
Research On High Efficiency Isolation Of Kernel Module Based On Hardware Virtualization Technology

Posted on: 2018-10-27
Degree: Master
Type: Thesis
Country: China
Candidate: J W Gao
Full Text: PDF
GTID: 2348330542971680
Subject: Computer Science and Technology
Abstract/Summary:
On a modern computer system, all resources are managed by the operating system, whose critical functionality is integrated into a software layer called the kernel. If the kernel is compromised, system security collapses and all system resources may be destroyed. Nowadays, adversaries usually abuse the extension mechanism supported by the kernel to compromise it, by tricking the kernel into loading malicious kernel-level programs. Therefore, it is important to validate loadable kernel modules for security. An effective mechanism is to isolate kernel extension modules from the kernel. Currently, the hardware virtualization technologies provided by commercial processors such as x86 and ARM are applied for this purpose. While hardware-based virtual machines provide good compatibility and security, they may introduce high performance overhead due to frequent switching of the hardware privilege level. This thesis studies existing efficient isolation of kernel modules based on hardware virtualization technology and aims to reduce the system overhead caused by the module isolation mechanism. The main contributions of this work are as follows:

(1) We systematically analyze the existing solutions for isolating kernel extension modules, with a focus on work based on hardware virtualization. Comparing their advantages and disadvantages, we find that the VMMs used by these solutions have to trap the Guest OS at a high frequency; as a result, they inevitably impose a high performance penalty on the system. In this work, we set our goal to reduce the runtime overhead caused by these hardware-assisted solutions.

(2) We improve the hardware-virtualization-based kernel module isolation solution so as to alleviate the runtime performance overhead of the system. We place the security monitor inside the Guest OS by exploiting Intel hardware virtualization technology, and enforce isolation by rewriting the source code of kernel extension modules. Specifically, we divide the operating system into two domains using the nested page tables that modern x86 processors provide for virtual machine enhancement. Since this scheme eliminates VMM intervention when control flows between kernel extension modules and the kernel, it effectively reduces the performance overhead.

(3) We implement a prototype of the kernel extension module isolation solution based on Intel VT technology. We also isolate the network card driver for demonstration and test the resulting performance improvement. Experimental results show that our solution greatly reduces network delay.
Keywords/Search Tags: Hardware Virtualization Technology, Module Isolation, Performance