透過自動化程式碼分析與修改增強 Linux 系統呼叫的可靠性

Abstract

作業系統（OS）如 Linux 藉由系統呼叫介面向用戶提供服務，但其龐大的程式碼基礎（幾乎是使用不安全的程式語言撰寫）使其易於受到攻擊。2014 至 2024年七月十三日，Linux 核心報告了 1,866 個新的 CVE，顯示了保護這些系統的挑戰。由於大部分作業系統核心採用單體式架構，一個漏洞即可危及整個系統。核心區隔化藉由執行最小特權原則，將核心分隔成不同區隔，限制每個元件僅能存取其功能所需要的資料跟程式碼，以減少風險。 過去的區隔化工具，如 μSCOPE 和 TyPM，雖嘗試自動化此過程，但仍存在局限性。這些工具要麼因不完整的動態程式碼分析導致區隔特權不足，要麼因基於資料型別授權導致區隔特權過多，使攻擊者得以利用漏洞去攻擊與該漏洞無關的系統元件。此外，這些工具仍需手動實作區隔化政策，導致採用過程費時且容易出錯。 此論文提出的框架，能自動將 Linux 核心元件進行細緻的區隔化。此框架支持針對特定程式路徑（如系統呼叫處理路徑）進行自訂區隔，並透過函式呼叫關係圖分析自動生成區隔化策略。框架定義了共享資料抽象 API，包括：(1) 用於分配資料至區隔的共享資料指派 API，以及 (2) 控制資料存取的共享資料存取 API（getter 和 setter）。自動化將記憶體操作的指令轉換為 API 呼叫，使監控器能夠強制執行共享資料存取的權限。 我們的實作基於 MLTA 型別分析工具和 LLVM，能自動識別和修改 Linux v5.15 中的程式路徑上的程式碼。我們評估了此框架在多個系統呼叫（如KVM_CREATE_VM）中的應用，證明其在減少手動修改的量之外，也能提升了核心安全性。

Operating system (OS) kernels, such as Linux, expose a system call interface to users, but their extensive codebases—often written in unsafe languages—leave them vulnerable to exploitation. Between 2014 and July 13, 2024, 1,866 new CVEs were reported in the Linux kernel, illustrating the challenge of securing such systems. As most OS kernels are monolithic, a single vulnerability can compromise the entire system. Kernel compartmentalization, which conducts the principle of least privilege, mitigates this risk by dividing the kernel into isolated compartments, restricting access to only the data and code necessary for each component's function. Past compartmentalization efforts, including μSCOPE and TyPM, have attempted to automate the process but remain limited. These tools either under-privilege compartments due to incomplete runtime analysis or over-privilege them by granting unnecessary access based on data types, which still allows attackers to exploit vulnerabilities to target parts of the system that are unrelated to the original vulnerabilities. Furthermore, they require manual implementation of the compartmentalization policies, making adoption time-consuming and error-prone. This thesis introduces a framework for automatically compartmentalizing Linux kernel components with fine granularity. It supports custom compartmentalization of code paths, such as those handling system calls, using call graph analysis to generate compartmentalization policies. The framework defines a shared data abstraction API comprising: (1) shared data assignment APIs to allocate data to compartments, and (2) shared data access APIs (getters and setters) to enforce controlled data interaction. Automatic instrumentation transforms memory operations into API calls, enabling a monitor to enforce permissions on shared data access. Our implementation, based on the type analysis tool MLTA and LLVM, automates the identification and instrumentation of code paths in Linux v5.15. The framework was evaluated by compartmentalizing several system calls, including KVM_CREATE_VM, demonstrating its effectiveness in reducing manual effort while enhancing kernel security.