBPF-mm: Userspace-guided memory management in Linux with eBPF BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS Rethinking Programmed I/O for Fast Devices, Cheap Cores, and Coherent Interconnects
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1