
DOI: 10.1145/2818302.2818307

Lightweight capability domains: towards decomposing the Linux kernel

Published: 04 October 2015

Abstract

Despite a number of radical changes in how computer systems are used, the design principles behind the very core of the systems stack---an operating system kernel---have remained unchanged for decades. We run monolithic kernels developed with a combination of an unsafe programming language, global sharing of data structures, opaque interfaces, and no explicit knowledge of kernel protocols. Today, the monolithic architecture of a kernel is the main factor undermining its security and, even worse, limiting its evolution towards a safer, more secure environment. Lack of isolation across kernel subsystems allows attackers to take control over the entire machine with a single kernel vulnerability. Furthermore, complex, semantically rich monolithic code with globally shared data structures and no explicit interfaces is not amenable to formal analysis and verification tools. Even after decades of work to make monolithic kernels more secure, over a hundred serious kernel vulnerabilities are still reported every year.
Modern kernels need decomposition as a practical means of confining the effects of individual attacks. Historically, decomposed kernels were prohibitively slow. Today, the complexity of a modern kernel prevents a trivial decomposition effort. We argue, however, that despite all odds modern kernels can be decomposed. Careful choice of communication abstractions and execution model, a general approach to decomposition, a path for incremental adoption, and automation through proper language tools can address the complexity of decomposition and the performance overheads of decomposed kernels. Our work on lightweight capability domains (LCDs) develops principles, mechanisms, and tools that enable incremental, practical decomposition of a modern operating system kernel.



Information & Contributors

Information

Published In

PLOS '15: Proceedings of the 8th Workshop on Programming Languages and Operating Systems
October 2015
50 pages
ISBN: 9781450339421
DOI: 10.1145/2818302
Program Chair: Shan Lu
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Linux
  2. decomposition
  3. microkernels

Qualifiers

  • Research-article

Conference

SOSP '15
Acceptance Rates

PLOS '15 Paper Acceptance Rate 7 of 16 submissions, 44%;
Overall Acceptance Rate 17 of 32 submissions, 53%
