DOI: 10.1145/1629575.1629581

Fast byte-granularity software fault isolation

Published: 11 October 2009

Abstract

Bugs in kernel extensions remain one of the main causes of poor operating system reliability despite proposed techniques that isolate extensions in separate protection domains to contain faults. We believe that previous fault isolation techniques are not widely used because they cannot isolate existing kernel extensions with low overhead on standard hardware. This is a hard problem because these extensions communicate with the kernel using a complex interface and they communicate frequently. We present BGI (Byte-Granularity Isolation), a new software fault isolation technique that addresses this problem. BGI uses efficient byte-granularity memory protection to isolate kernel extensions in separate protection domains that share the same address space. BGI ensures type safety for kernel objects and it can detect common types of errors inside domains. Our results show that BGI is practical: it can isolate Windows drivers without requiring changes to the source code and it introduces a CPU overhead between 0 and 16%. BGI can also find bugs during driver testing. We found 28 new bugs in widely used Windows drivers.



Published In

SOSP '09: Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
October 2009
346 pages
ISBN:9781605587523
DOI:10.1145/1629575
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. device drivers
  2. isolation

Qualifiers

  • Research-article

Conference

SOSP '09

Acceptance Rates

Overall Acceptance Rate 174 of 961 submissions, 18%

Cited By

  • (2024) SafeBPF: Hardware-assisted Defense-in-depth for eBPF Kernel Extensions. Proceedings of the 2024 on Cloud Computing Security Workshop, pp. 80-94. DOI: 10.1145/3689938.3694781. Online publication date: 19-Nov-2024.
  • (2024) Lightweight Fault Isolation: Practical, Efficient, and Secure Software Sandboxing. Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, pp. 649-665. DOI: 10.1145/3620665.3640408. Online publication date: 27-Apr-2024.
  • (2023) CARAT KOP: Towards Protecting the Core HPC Kernel from Linux Kernel Modules. Proceedings of the SC '23 Workshops of The International Conference on High Performance Computing, Network, Storage, and Analysis, pp. 1596-1605. DOI: 10.1145/3624062.3624237. Online publication date: 12-Nov-2023.
  • (2023) Unleashing Unprivileged eBPF Potential with Dynamic Sandboxing. Proceedings of the 1st Workshop on eBPF and Kernel Extensions, pp. 42-48. DOI: 10.1145/3609021.3609301. Online publication date: 10-Sep-2023.
  • (2023) Evolving Operating System Kernels Towards Secure Kernel-Driver Interfaces. Proceedings of the 19th Workshop on Hot Topics in Operating Systems, pp. 166-173. DOI: 10.1145/3593856.3595914. Online publication date: 22-Jun-2023.
  • (2023) Sfitag: Efficient Software Fault Isolation with Memory Tagging for ARM Kernel Extensions. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 469-480. DOI: 10.1145/3579856.3590341. Online publication date: 10-Jul-2023.
  • (2023) Hacksaw: Hardware-Centric Kernel Debloating via Device Inventory and Dependency Analysis. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 1994-2008. DOI: 10.1145/3576915.3623208. Online publication date: 15-Nov-2023.
  • (2023) Friend or Foe Inside? Exploring In-Process Isolation to Maintain Memory Safety for Unsafe Rust. 2023 IEEE Secure Development Conference (SecDev), pp. 54-66. DOI: 10.1109/SecDev56634.2023.00020. Online publication date: 18-Oct-2023.
  • (2023) μSwitch: Fast Kernel Context Isolation with Implicit Context Switches. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2956-2973. DOI: 10.1109/SP46215.2023.10179284. Online publication date: May-2023.
  • (2023) Rewind & Discard: Improving Software Resilience using Isolated Domains. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 402-416. DOI: 10.1109/DSN58367.2023.00046. Online publication date: Jun-2023.