BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS

Yinggang Guo, Zicheng Wang, Weiheng Bai, Qingkai Zeng, Kangjie Lu
arXiv - CS - Operating Systems, published 2024-09-15 (identifier: arxiv-2409.09606).
Citation count: 0

Abstract

The endless stream of vulnerabilities urgently calls for principled mitigation that confines the effect of exploitation. However, the monolithic architecture of commodity OS kernels, such as the Linux kernel, allows an attacker to compromise the entire system by exploiting a vulnerability in any single kernel component. Kernel compartmentalization is a promising approach that follows the least-privilege principle. However, existing mechanisms struggle with the trade-off among security, scalability, and performance, given the challenges stemming from mutual untrustworthiness among numerous and complex components. In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique that offers bi-directional isolation for an unlimited number of compartments. It leverages Intel's new hardware feature PKS to isolate data and code into mutually untrusted compartments and benefits from its fast compartment switching. Designed with mutual distrust in mind, BULKHEAD introduces a lightweight in-kernel monitor that enforces multiple important security invariants, including data integrity, execute-only memory, and compartment interface integrity. In addition, it provides a locality-aware two-level scheme that scales to unlimited compartments. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation confirms the effectiveness of our approach. In terms of system-wide impact, BULKHEAD incurs an average performance overhead of 2.44% for real-world applications with 160 compartmentalized LKMs. Focusing on a specific compartment, ApacheBench tests on ipv6 show an overhead of less than 2%. Moreover, performance is almost unaffected by the number of compartments, which makes the approach highly scalable.