
Research And Implementation Of Memory Allocation And Isolation Method Oriented To Linux Kernel Space

Posted on: 2022-07-01
Degree: Master
Type: Thesis
Country: China
Candidate: X F Duan
GTID: 2518306560991289
Subject: Software engineering
Abstract/Summary:
With the advent of the information age, the central role of computers has become increasingly prominent, and the security of computer systems has drawn increasing attention. For the mainstream open-source Linux operating system, the kernel is the core of safe operation and management control. In the face of frequent system security threats, especially memory corruption attacks, effectively protecting the kernel is very important. As a critical and popular research direction in system security, kernel isolation has received extensive attention in recent years, and kernel isolation based on memory allocation is one of the leading solutions.

This paper surveys and analyzes kernel isolation methods and related technologies at home and abroad and finds that current kernel isolation mainly uses memory isolation based on processes, page tables or virtual machines. Among these, the idea of building an independent execution space based on page tables and completing memory allocation and isolation within it has been widely used. However, page-table-based implementations suffer from a mixed-page problem, in which data belonging to the main kernel and to different kernel modules is allocated to the same physical page frame. With such mixed pages, it is difficult for the Linux operating system to perform page-level protection, and the system is highly prone to memory corruption attacks such as memory leaks or buffer overflows. This paper then studies the Linux kernel memory allocation mechanism in depth and finds that the root cause of the mixed-page problem is that the Linux kernel uses the conventional buddy system allocator together with a small-memory allocator, which can be called a block allocator. Therefore, in order to improve system security and solve the mixed-page problem, the block allocator must be improved so that the main kernel and kernel modules are isolated from each other during memory allocation.

Through analysis of the Linux kernel source code, this paper finds that the Linux kernel space has three block allocators, SLAB, SLUB and SLOB, of which SLUB is the default block allocator of the current Linux kernel. The paper therefore focuses on how to improve the SLUB allocator. Specifically, the improved SLUB allocator adds allocation flags that identify the main kernel and kernel modules and builds dedicated memory caches, so that the kernel can serve each memory allocation request from the dedicated memory cache that matches its allocation flag, thereby solving the mixed-page problem. On this basis, the buddy system allocator is improved accordingly, and a new allocator processing model is constructed for the memory allocation isolation method for Linux kernel space.

Finally, this paper tests and evaluates the new model experimentally. The prototype experiment results show that the new model built on this method achieves memory allocation isolation between the main kernel and kernel modules without changing the kernel's original processing logic, and has little impact on the kernel's original memory allocation performance. It should be noted that the new model implemented in this paper is only a theoretical model for solving the mixed-page problem. Much work remains before it can be applied and integrated into the Linux kernel to provide safe and reliable memory allocation and kernel isolation services.
Keywords/Search Tags:System security, Kernel isolation, Memory allocation, Block allocator, Mixed pages