Attack surface reduction for commodity OS kernels: trimmed garden plants may attract less bugs

Anil Kurmus, A. Sorniotti, R. Kapitza
DOI: 10.1145/1972551.1972557 (https://doi.org/10.1145/1972551.1972557)
Venue: European Workshop on System Security, published 2011-04-10
Citations: 41

Abstract

Kernel vulnerabilities are a major current practical security problem, as attested by the weaknesses and flaws found in many commodity operating system kernels in recent years. Ever-growing code size in those projects, due to the addition of new features and the reluctance to remove legacy support, indicates that this problem will remain a severe system security threat in the foreseeable future. Reactive measures such as bug fixes via code reviews and testing, while effective, can only alleviate the issue. Furthermore, common practices in system hardening often focus on complex and sometimes hard to achieve goals that require extensive manual intervention such as security policies for sandboxing. In this paper, we explore an alternative, automated and effective way of reducing the attack surface in commodity operating system kernels, which we call trimming. Trimming is a two-fold process: an initial analysis of a given system for unused kernel code sections is followed by an enforcement phase, in which the unused sections are removed or prevented from being executed. We discuss the requirements that should be reflected in the design of a trimming infrastructure, and present a lightweight and flexible implementation example for the Linux kernel by using dynamic binary instrumentation as provided by kprobes. Our evaluations show we can, in the case of a web server, reduce the attack surface of the kernel (in terms of the number of kernel functions accessible from unprivileged users) by about 88%.
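The analysis phase of trimming, as an added example that is not the paper's code: a user-space C program that takes a /proc/kallsyms-style symbol listing and an ftrace function-tracer log of the workload (both constructed and embedded below, with illustrative symbol names), marks every text symbol the workload reached, and emits one kprobe definition per unreached function in the "p:GROUP/EVENT SYMBOL" syntax that tracefs kprobe_events accepts. The abstract does not say how the paper collects the set of executed functions, so using the function tracer for that is an assumption. A kprobe_events probe only records hits; the enforcement phase the paper describes, which prevents the unused code from executing, needs a kprobe pre-handler in a kernel module and is not shown here.

```c
/* Added example, not the paper's code: the trimming analysis phase, offline in user space. */
#include <stdio.h>
#include <string.h>

#define MAX_SYMS 64
#define NAME_LEN 64

struct symtab {
    char name[MAX_SYMS][NAME_LEN];
    int  used[MAX_SYMS];
    int  n;
};

/* Constructed /proc/kallsyms-style excerpt; only 't'/'T' entries are code. Names are illustrative. */
static const char *KALLSYMS =
    "ffffffff81020a30 T sys_read\n"
    "ffffffff81020b10 T sys_write\n"
    "ffffffff81021000 T sys_open\n"
    "ffffffff81022340 T sys_mount\n"
    "ffffffff81023000 T sys_ptrace\n"
    "ffffffff81024000 t do_mremap\n"
    "ffffffff81030000 D jiffies\n"
    "ffffffff81040000 T sys_socketcall\n";

/* Constructed ftrace function-tracer log of a web server; sys_read repeats, vfs_read is not listed above. */
static const char *TRACE =
    "# tracer: function\n"
    "  nginx-1234  [000] ....   123.456: sys_socketcall <-do_syscall_64\n"
    "  nginx-1234  [000] ....   123.457: sys_open <-do_syscall_64\n"
    "  nginx-1234  [000] ....   123.458: sys_read <-do_syscall_64\n"
    "  nginx-1234  [000] ....   123.459: vfs_read <-sys_read\n"
    "  nginx-1235  [001] ....   123.460: sys_write <-do_syscall_64\n"
    "  nginx-1235  [001] ....   123.461: sys_read <-do_syscall_64\n";

/* Copy the line at *p into buf and advance past it; returns 0 at end of text. */
static int next_line(const char **p, char *buf, size_t cap)
{
    size_t len = strcspn(*p, "\n"), keep = len < cap ? len : cap - 1;
    if (!**p)
        return 0;
    memcpy(buf, *p, keep);
    buf[keep] = '\0';
    *p += len + ((*p)[len] == '\n');
    return 1;
}

/* Load every text symbol from the listing (data symbols are skipped); returns how many. */
int load_kallsyms(struct symtab *t, const char *listing)
{
    char line[256], name[NAME_LEN], type;
    t->n = 0;
    while (next_line(&listing, line, sizeof line))
        if (sscanf(line, "%*s %c %63s", &type, name) == 2 &&
            (type == 't' || type == 'T') && t->n < MAX_SYMS) {
            strcpy(t->name[t->n], name);
            t->used[t->n++] = 0;
        }
    return t->n;
}

/* Mark each traced function as used; returns distinct symbols newly marked (repeats, unknown names: 0). */
int mark_used(struct symtab *t, const char *trace)
{
    char line[256], name[NAME_LEN];
    const char *sep;
    int newly = 0;
    while (next_line(&trace, line, sizeof line)) {
        /* skip header lines and lines with nothing after the timestamp */
        if (line[0] == '#' || !(sep = strstr(line, ": ")) || sscanf(sep + 2, "%63s", name) != 1)
            continue;
        for (int i = 0; i < t->n; i++)
            if (!t->used[i] && strcmp(t->name[i], name) == 0)
                newly += (t->used[i] = 1);
    }
    return newly;
}

/* One tracefs kprobe_events line per unreached function (out == NULL: count only); returns the count. */
int emit_trim_list(const struct symtab *t, FILE *out)
{
    int c = 0;
    for (int i = 0; i < t->n; i++)
        if (!t->used[i]) {
            c++;
            if (out)
                fprintf(out, "p:trim/%s %s\n", t->name[i], t->name[i]);
        }
    return c;
}

int main(void)
{
    struct symtab t;
    load_kallsyms(&t, KALLSYMS);
    mark_used(&t, TRACE);
    printf("%d of %d text symbols unreached by the workload\n", emit_trim_list(&t, NULL), t.n);
    return emit_trim_list(&t, stdout) ? 0 : 1;
}
```

On a real system the inputs would be the actual /proc/kallsyms and a function trace recorded over a representative run of the workload. Two caveats matter in practice. First, the trim list is only as good as the training run: any function the workload needs but the trace never observed (an error path, a rarely used ioctl) is trimmed too, and the enforcement phase then turns a missed code path into a denial of service, so the profiling run has to cover the workload's full behaviour. Second, the ratio this program prints uses all text symbols as the denominator, whereas the paper's 88% counts only kernel functions reachable by unprivileged users, so the two figures are not directly comparable.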