
System Call Address Space Isolation For Kernel Module

Posted on: 2022-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: J H Huang
Full Text: PDF
GTID: 2518306572497084
Subject: Computer technology

Abstract/Summary:
With the rapid development of cloud computing, the deployment scale and density of containers on cloud platforms are growing geometrically, and the isolation and security of containers face ever more challenges. Unlike traditional virtual machines, containers still share the operating system kernel. It is therefore necessary to use kernel modules to customize kernel functions and access permissions for each container in order to achieve strong isolation of containers within the kernel. A kernel module runs in the kernel with high privileges and can access the kernel address space arbitrarily, so an attacker who exploits a vulnerability in a kernel module can attack the physical kernel through it. Ensuring the security of kernel modules is thus essential to the security of both the container and the kernel.

To address the security of kernel modules, this thesis designs and implements an address space isolation mechanism for kernel modules, building on the kernel page table isolation mechanism. The address space isolation uses an isolated page table to limit the kernel address space that the kernel module can access. Based on the kernel's system call table, a virtual system call table is created in the kernel module and the addresses of the isolated system calls are written into it, so that a container's system calls are dispatched through the virtual system call table, jump to the isolated system call implementation in the kernel module, and execute the system call's kernel code within the restricted address space. The mechanism also designs a page fault handling flow for the page faults raised when the running kernel code accesses memory pages that are not mapped in the isolated page table.

The experimental results verify that the isolated address space restricts the kernel memory a system call can access, show the effectiveness of adding memory page mappings to the isolated page table, and measure that system call isolation adds an average delay of 3.02% to container startup.
Keywords/Search Tags: Container, Kernel module, Isolated page table, Address space isolation