Soo Yee Lim, Sidhartha Agrawal, Xueyuan Han, David Eyers, Dan O'Keeffe, Thomas Pasquier
{"title":"利用分隔确保单片内核安全","authors":"Soo Yee Lim, Sidhartha Agrawal, Xueyuan Han, David Eyers, Dan O'Keeffe, Thomas Pasquier","doi":"arxiv-2404.08716","DOIUrl":null,"url":null,"abstract":"Monolithic operating systems, where all kernel functionality resides in a\nsingle, shared address space, are the foundation of most mainstream computer\nsystems. However, a single flaw, even in a non-essential part of the kernel\n(e.g., device drivers), can cause the entire operating system to fall under an\nattacker's control. Kernel hardening techniques might prevent certain types of\nvulnerabilities, but they fail to address a fundamental weakness: the lack of\nintra-kernel security that safely isolates different parts of the kernel. We\nsurvey kernel compartmentalization techniques that define and enforce\nintra-kernel boundaries and propose a taxonomy that allows the community to\ncompare and discuss future work. We also identify factors that complicate\ncomparisons among compartmentalized systems, suggest new ways to compare future\napproaches with existing work meaningfully, and discuss emerging research\ndirections.","PeriodicalId":501333,"journal":{"name":"arXiv - CS - Operating Systems","volume":"298 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-04-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Securing Monolithic Kernels using Compartmentalization\",\"authors\":\"Soo Yee Lim, Sidhartha Agrawal, Xueyuan Han, David Eyers, Dan O'Keeffe, Thomas Pasquier\",\"doi\":\"arxiv-2404.08716\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Monolithic operating systems, where all kernel functionality resides in a\\nsingle, shared address space, are the foundation of most mainstream computer\\nsystems. However, a single flaw, even in a non-essential part of the kernel\\n(e.g., device drivers), can cause the entire operating system to fall under an\\nattacker's control. Kernel hardening techniques might prevent certain types of\\nvulnerabilities, but they fail to address a fundamental weakness: the lack of\\nintra-kernel security that safely isolates different parts of the kernel. We\\nsurvey kernel compartmentalization techniques that define and enforce\\nintra-kernel boundaries and propose a taxonomy that allows the community to\\ncompare and discuss future work. We also identify factors that complicate\\ncomparisons among compartmentalized systems, suggest new ways to compare future\\napproaches with existing work meaningfully, and discuss emerging research\\ndirections.\",\"PeriodicalId\":501333,\"journal\":{\"name\":\"arXiv - CS - Operating Systems\",\"volume\":\"298 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-04-12\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Operating Systems\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2404.08716\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Operating Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2404.08716","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Securing Monolithic Kernels using Compartmentalization
Monolithic operating systems, where all kernel functionality resides in a
single, shared address space, are the foundation of most mainstream computer
systems. However, a single flaw, even in a non-essential part of the kernel
(e.g., device drivers), can cause the entire operating system to fall under an
attacker's control. Kernel hardening techniques might prevent certain types of
vulnerabilities, but they fail to address a fundamental weakness: the lack of
intra-kernel security that safely isolates different parts of the kernel. We
survey kernel compartmentalization techniques that define and enforce
intra-kernel boundaries and propose a taxonomy that allows the community to
compare and discuss future work. We also identify factors that complicate
comparisons among compartmentalized systems, suggest new ways to compare future
approaches with existing work meaningfully, and discuss emerging research
directions.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
