Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

ASPLOS '15 Nested Kernel Presentation

This prezi details our efforts in creating the nested kernel architecture, a new operating system organization that enables a single kernel to enforce memory isolation and privilege separation within the kernel itself.
by

Nathan Dautenhahn

on 31 May 2015

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of ASPLOS '15 Nested Kernel Presentation

Monolithic Operating System Architecture
Drivers
Virtual Memory
1) What's the problem?
2) Nested Kernel Approach
3) Intra-Kernel Isolation
4) Evaluation
5) Future Work
The Nested Kernel Architecture
Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation

*Nathan Dautenhahn
Theodoros Kasampalis
Will Dietz
John Criswell
Vikram Adve
UIUC
UIUC
UIUC
University of Rochester
UIUC
Nested Kernel
MMU
Isolate MMU at a single hardware privilege level by
virtualizing supervisor mode
Simple malware are extremely powerful:
File System
CPU Virtualization
Networking
Nested Kernel Property
Hardware privilege boundary
Threads, Address Spaces, and Message Passing
Microkernel
Virtualizing the MMU with the Nested Kernel
nk_update_pte(mapping,pte){

if (
update_pts_to_ptp(val, pte)
){
set_read_only();
}
do_update();
}
The nested kernel interposes on all modifications of the MMU
Access to Page Tables is
configured
read-only
Read-only permissions
enforced
while the outer kernel executes
Microbenchmarks
Macrobenchmark
Apache HTTPD
Kernel Reorganization
Trusted Computing Base
Code Scanner
40 implicit instructions
2 writes to cr0
38 wrmsr
52 Files
~1900 LOC Modified
~100 Deleted
SMP support needed
∼4000 C
∼800 Assembly
248 Python Scanner
MMU TCB PerspicuOS / FreeBSD 9.0: 0.45%
Nested Kernel Services
Write-Logging
Intra-kernel memory isolation
Nested Kernel
MMU Isolation and Write-Protection Services
Key Takeaways
Retrofit the nested kernel architecture
in FreeBSD 9.0
Intra-kernel memory protection services
Lifetime kernel code integrity in FreeBSD 9.0
End-to-end
intra-kernel security solutions
Directions for the Nested Kernel
Formal verification
of Nested Kernel
Nested Kernel
VMMs
or
Microkernels

De-privileging
to virtualize other
hardware
Nested Kernel and Microkernel Address Similar Problems but...
Virtualize supervisor mode
Observation: If we can Restrict Access to the Page Tables then Enable Memory Isolation
13.1%
Initialize read-only
Outer Kernel
Nested Kernel
Outer Kernel Execution Integrity
Problem: A complete lack of memory isolation
Super-Duper-Ooper-Schmooper Big Idea:
Isolate the MMU using the MMU
Nested Kernel Lines of Code
TCB for Nested Kernel and MMU Isolation
SLOCCOUNT
The nested kernel isolates the MMU and provides lifetime kernel code integrity
Outer Kernel
Monolithic Operating System
Services
Privilege Separation
Monolithic Applicability
Virtualize Supervisor Mode
Write Protection Service
syscall(read)
syscall_dispatch()
read( )
malicous_read()
operation;
audit_read();
return;
NOOP
Code Injection
operation;
operation;
Violates the integrity of audit recording
System Call Hooking
Confidentiality or Integrity Violation
Single Privilege Level
Efficient Privilege Switch
Entry Gate
2. Disable write-protection enforcement
1. Disable interrupts
3. Switch to nested kernel stack
Outer Kernel
Nested Kernel
Exit Gate
2. Enable write-protection enforcement
3. Enable interrupts
1. Switch to outer kernel stack
Outer Kernel
Nested Kernel
Enforcing Privilege Separation on x86-64
Static Code Privilege Separation
mov cr0, val
nk_wr_cr0(val)
mov cr3, val
nk_wr_cr3(val)
Write Mediation
Guaranteed invocation and isolation of security monitor
Each connection forks a new process and mmaps data
Reliability
nk_update_pte(mapping,pte)
Special Operating Modes
Return Integrity
Guaranteed Mediation
Nested Kernel key assumption: can enforce read-only on supervisor code
CPU
Memory
Root PTR
Enforcement Bits
Page Tables in Typical Systems
Modifiable by Attacker
Apply to Monolithic OS
No Control Flow Integrity
Access Control Policy
Translation
Threat Model
Outer Kernel Under Complete Control of Attacker
Source Code
Execution State
No Control Flow Integrity
Nested Kernel source is trusted
Code Deprivilege
CPU
: Base PTR -> CR3
Memory
: PTs
CPU
: CR0 write-protect enable flag
Code Verification
Lifetime Kernel Code Integrity
FreeBSD 9.0: 7.9 MB
PerspicuOS: 34 KB
Virtual Privilege Switch
Attacker cannot remove events
No Virtual Machine Introspection
Virtual Privilege Switch
How Practical is the Nested Kernel
Full transcript