Transcript

The Nested Kernel Architecture

Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation

Key Takeaways

Monolithic Operating System

Outer Kernel

  • Intra-kernel memory protection services

Nested Kernel

MMU

Virtualize Supervisor Mode

Write Protection Service

Nested Kernel and Microkernel Address Similar Problems but...

Nested Kernel

Microkernel

Privilege Separation

Hardware privilege boundary

Virtualize supervisor mode

MMU Isolation and Write-Protection Services

Threads, Address Spaces, and Message Passing

Services

Monolithic Applicability

Reliability

Simple malware is extremely powerful:

Confidentiality or Integrity Violation

Code Injection

  operation;
  audit_read();   /* patched to a NOOP by the attacker */
  return;

Violates the integrity of audit recording

System Call Hooking

Problem: A complete lack of memory isolation

Drivers

1) What's the problem?

Monolithic Operating System Architecture

File System

CPU Virtualization

Networking

Virtual Memory

Observation: if we can restrict access to the page tables, we can enable memory isolation

Page Tables in Typical Systems

Memory

CPU

Enforcement Bits

  • Single Privilege Level
  • Efficient Privilege Switch
  • Apply to Monolithic OS
  • No Control Flow Integrity

Virtualizing the MMU with the Nested Kernel

Threat Model

  • Outer Kernel Under Complete Control of Attacker
  • Source Code
  • Execution State
  • No Control Flow Integrity
  • Nested Kernel source is trusted

2) Nested Kernel Approach

Enforcing Privilege Separation on x86-64

Nested Kernel Property

Code Deprivilege

The nested kernel interposes on all modifications of the MMU

CPU: Base PTR -> CR3

Nested Kernel key assumption: can enforce read-only on supervisor code

CPU: CR0 write-protect enable flag

Code Verification

Initialize read-only

Virtual Privilege Switch

Exit Gate

1. Switch to outer kernel stack

2. Enable write-protection enforcement

3. Enable interrupts

Outer Kernel

Outer Kernel Execution Integrity

Nested Kernel

  • Guaranteed Mediation

nk_update_pte(mapping, pte)

  • Return Integrity
  • Special Operating Modes

  nk_update_pte(mapping, pte) {
      /* if the new PTE would map a page-table page, force it read-only */
      if (update_pts_to_ptp(mapping, pte)) {
          set_read_only();
      }
      do_update();   /* install the (possibly downgraded) PTE */
  }

Virtual Privilege Switch

Entry Gate

1. Disable interrupts

2. Disable write-protection enforcement

3. Switch to nested kernel stack

The nested kernel isolates the MMU and provides lifetime kernel code integrity
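The entry gate, write-protection service and nk_update_pte policy above, as an added user-space model in C (not PerspicuOS code): CR0.WP is modelled by a flag, page-table pages by a constructed `is_ptp` table, and the helper names `pt_store`, `enforce_ptp_policy` and `outer_kernel_direct_write` are hypothetical. Stack switching and interrupt masking are omitted.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: 8 physical frames; frames 0 and 1 hold page tables (PTPs). */
#define NFRAMES 8
#define NPTES   8
#define PTE_PRESENT 0x1u
#define PTE_WRITE   0x2u
#define PTE_FRAME(p) ((p) >> 12)
#define MK_PTE(frame, flags) (((uint64_t)(frame) << 12) | (flags))

static bool is_ptp[NFRAMES] = { true, true };   /* which frames are page-table pages */
static uint64_t page_table[NPTES];               /* page table living in a PTP */
static bool wp_enforced = true;                  /* models CR0.WP while the outer kernel runs */

/* Direct store into page-table memory: succeeds only with WP off (inside the nested kernel). */
static int pt_store(int idx, uint64_t pte) {
    if (wp_enforced) return -1;   /* models the #PF: PT memory is read-only to the outer kernel */
    page_table[idx] = pte;
    return 0;
}

/* Policy: a mapping that targets a page-table page is downgraded to read-only. */
static uint64_t enforce_ptp_policy(uint64_t pte) {
    if ((pte & PTE_PRESENT) && is_ptp[PTE_FRAME(pte)]) pte &= ~(uint64_t)PTE_WRITE;
    return pte;
}

/* Mediated update: entry gate (WP off) -> policy check + store -> exit gate (WP on). */
int nk_update_pte(int idx, uint64_t pte) {
    if (idx < 0 || idx >= NPTES || PTE_FRAME(pte) >= (uint64_t)NFRAMES) return -1;
    wp_enforced = false;                            /* entry gate */
    int rc = pt_store(idx, enforce_ptp_policy(pte));
    wp_enforced = true;                             /* exit gate */
    return rc;
}

/* What an outer-kernel write to the page tables looks like without going through the gate. */
int outer_kernel_direct_write(int idx, uint64_t pte) { return pt_store(idx, pte); }

uint64_t read_pte(int idx) { return page_table[idx]; }
```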

Nested Kernel Services

3) Intra-Kernel Isolation

Intra-kernel memory isolation

  • Attacker cannot remove events
  • Guaranteed invocation and isolation of security monitor
  • No Virtual Machine Introspection

How Practical is the Nested Kernel?

Kernel Reorganization

  • ~1900 LOC modified
  • 52 files
  • ~100 deleted
  • SMP support needed

Trusted Computing Base

TCB for Nested Kernel and MMU Isolation

Nested Kernel Lines of Code (SLOCCOUNT)

  • ∼4000 C
  • ∼800 Assembly
  • 248 Python (scanner)

FreeBSD 9.0: 7.9 MB; PerspicuOS: 34 KB

MMU TCB PerspicuOS / FreeBSD 9.0: 0.45%

Code Scanner

  • 2 writes to cr0
  • 40 implicit instructions
  • 38 wrmsr

4) Evaluation

Microbenchmarks

Macrobenchmark

Apache HTTPD

13.1%

Each connection forks a new process and mmaps data

Directions for the Nested Kernel

  • End-to-end intra-kernel security solutions

  • De-privileging to virtualize other hardware

5) Future Work

  • Nested Kernel VMMs or Microkernels
  • Formal verification of Nested Kernel

  mov cr3, val  ->  nk_wr_cr3(val)
  mov cr0, val  ->  nk_wr_cr0(val)

Access to Page Tables is configured read-only

Modifiable by Attacker

Nested Kernel

Outer Kernel

  • Lifetime kernel code integrity in FreeBSD 9.0

Static Code Privilege Separation

Memory: PTs

*Nathan Dautenhahn (UIUC), Theodoros Kasampalis (UIUC), Will Dietz (UIUC), John Criswell (University of Rochester), Vikram Adve (UIUC)

Lifetime Kernel Code Integrity

  • Retrofit the nested kernel architecture in FreeBSD 9.0

malicious_read()

  • Isolate MMU at a single hardware privilege level by virtualizing supervisor mode

Read-only permissions enforced while the outer kernel executes

Root PTR

Write-Logging

Write Mediation

Super-Duper-Ooper-Schmooper Big Idea:

Isolate the MMU using the MMU

Access Control Policy

syscall(read)

syscall_dispatch()

read( )

Nested Kernel

Outer Kernel

Translation
