透過基於時間間隔的監測器恢復内核模組錯誤

Abstract

作業系統核心的隔離對於系統本身安全的保護有著極大的好處。截至2023年為止，Linux Kernel的行數已超過三千六百萬行程式碼，龐大的代碼量對程式除錯的難度日益增加，系統核心工程師不經意的錯誤可能會導致核心毀損而panic，如null pointer deference、use after free。因此，我們在Arm v8的架構下提出了一套備份機制，首先會選定其中一種system call，將其定義為我們的compartment，並藉由分析該compartment的call graph，找出與核心其他部份share的global memory。針對這些記憶體內容，我們實作了一套Time Interval Based的Monitor，他會紀錄並備份所有process對該記憶體位置的更改情況。當隔離區域程式碼遇到錯誤時，先透過hypercall進入EL2回復暫存器的狀態，再讓monitor回復共享記憶體的內容，最後讓process回到進入system call前的系統狀態，並返回錯誤代碼，以讓使用者有機會處理核心錯誤，藉此達到系統核心保護及恢復的目的。

The isolation of the operating system kernel is of great benefit to the security of the system itself. As of 2023, the Linux Kernel will have more than 36 million lines of code, and the huge amount of code will make it increasingly difficult to debug the program, and inadvertent mistakes made by the kernel engineers may cause the kernel to be corrupted and become panic, e.g., null pointer deference, use after free. Therefore, we propose a backup mechanism in the Arm v8 architecture, trying to prevent kernel crash after these mistakes causes kernel errors. Firstly, we will select one of the system calls, which is defined as our compartment, and analyze the control flow graph of the compartment to find out the global variables shared outside of the compartment. And then, we design a Time Interval Based Monitor, which can record and back up all value changes to the memory addresses. When the compartment encounters an error, the monitor can recover tracked memory locations, and allows the process to return to the original system state before entering the compartment, thus achieving the purpose of protecting the system kernel and maintaining kernel availability.