National Digital Library of Theses and Dissertations in Taiwan

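Graduate student: 許嘉鋒
Graduate student (English): Hsu, Chia-Feng
Thesis title: 基於 ARM 平台之核心模組沙盒化機制
Thesis title (English): KSA: Paravirtualization-Inspired Kernel Module Sandboxing Mechanism for ARM Platform
Advisor: 吳育松
Advisor (English): Wu, Yu-Sung
Oral defense committee: 黃世昆, 黃俊穎, 吳育松
Oral defense committee (English): Huang, Shih-Kun; Huang, Chun-Ying; Wu, Yu-Sung
Oral defense date: 2018-9-21
Degree: Master's
Institution: National Chiao Tung University (國立交通大學)
Department: Institute of Computer Science and Engineering
Discipline: Engineering
Field: Electrical engineering and computer science
Thesis type: Academic thesis
Year of publication: 2018
Graduation academic year: 107
Language: English
Number of pages: 39
Keywords (Chinese): virtualization; ARM; KVM; kernel module; system vulnerability
Keywords (English): virtualization; ARM; KVM; kernel module; kernel vulnerability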
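A vulnerability in a kernel module gives an attacker the opportunity to damage the system or bypass the kernel's protection mechanisms, exposing the whole system to risk. To address this, we propose a mechanism named KSA, which uses virtualization to move some code into a virtual machine for execution, achieving isolation at the granularity of individual functions. Compared with x86 machines, ARM SoCs are more often connected to different devices, and supporting new devices means that new kernel modules (drivers) need to be installed more often on ARM platforms. In addition, an ARM SoC may by design lack some hardware support, such as an IOMMU for mapping device addresses. We therefore chose to implement KSA on the ARM platform without requiring additional hardware support. Following a concept similar to paravirtualization, we split a kernel module into a front-end module and a back-end module. The back-end module resides in the virtual machine and executes the function calls sent from the front-end module on the host. Through the isolation provided by virtualization, KSA protects the host from vulnerabilities hidden in these functions. We ran several experiments to evaluate KSA's performance impact and its isolation; the results show that KSA can prevent the host from crashing or leaking information. KSA is best suited to functions that handle kernel module configuration, authentication, or data processing.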
Vulnerabilities in a kernel module could allow an adversary to break kernel functionality or bypass kernel protection, putting the system at risk. We propose a mechanism called KSA (Kernel module Sandboxing mechanism for ARM platform), which leverages virtualization techniques to move the execution of certain functions into a virtual machine and provide function-based isolation. Unlike an x86 machine, an ARM SoC may not have full hardware support (e.g., an IOMMU) and usually has several devices attached, such as sensors, to complete a certain task. An ARM platform is therefore more likely to need a new kernel module (device driver) installed. For these reasons, we implement KSA on the ARM platform without requiring additional hardware support. Following an idea similar to paravirtualization, our mechanism turns a kernel module into a front-end part and a back-end part, which reside in the host OS and the guest VM respectively. The back-end part executes the functions invoked by the front-end part. Through the isolation provided by virtualization, the host system can avoid the damage caused by potential vulnerabilities. In this paper, we evaluate the performance overhead and the isolation feature of KSA. The results show that KSA can prevent the host OS from crashing or leaking information and is suitable for configuration, verification and buffer processing functions.
1 Introduction
2 Background
2.1 Virtualization
2.1.1 KVM/ARM
2.1.2 QEMU
2.2 Linux loadable kernel module
2.3 Kernel vulnerability
3 Design
3.1 Overview
3.2 KSA API
3.2.1 Identical function name
3.2.2 Creation of the target function
3.2.3 KSA function registration
3.2.4 Hardware-dependent code
3.3 KSA program flow
4 Implementation
4.1 Shared memory of KSA
4.2 Notification between Host and Guest
4.2.1 Host-to-guest notification
4.2.2 Guest-to-host notification
4.3 Data synchronization between host and guest
4.3.1 Global variable
4.3.2 Memory allocation of target_module
4.3.3 Synchronization of virtual address
5 Evaluation
5.1 Isolation of vulnerabilities
5.1.1 Exploitation of an IPC kernel module
5.2 Performance
5.2.1 KSA overhead
5.2.2 GPIO led driver
5.2.3 Network driver
6 Related Work
7 Discussion
7.1 Future work
7.2 Limitation
8 Conclusion
References
Electronic full text (public Internet release date: 20231002)