Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96839

Full metadata record

| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 黎士瑋 | zh_TW |
| dc.contributor.advisor | Shih-Wei Li | en |
| dc.contributor.author | 徐翊凌 | zh_TW |
| dc.contributor.author | Yi-Lin Hsu | en |
| dc.date.accessioned | 2025-02-24T16:12:06Z | - |
| dc.date.available | 2025-02-25 | - |
| dc.date.copyright | 2025-02-24 | - |
| dc.date.issued | 2025 | - |
| dc.date.submitted | 2025-01-09 | - |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96839 | - |
| dc.description.abstract | Operating systems (OS) such as Linux provide services to users through the system call interface, but their large code bases, written almost entirely in unsafe programming languages, make them easy targets for attack. From 2014 to July 13, 2024, the Linux kernel reported 1,866 new CVEs, showing the challenge of protecting these systems. Because most OS kernels use a monolithic architecture, a single vulnerability can compromise the whole system. Kernel compartmentalization reduces this risk by enforcing the principle of least privilege: it divides the kernel into separate compartments and restricts each component to only the data and code its functionality requires. Past compartmentalization tools such as μSCOPE and TyPM attempted to automate this process but still have limitations. These tools either under-privilege compartments because of incomplete dynamic code analysis, or over-privilege them because they grant access based on data types, which lets attackers exploit a vulnerability to attack system components unrelated to that vulnerability. In addition, these tools still require manual implementation of the compartmentalization policy, making adoption time-consuming and error-prone. The framework proposed in this thesis automatically compartmentalizes Linux kernel components at fine granularity. It supports custom compartmentalization of specific code paths (such as system call handling paths) and automatically generates compartmentalization policies through call graph analysis. The framework defines a shared data abstraction API consisting of (1) a shared data assignment API that allocates data to compartments and (2) a shared data access API (getters and setters) that controls data access. Automated instrumentation converts memory operation instructions into API calls, allowing a monitor to enforce permissions on shared data accesses. Our implementation is based on the MLTA type analysis tool and LLVM, and automatically identifies and modifies code on program paths in Linux v5.15. We evaluated the framework on several system calls (such as KVM_CREATE_VM), demonstrating that, besides reducing the amount of manual modification, it also improves kernel security. | zh_TW |
| dc.description.abstract | Operating system (OS) kernels, such as Linux, expose a system call interface to users, but their extensive codebases, often written in unsafe languages, leave them vulnerable to exploitation. Between 2014 and July 13, 2024, 1,866 new CVEs were reported in the Linux kernel, illustrating the challenge of securing such systems. As most OS kernels are monolithic, a single vulnerability can compromise the entire system. Kernel compartmentalization, which enforces the principle of least privilege, mitigates this risk by dividing the kernel into isolated compartments, restricting access to only the data and code necessary for each component's function. Past compartmentalization efforts, including μSCOPE and TyPM, have attempted to automate the process but remain limited. These tools either under-privilege compartments due to incomplete runtime analysis or over-privilege them by granting unnecessary access based on data types, which still allows attackers to exploit a vulnerability to target parts of the system that are unrelated to it. Furthermore, they require manual implementation of the compartmentalization policies, making adoption time-consuming and error-prone. This thesis introduces a framework for automatically compartmentalizing Linux kernel components with fine granularity. It supports custom compartmentalization of code paths, such as those handling system calls, using call graph analysis to generate compartmentalization policies. The framework defines a shared data abstraction API comprising: (1) shared data assignment APIs to allocate data to compartments, and (2) shared data access APIs (getters and setters) to enforce controlled data interaction. Automatic instrumentation transforms memory operations into API calls, enabling a monitor to enforce permissions on shared data access. Our implementation, based on the type analysis tool MLTA and LLVM, automates the identification and instrumentation of code paths in Linux v5.15. The framework was evaluated by compartmentalizing several system calls, including KVM_CREATE_VM, demonstrating its effectiveness in reducing manual effort while enhancing kernel security. | en |
| dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2025-02-24T16:12:06Z No. of bitstreams: 0 | en |
| dc.description.provenance | Made available in DSpace on 2025-02-24T16:12:06Z (GMT). No. of bitstreams: 0 | en |
| dc.description.tableofcontents | Verification Letter from the Oral Examination Committee i; Acknowledgements ii; Chinese Abstract iii; Abstract v; Contents vii; List of Figures x; List of Tables xi; Chapter 1 Introduction 1; Chapter 2 Background 7; 2.1 Compartmentalization 8; 2.1.1 Compartmentalization Policy 9; 2.1.2 Compartmentalization Abstraction 10; 2.1.3 Compartmentalization Mechanism 10; 2.2 Call Graph Analysis 11; 2.2.1 LLVM Call Graph Analysis 11; 2.2.2 First-Layer Type Analysis 12; 2.2.3 Multi-Layer Type Analysis 13; 2.3 Kernel-based Virtual Machine 16; Chapter 3 Design 17; 3.1 Compartmentalization Policy of the Framework 17; 3.2 Compartmentalization Abstraction API 19; 3.2.1 Shared Data Assign API 19; 3.2.2 Shared Data Access API 20; 3.3 Support for Monitor-Based Mechanism 20; 3.4 Compartmentalization Analysis and Instrumentation 21; 3.4.1 Compartmentalization Subject Analysis 23; 3.4.2 Compartmentalization Object and Permission Analysis 24; 3.4.3 Compartmentalization Instrumentation 25; Chapter 4 Implementation 27; 4.1 Customized Compartmentalization Abstraction API 27; 4.1.1 Record-Replay-Based Monitor 28; 4.1.2 Concurrency Model 29; 4.1.3 Customized Shared Data Assign API 29; 4.2 Compartmentalization Analysis and Instrumentation Framework 31; 4.2.1 Workflow of the Framework 32; 4.2.2 Local Variables Elimination 33; Chapter 5 Evaluation and Discussion 36; 5.1 Performance Evaluation 36; 5.1.1 Demo system call 37; 5.1.2 KVM Virtual Machine Creation System Call 39; 5.1.3 Cases of Significant Performance Overhead 40; 5.2 Discussion 42; 5.2.1 Generalization 42; 5.2.1.1 Analysis Limitation 42; 5.2.1.2 Instrumentation Limitation 43; 5.2.2 Concurrency Bug Discussion 43; 5.2.3 How to ensure the code after instrumentation works as it should be? 44; 5.2.4 Effect of Memory Ordering 45; 5.2.5 Effect of Compiler Optimization 45; Chapter 6 Related Work 46; 6.1 Related Work 46; 6.1.1 Driver Automated Isolation 46; 6.1.2 Compartmentalization Policy Analysis 47; 6.1.3 Manual Compartmentalization Approaches 48; Chapter 7 Conclusions 49; References 50; Appendix A — Configuration 56 | - |
| dc.language.iso | en | - |
| dc.subject | Kernel Compartmentalization | zh_TW |
| dc.subject | System Call | zh_TW |
| dc.subject | Static Analysis | zh_TW |
| dc.subject | System Availability | zh_TW |
| dc.subject | System Call | en |
| dc.subject | System Availability | en |
| dc.subject | Kernel Compartmentalization | en |
| dc.subject | Static Analysis | en |
| dc.title | Enhancing the Reliability of Linux System Calls through Automated Code Analysis and Modification | zh_TW |
| dc.title | Enhancing the Reliability of Linux System Calls through Automated Code Analysis and Modification | en |
| dc.type | Thesis | - |
| dc.date.schoolyear | 113-1 | - |
| dc.description.degree | Master's | - |
| dc.contributor.oralexamcommittee | 黃敬群;廖世偉;王紹睿 | zh_TW |
| dc.contributor.oralexamcommittee | Ching-Chun Huang;Shih-Wei Liao;Shao-Jui Wang | en |
| dc.subject.keyword | System Call,Static Analysis,System Availability,Kernel Compartmentalization | zh_TW |
| dc.subject.keyword | System Call,Static Analysis,System Availability,Kernel Compartmentalization | en |
| dc.relation.page | 56 | - |
| dc.identifier.doi | 10.6342/NTU202500063 | - |
| dc.rights.note | Authorized (open access worldwide) | - |
| dc.date.accepted | 2025-01-09 | - |
| dc.contributor.author-college | College of Electrical Engineering and Computer Science | - |
| dc.contributor.author-dept | Graduate Institute of Networking and Multimedia | - |
| dc.date.embargo-lift | 2025-02-25 | - |
| Appears in Collections: | Graduate Institute of Networking and Multimedia | - |

Files in This Item:

| File | Size | Format |
|---|---|---|
| ntu-113-1.pdf | 1.05 MB | Adobe PDF |
