Please use this identifier to cite or link to this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/91047

| Field | Value |
|---|---|
| Title | K-Int, Kernel Code Integrity Enforcer |
| Authors | Joey LI |
| Advisor | Shih-Wei Li (黎士瑋) |
| Keywords | System Security, Kernel Integrity, KVM, Virtualization |
| Publication Year | 2023 |
| Degree | Master's |
| Abstract | Many of the OSes currently running in the cloud are monolithic. Unfortunately, a monolithic design is inherently exposed because of how it is arranged: a single kernel vulnerability or a rootkit can grant an attacker full authority over the system. To mitigate this issue, we present K-Int, an additional layer of protection that ensures only approved code executes with superuser privilege, while still allowing external module loading, even if the kernel is compromised. Past research has proposed solutions to improve the security of monolithic kernels, but very few of them were built on Arm64. By relying on virtualization, K-Int interposes on all updates to the kernel page table and kernel code, and therefore prevents kernel code modification and malicious kernel page table manipulation. Since K-Int relies only on basic hypervisor and Arm64 features, it does not need the host hypervisor to provide complex implementations; in this sense, K-Int is an extension that would be portable across hypervisors. K-Int leverages the Arm virtualization extensions to protect Arm64 kernels. It is built upon SeKVM and reuses its formally verified functionality. The code base is composed of 4205 LoC and only 3 hypercalls to apply the protective layer. The implementation of K-Int over SeKVM shows only a small run-time performance overhead (e.g. < 2%). |
| URI | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/91047 |
| DOI | 10.6342/NTU202301655 |
| Fulltext Rights | Not authorized |
| Appears in Collections | Graduate Institute of Networking and Multimedia |
Files in This Item:
| File | Size | Format | Access |
|---|---|---|---|
| ntu-111-2.pdf | 706.03 kB | Adobe PDF | Restricted Access |
