Ianus: secure and holistic coexistence with kernel extensions - an immune system-inspired approach

Daniela Oliveira, Jesús Navarro, Nicholas Wetzel, M. Bucci
DOI: 10.1145/2554850.2554923 (https://doi.org/10.1145/2554850.2554923)
Published in: Proceedings of the 29th Annual ACM Symposium on Applied Computing, 2014-03-24
Citations: 10

Abstract

Kernel extensions, especially device drivers, make up a large fraction of modern OS kernels (approximately 70% of Linux). Most extensions are benign and are a convenient way to extend kernel functionality and let a system communicate with a growing number of I/O devices. A small fraction of them are malicious and, because they run in kernel space, threaten kernel integrity. From a security viewpoint the situation is paradoxical: modern OSes depend on, and must coexist with, extensions that are needed but untrustworthy. Our immune system faces the same challenge: our body hosts a large number of bacteria, most of which are benign and carry out functions critical to our physiology. A small fraction of them, however, threaten the body because they can cause pathologies. The immune system maintains a homeostatic relationship with its microbiota by minimizing contact between bacteria and cell surfaces and confining bacteria to certain sites. Challenging the current trend of relying only on a hypervisor to defend the kernel (on the grounds that the kernel is too vulnerable to defend itself), this paper argues that modern OSes, like our immune system, should play an active role in keeping their interactions with extensions healthy and safe. The work presents Ianus, a proof-of-concept prototype of this paradigm built on Linux and the Bochs x86 emulator, which successfully minimized the interactions of kernel extensions with the original kernel. Its security was evaluated with real rootkits and benign modules. Ianus' performance was analyzed with system and CPU benchmarks; it imposed a small overhead on the system (approximately 12%).
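The confinement idea in the abstract, minimizing an extension's contact with the core kernel, as an added illustration: the code below is example code written for this page, not Ianus' own implementation, and it says nothing about how the prototype actually works. It simulates a kernel dispatch table (the kind of structure classic rootkits hook) whose entries must keep pointing into core-kernel text. The address ranges, the table layout and the `writer_pc` parameter are constructed assumptions. An unconfined, rootkit-style hook is caught by two integrity checks (range invariant and baseline comparison); a confined write path refuses the same change when the request originates from extension code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed address ranges for the simulation; they are NOT a real kernel map. */
#define CORE_TEXT_START  0xffffffff81000000ULL
#define CORE_TEXT_END    0xffffffff81a00000ULL
#define EXT_REGION_START 0xffffffffa0000000ULL
#define EXT_REGION_END   0xffffffffa0100000ULL

#define NR_ENTRIES 4

typedef uint64_t kaddr_t;

struct dispatch_table {
    kaddr_t entry[NR_ENTRIES];
};

/* Snapshot taken while the table is still trusted (before any extension loads). */
static struct dispatch_table baseline;

static int in_core_text(kaddr_t a)
{
    return a >= CORE_TEXT_START && a < CORE_TEXT_END;
}

/* Populate the table with core-kernel handlers and record the baseline. */
void table_init(struct dispatch_table *t)
{
    for (size_t i = 0; i < NR_ENTRIES; i++)
        t->entry[i] = CORE_TEXT_START + 0x1000 * (i + 1);
    baseline = *t;
}

/* Unconfined extension behaviour: a rootkit-style module overwrites an entry
 * so that the dispatcher jumps into the extension's own code. */
void unconfined_hook(struct dispatch_table *t, size_t idx, kaddr_t handler)
{
    t->entry[idx] = handler;
}

/* Invariant check: every entry must still point into core-kernel text.
 * Returns how many entries violate it. */
int count_entries_outside_core(const struct dispatch_table *t)
{
    int bad = 0;
    for (size_t i = 0; i < NR_ENTRIES; i++)
        if (!in_core_text(t->entry[i]))
            bad++;
    return bad;
}

/* Baseline comparison: index of the first entry that differs from the
 * trusted snapshot, or -1 when the table is intact. */
int first_modified_entry(const struct dispatch_table *t)
{
    for (size_t i = 0; i < NR_ENTRIES; i++)
        if (t->entry[i] != baseline.entry[i])
            return (int)i;
    return -1;
}

/* Confined write path: the table is only updated when the caller runs in
 * core text and the new handler also lives in core text. writer_pc stands
 * for the caller's return address (a hypothetical parameter in this model).
 * Returns 0 on success, -1 when the write is refused. */
int confined_table_write(struct dispatch_table *t, size_t idx,
                         kaddr_t new_handler, kaddr_t writer_pc)
{
    if (idx >= NR_ENTRIES)
        return -1;
    if (!in_core_text(writer_pc))
        return -1;   /* extensions may not touch the table at all */
    if (!in_core_text(new_handler))
        return -1;   /* the table may only dispatch into core code */
    t->entry[idx] = new_handler;
    baseline.entry[idx] = new_handler;  /* a legitimate change becomes the new baseline */
    return 0;
}

int main(void)
{
    struct dispatch_table t;
    table_init(&t);

    /* Unconfined extension hooks entry 2: both checks flag it. */
    unconfined_hook(&t, 2, EXT_REGION_START + 0x200);
    printf("entries outside core text: %d\n", count_entries_outside_core(&t));
    printf("first modified entry:      %d\n", first_modified_entry(&t));

    /* Confined path: the same attempt from extension code is refused. */
    table_init(&t);
    int rc = confined_table_write(&t, 2, EXT_REGION_START + 0x200,
                                  EXT_REGION_START + 0x40);
    printf("confined write from extension: rc=%d, outside core: %d\n",
           rc, count_entries_outside_core(&t));
    return 0;
}
```

The two checks are complementary: the range invariant catches any redirection into extension memory without needing prior state, while the baseline comparison also catches a hook that points into a different core-kernel function. The confined write path shows the other half of the "minimize contact" idea: instead of only detecting a hook after the fact, the core kernel refuses to let extension code modify the structure in the first place.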