The operating system (OS), which manages the whole hardware platform, has grown very large because it supports many architectures and devices. Its monolithic kernel is a prime target for attackers, who exploit it to steal user data or to crash the kernel, and the huge code size of the kernel means more vulnerabilities can be exploited. Device drivers make up the largest part of the monolithic kernel, and any vulnerability in a driver may be exploited to compromise the whole system. In addition, system calls are the main routines through which users obtain kernel services, so attackers can exploit vulnerabilities in system calls to compromise the kernel. A smaller kernel mitigates the threat posed by kernel vulnerabilities; making the kernel smaller is therefore an important approach to securing the computing system. This paper proposes an architecture that reduces the trusted computing base (TCB) of the OS by means of user-space device drivers. Taking Linux as the example, it reduces the attack surface and TCB of Linux by separating the kernel. On one hand, the architecture shrinks the kernel code by moving device drivers out of the kernel, using a proxy driver to support unmodified device drivers running in user space. On the other hand, OS functions such as the file system and process management are implemented in user space as libraries (libOS), reducing the attack surface of the kernel. Together, these two methods allow the architecture to effectively prevent a class of threats arising from kernel vulnerabilities.
To validate the architecture, a PCI (Peripheral Component Interconnect) based Ethernet card driver is implemented in user space and shown to manage and control the device normally. The system evaluation shows that the architecture reduces the kernel's system call interface by 81.7%, and that the Ethernet proxy driver is 900 lines of code (the e1000 driver has 12000 lines of code). TCP and UDP request-response benchmarks show less than 25% overhead in network performance, and the overhead on overall system performance is small. All of this indicates that the performance overhead is acceptable.