TY - GEN
T1 - Nested kernel
T2 - 20th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2015
AU - Dautenhahn, Nathan
AU - Kasampalis, Theodoros
AU - Dietz, Will
AU - Criswell, John
AU - Adve, Vikram
PY - 2015/3/14
Y1 - 2015/3/14
N2 - Monolithic operating system designs undermine the security of computing systems by allowing single exploits anywhere in the kernel to enjoy full supervisor privilege. The nested kernel operating system architecture addresses this problem by "nesting" a small isolated kernel within a traditional monolithic kernel. The "nested kernel" interposes on all updates to virtual memory translations to assert protections on physical memory, thus significantly reducing the trusted computing base for memory access control enforcement. We incorporated the nested kernel architecture into FreeBSD on x86-64 hardware while allowing the entire operating system, including untrusted components, to operate at the highest hardware privilege level by write-protecting MMU translations and de-privileging the untrusted part of the kernel. Our implementation inherently enforces kernel code integrity while still allowing dynamically loaded kernel modules, thus defending against code injection attacks. We also demonstrate that the nested kernel architecture allows kernel developers to isolate memory in ways not possible in monolithic kernels by introducing write-mediation and write-logging services to protect critical system data structures. Performance of the nested kernel prototype shows modest overheads: < 1% average for Apache and 2.7% for kernel compile. Overall, our results and experience show that the nested kernel design can be retrofitted to existing monolithic kernels, providing important security benefits.
AB - Monolithic operating system designs undermine the security of computing systems by allowing single exploits anywhere in the kernel to enjoy full supervisor privilege. The nested kernel operating system architecture addresses this problem by "nesting" a small isolated kernel within a traditional monolithic kernel. The "nested kernel" interposes on all updates to virtual memory translations to assert protections on physical memory, thus significantly reducing the trusted computing base for memory access control enforcement. We incorporated the nested kernel architecture into FreeBSD on x86-64 hardware while allowing the entire operating system, including untrusted components, to operate at the highest hardware privilege level by write-protecting MMU translations and de-privileging the untrusted part of the kernel. Our implementation inherently enforces kernel code integrity while still allowing dynamically loaded kernel modules, thus defending against code injection attacks. We also demonstrate that the nested kernel architecture allows kernel developers to isolate memory in ways not possible in monolithic kernels by introducing write-mediation and write-logging services to protect critical system data structures. Performance of the nested kernel prototype shows modest overheads: < 1% average for Apache and 2.7% for kernel compile. Overall, our results and experience show that the nested kernel design can be retrofitted to existing monolithic kernels, providing important security benefits.
KW - Intra-kernel isolation
KW - Malicious operating systems
KW - Operating system architecture
KW - Virtual memory
UR - http://www.scopus.com/inward/record.url?scp=84939168956&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84939168956&partnerID=8YFLogxK
U2 - 10.1145/2694344.2694386
DO - 10.1145/2694344.2694386
M3 - Conference contribution
AN - SCOPUS:84939168956
T3 - International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS
SP - 191
EP - 206
BT - ASPLOS 2015 - 20th International Conference on Architectural Support for Programming Languages and Operating Systems
PB - Association for Computing Machinery
Y2 - 14 March 2015 through 18 March 2015
ER -