DOI: 10.1145/3011883.3011886
Research article (Public Access)

Rethinking operating system design: asymmetric multiprocessing for security and performance

Published: 26 September 2016

Abstract

Developers and academics are constantly seeking to increase the speed and security of operating systems. Unfortunately, an increase in either one often comes at the cost of the other. In this paper, we present an operating system design that challenges a long-held tenet of multicore operating systems in order to produce an alternative architecture that has the potential to deliver both increased security and faster performance. In particular, we propose decoupling the operating system kernel from user processes by running each on completely separate processor cores instead of at different privilege levels within shared cores. Without using the hardware's privilege modes, virtualization and virtual memory contexts enforce the security policies necessary to maintain process isolation and protection. Our new kernel design paradigm offers the opportunity to simultaneously increase both performance and security; utilizing the hardware facilities for inter-core communication in place of those for privilege mode switching offers the opportunity for increased system call performance, while the hard separation between user processes and the kernel provides several strong security properties.
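The system-call path the abstract sketches, modelled in user space as an added example (this is not the paper's code and nothing here is taken from its prototype): one thread stands in for the user core and another for the kernel core, and the only thing they share is a mailbox in memory, so a system call is a store into the mailbox followed by a spin until the reply lands, with no privilege-mode switch anywhere on the path. The mailbox layout, the four-entry syscall table, the borrowed Linux errno values (EINVAL, ENOSYS) and plain spinning in place of a hardware inter-core notification are all assumptions of the example; the isolation the abstract attributes to virtualization and virtual-memory contexts is not modelled, only the cross-core message path.

```rust
// Added example (not from the paper): a user-mode model of a cross-core
// system call. One thread plays the "user core", one the "kernel core";
// they share only a mailbox. Assumptions: mailbox layout, syscall table
// and errno values are ours; thread-to-core pinning and the hardware
// notification (IPI / MONITOR-MWAIT) are replaced by plain spinning.
use std::hint;
use std::sync::atomic::{AtomicI64, AtomicU32, AtomicU64, Ordering};
use std::sync::Arc;
use std::thread;

const IDLE: u32 = 0;     // slot free, owned by the user side
const REQUEST: u32 = 1;  // request published, owned by the kernel side
const REPLY: u32 = 2;    // result published, owned by the user side
const SHUTDOWN: u32 = 3; // kernel core may leave its loop

pub const SYS_GETPID: u64 = 0;
pub const SYS_ADD: u64 = 1;
pub const SYS_WRITE: u64 = 2;
pub const SYS_WRITE_COUNT: u64 = 3;
pub const ENOSYS: i64 = -38; // Linux errno values, negated as a kernel returns them
pub const EINVAL: i64 = -22;
const MAX_WRITE: u64 = 4096;

/// Request/reply slot in memory visible to both cores. Crossing the
/// user/kernel boundary is a store plus a load, not a mode switch.
pub struct Mailbox {
    state: AtomicU32,
    nr: AtomicU64,
    args: [AtomicU64; 3],
    ret: AtomicI64,
}

impl Mailbox {
    pub fn new() -> Self {
        Mailbox {
            state: AtomicU32::new(IDLE),
            nr: AtomicU64::new(0),
            args: [AtomicU64::new(0), AtomicU64::new(0), AtomicU64::new(0)],
            ret: AtomicI64::new(0),
        }
    }
}

/// State that lives only on the kernel core. The user side holds no
/// reference to it, so user code can neither read nor corrupt it.
pub struct KernelState {
    pub pid: u64,
    pub writes: u64,
}

/// Syscall dispatch, run on the kernel core. Arguments are validated
/// here, on the kernel's side of the boundary, before they are used.
pub fn dispatch(ks: &mut KernelState, nr: u64, args: [u64; 3]) -> i64 {
    match nr {
        SYS_GETPID => ks.pid as i64,
        SYS_ADD => args[0].wrapping_add(args[1]) as i64,
        SYS_WRITE => {
            let (fd, len) = (args[0], args[1]);
            if fd != 1 || len > MAX_WRITE {
                return EINVAL;
            }
            ks.writes += 1;
            len as i64
        }
        SYS_WRITE_COUNT => ks.writes as i64,
        _ => ENOSYS,
    }
}

/// Kernel core: poll the mailbox and service requests; never runs user code.
pub fn kernel_core(mb: &Mailbox, mut ks: KernelState) -> KernelState {
    loop {
        match mb.state.load(Ordering::Acquire) {
            REQUEST => {
                let nr = mb.nr.load(Ordering::Relaxed);
                let args = [
                    mb.args[0].load(Ordering::Relaxed),
                    mb.args[1].load(Ordering::Relaxed),
                    mb.args[2].load(Ordering::Relaxed),
                ];
                let r = dispatch(&mut ks, nr, args);
                mb.ret.store(r, Ordering::Relaxed);
                mb.state.store(REPLY, Ordering::Release); // hand the slot back
            }
            SHUTDOWN => return ks,
            _ => hint::spin_loop(),
        }
    }
}

/// User-side stub: what replaces the SYSCALL/SYSRET pair.
pub fn user_syscall(mb: &Mailbox, nr: u64, args: [u64; 3]) -> i64 {
    while mb.state.load(Ordering::Acquire) != IDLE {
        hint::spin_loop();
    }
    mb.nr.store(nr, Ordering::Relaxed);
    for i in 0..3 {
        mb.args[i].store(args[i], Ordering::Relaxed);
    }
    mb.state.store(REQUEST, Ordering::Release); // publish; stands in for the IPI
    while mb.state.load(Ordering::Acquire) != REPLY {
        hint::spin_loop();
    }
    let r = mb.ret.load(Ordering::Relaxed);
    mb.state.store(IDLE, Ordering::Release);
    r
}

/// Bring up a kernel core, issue a handful of calls, shut it down.
pub fn run_demo() -> Vec<i64> {
    let mb = Arc::new(Mailbox::new());
    let mb_k = Arc::clone(&mb);
    let kernel = thread::spawn(move || kernel_core(&mb_k, KernelState { pid: 4242, writes: 0 }));
    let results = vec![
        user_syscall(&mb, SYS_GETPID, [0; 3]),
        user_syscall(&mb, SYS_ADD, [3, 4, 0]),
        user_syscall(&mb, SYS_WRITE, [1, 100, 0]),     // valid write
        user_syscall(&mb, SYS_WRITE, [7, 100, 0]),     // bad fd -> EINVAL
        user_syscall(&mb, SYS_WRITE, [1, 1 << 40, 0]), // oversize -> EINVAL
        user_syscall(&mb, 99, [0; 3]),                 // unknown -> ENOSYS
        user_syscall(&mb, SYS_WRITE_COUNT, [0; 3]),    // only the valid write counted
    ];
    while mb.state.load(Ordering::Acquire) != IDLE {
        hint::spin_loop();
    }
    mb.state.store(SHUTDOWN, Ordering::Release);
    let _ks = kernel.join().expect("kernel core panicked");
    results
}

fn main() {
    println!("{:?}", run_demo());
}
```

The point to notice is that `KernelState` is reachable only from the kernel thread: the bad file descriptor, the oversize length and the unknown call number are all rejected on the kernel's side of the boundary, and the user side sees nothing but the returned integer. On real hardware the two spin loops are where an inter-processor interrupt or a MONITOR/MWAIT wait on the mailbox line would go; that is the mechanism the abstract proposes to use in place of the privilege-mode transition.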

Published In

NSPW '16: Proceedings of the 2016 New Security Paradigms Workshop
September 2016
113 pages
ISBN:9781450348133
DOI:10.1145/3011883
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc
  • The National Science Foundation
  • DELL
  • CISCO

Publisher

Association for Computing Machinery

New York, NY, United States

Funding Sources

  • Defense Advanced Research Projects Agency

Conference

NSPW '16: New Security Paradigms Workshop 2016
September 26 - 29, 2016
Granby, Colorado, USA
Sponsor:
  • ACSA

Acceptance Rates

Overall Acceptance Rate 62 of 170 submissions, 36%
