
Research And Implementation Of Constructing Kernel Separation Spaces Based On Linux Kernel Page Tables

Posted on: 2018-09-27
Degree: Master
Type: Thesis
Country: China
Candidate: T F Lv
Full Text: PDF
GTID: 2348330512998170
Subject: Computer Science and Technology
Abstract/Summary:
In modern operating systems, the kernel runs at the highest privilege level as the trusted base of the entire system and provides system services to the applications above it. At the same time, the kernel contains many vulnerabilities and errors, which attackers frequently use to manipulate it maliciously. Given the importance and the inherent vulnerability of the kernel, improving its trustworthiness and security has always been an important research topic. Among the many research directions that address the untrustworthiness of the kernel, kernel isolation is one of the important ones and has been widely studied, and the idea of using page tables to build independent execution spaces is widely applied. However, current page-table-based isolation implementations share a general problem: mixed pages of small dynamic data. A mixed page is a physical page frame over which dynamic objects from different request sources are distributed. In a page-table-based isolation implementation, the granularity of memory access control is the page, so the presence of mixed pages of dynamic data requires additional access control for those memory pages and thus incurs additional overhead.

The main contents and innovations are as follows:
(1) A method is proposed to solve the problem of small dynamic data mixed pages by using a dynamic memory allocator that identifies the source of each memory allocation request. By allocating dynamic data from different sources to different physical page frames, access control at page granularity becomes easy to achieve.
(2) A method is studied and implemented for building isolation spaces for the different components of the kernel, based on the above dynamic memory allocator and the Linux kernel page tables, to avoid interference between kernel components.
(3) Based on the existing isolation implementation, this thesis describes the concerns and implementation methods of separating the static data of a particular kernel component into a separate Linux kernel page table. In this way, the kernel page tables can be used to achieve access control of kernel static data.
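The source-identifying allocator that contribution (1) describes, as an added example written for this page and not the thesis's own code: a simulated pool of page frames in which each frame is owned by exactly one request source, so that objects from two kernel components never share a page and a page-granular access decision needs no per-object exceptions. The source identifiers, the pool size and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define PAGE_SIZE 4096
#define MAX_FRAMES 8

/* Hypothetical request sources (kernel components); the thesis does not
 * name its identifiers, so these are placeholders. 0 means "no owner". */
enum src_id { SRC_CORE = 1, SRC_DRIVER_A, SRC_DRIVER_B };

/* Simulated physical page frame: owner is the source it was handed to
 * (0 = free), used counts the bytes already carved out of it. */
struct frame { int owner; size_t used; uint8_t mem[PAGE_SIZE]; };
static struct frame pool[MAX_FRAMES];   /* zero-initialised: every frame free */

/* Source-aware allocation: an object is only carved out of a frame owned by
 * the requesting source, so objects from two sources never share a frame. */
void *src_alloc(enum src_id src, size_t size) {
    if (src == 0 || size == 0 || size > PAGE_SIZE) return NULL;
    for (int i = 0; i < MAX_FRAMES; i++)       /* reuse a frame we already own */
        if (pool[i].owner == (int)src && pool[i].used + size <= PAGE_SIZE) {
            void *p = pool[i].mem + pool[i].used;
            pool[i].used += size;
            return p;
        }
    for (int i = 0; i < MAX_FRAMES; i++)       /* otherwise claim a free frame */
        if (pool[i].owner == 0) {
            pool[i].owner = (int)src;
            pool[i].used = size;
            return pool[i].mem;
        }
    return NULL;                               /* pool exhausted */
}

/* Index of the simulated frame containing p, or -1 if p is not from the pool. */
int frame_index(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < MAX_FRAMES; i++) {
        uintptr_t base = (uintptr_t)pool[i].mem;
        if (a >= base && a < base + PAGE_SIZE) return i;
    }
    return -1;
}
/* Owner of the frame around p (0 if p is not from the pool). */
int frame_owner(const void *p) { int i = frame_index(p); return i < 0 ? 0 : pool[i].owner; }

/* Page-granularity access decision: once frames are unmixed, a component may
 * touch an object exactly when it owns the whole frame around it. */
int access_allowed(enum src_id src, const void *p) { return frame_owner(p) == (int)src; }
```

Two small objects requested by different sources land in different frames, while a second request from the same source reuses that source's frame, which is the invariant the page-table-based isolation relies on.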
Keywords/Search Tags: Untrusted Kernel, Kernel Protection, Mixed Pages, Dynamic Data Isolation, Static Data Isolation