
TCP/IP Protocol Stack Isolation Based On KVM Virtualization

Posted on: 2018-03-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y N Li
Full Text: PDF
GTID: 2348330512497190
Subject: Computer technology
Abstract/Summary:
The GNU/Linux operating system plays a very important role in cloud computing and big data, and its security and reliability have become a key factor affecting the user experience. The Linux kernel includes the network stack, device drivers and other modules. Because all kernel modules share the same kernel address space, the kernel has a very large code size and is often a target for attackers. The Linux kernel's monolithic architecture is highly efficient but lacks an effective isolation mechanism: a failure in one kernel module may affect other modules and even crash the entire kernel, which poses great challenges for the operating system. The TCP/IP protocol stack is an important part of the kernel, but the complexity of its logic and implementation makes it prone to failure, for example through flaws in the protocol stack design or code vulnerabilities that attackers exploit to gain privileges or mount denial-of-service attacks. The kernel has no complete protection mechanism and cannot effectively prevent errors or failures in a kernel module from causing a crash or denial of service. Worse, the kernel cannot recover by itself when an error or failure occurs. The main goal is therefore to ensure that errors and failures in the TCP/IP protocol stack and network device driver do not affect other kernel modules, and to enhance kernel security and reliability.

To solve this problem, a KVM-based virtualization solution is proposed that isolates the kernel's error- and fault-prone modules, which prevents vulnerabilities from propagating and reduces their scope. The isolated module does not affect other modules, which ultimately achieves the goals of security and reliability. The focus of this paper is how to build a kernel protection approach, based on KVM, a hardware-assisted virtualization technology, that isolates the TCP/IP protocol stack and network device driver to enhance security and reliability. The main achievements and innovations of the research are as follows:

(1) Based on a study of related work on kernel protection and on preventing the propagation of errors and faults from the TCP/IP protocol stack and network driver, the protection mechanisms and methods for kernel security and reliability are summarized.

(2) An approach is proposed, based on KVM, a hardware-assisted virtualization technology, for isolating the TCP/IP protocol stack and network device driver to enhance the kernel's security and reliability. It isolates the TCP/IP protocol stack and network device driver in a virtual machine running in user space, reducing the kernel's Trusted Computing Base. Moreover, it takes advantage of the strong isolation of the virtual machine to reduce the scope of influence of vulnerabilities, and can effectively keep a kernel module error or failure from corrupting the entire kernel.

(3) Communication between the front-end module in the virtual machine and the back-end module on the host is implemented with the para-virtualization vring mechanism. The back-end misc device is operated through the ioctl system call, passing the relevant information about the virtual machine's memory and the front-end data buffer, to tell the back-end driver to complete the memory mapping of the vring data buffer; this establishes communication between the front end and the back end. A virtual device created according to the QOM model in Qemu-kvm provides the appropriate device for the front-end driver. In addition, it completes the memory mapping of the data buffer from the front-end driver to the device.

This virtual-machine-based kernel protection solution simplifies the isolation mechanism, reduces the kernel trusted computing base, effectively prevents the spread of kernel errors and faults, and significantly improves kernel security and reliability.
Keywords/Search Tags: Monolithic kernel, TCP/IP, Security Reliability, Virtualization