Securing Monolithic Kernels using Compartmentalization
- URL: http://arxiv.org/abs/2404.08716v1
- Date: Fri, 12 Apr 2024 04:55:13 GMT
- Title: Securing Monolithic Kernels using Compartmentalization
- Authors: Soo Yee Lim, Sidhartha Agrawal, Xueyuan Han, David Eyers, Dan O'Keeffe, Thomas Pasquier
- Abstract summary: A single flaw in a non-essential part of the kernel can cause the entire operating system to fall under an attacker's control.
Kernel hardening techniques might prevent certain types of vulnerabilities, but they fail to address a fundamental weakness.
We propose a taxonomy that allows the community to compare and discuss future work.
- Score: 0.9236074230806581
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Monolithic operating systems, where all kernel functionality resides in a single, shared address space, are the foundation of most mainstream computer systems. However, a single flaw, even in a non-essential part of the kernel (e.g., device drivers), can cause the entire operating system to fall under an attacker's control. Kernel hardening techniques might prevent certain types of vulnerabilities, but they fail to address a fundamental weakness: the lack of intra-kernel security that safely isolates different parts of the kernel. We survey kernel compartmentalization techniques that define and enforce intra-kernel boundaries and propose a taxonomy that allows the community to compare and discuss future work. We also identify factors that complicate comparisons among compartmentalized systems, suggest new ways to compare future approaches with existing work meaningfully, and discuss emerging research directions.
Related papers
- BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS [16.239598954752594]
Kernel compartmentalization is a promising approach that follows the least-privilege principle.
We present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique.
We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules.
arXiv Detail & Related papers (2024-09-15T04:11:26Z)
- A Survey of Unikernel Security: Insights and Trends from a Quantitative Analysis [0.0]
This research presents a quantitative methodology using TF-IDF to analyze the focus of security discussions within unikernel research literature.
Memory Protection Extensions and Data Execution Prevention were the least frequently occurring topics, while SGX was the most frequent topic.
arXiv Detail & Related papers (2024-06-04T00:51:12Z)
- Safe Multi-agent Learning via Trapping Regions [89.24858306636816]
We apply the concept of trapping regions, known from qualitative theory of dynamical systems, to create safety sets in the joint strategy space for decentralized learning.
We propose a binary partitioning algorithm for verification that candidate sets form trapping regions in systems with known learning dynamics, and a sampling algorithm for scenarios where learning dynamics are not known.
arXiv Detail & Related papers (2023-02-27T14:47:52Z)
- Multiple Kernel Clustering with Dual Noise Minimization [56.009011016367744]
Multiple kernel clustering (MKC) aims to group data by integrating complementary information from base kernels.
In this paper, we rigorously define dual noise and propose a novel parameter-free MKC algorithm by minimizing them.
We observe that dual noise will pollute the block diagonal structures and incur the degeneration of clustering performance, and C-noise exhibits stronger destruction than N-noise.
arXiv Detail & Related papers (2022-07-13T08:37:42Z)
- SOCKS: A Stochastic Optimal Control and Reachability Toolbox Using Kernel Methods [0.0]
SOCKS is a data-driven optimal control toolbox based on kernel methods.
We present the main features of SOCKS and demonstrate its capabilities on several benchmarks.
arXiv Detail & Related papers (2022-03-12T00:09:08Z)
- Meta-Learning Hypothesis Spaces for Sequential Decision-making [79.73213540203389]
We propose to meta-learn a kernel from offline data (Meta-KeL).
Under mild conditions, we guarantee that our estimated RKHS yields valid confidence sets.
We also empirically evaluate the effectiveness of our approach on a Bayesian optimization task.
arXiv Detail & Related papers (2022-02-01T17:46:51Z)
- Understanding of Kernels in CNN Models by Suppressing Irrelevant Visual Features in Images [55.60727570036073]
The lack of precisely interpreting kernels in convolutional neural networks (CNNs) is one main obstacle to wide applications of deep learning models in real scenarios.
A simple yet effective optimization method is proposed to interpret the activation of any kernel of interest in CNN models.
arXiv Detail & Related papers (2021-08-25T05:48:44Z)
- Entangled Kernels -- Beyond Separability [10.381276986079865]
We consider the problem of operator-valued kernel learning and investigate the possibility of going beyond the well-known separable kernels.
We propose a new view on operator-valued kernels and define a general family of kernels that encompasses previously known operator-valued kernels.
Within this framework, we introduce another novel class of operator-valued kernels called entangled kernels that are not separable.
arXiv Detail & Related papers (2021-01-14T09:18:02Z)
- Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
- Isolation Distributional Kernel: A New Tool for Point & Group Anomaly Detection [76.1522587605852]
Isolation Distributional Kernel (IDK) is a new way to measure the similarity between two distributions.
We demonstrate IDK's efficacy and efficiency as a new tool for kernel-based anomaly detection for both point and group anomalies.
arXiv Detail & Related papers (2020-09-24T12:25:43Z)
- Towards automated kernel selection in machine learning systems: A SYCL case study [0.0]
We present initial results using machine learning to select kernels in a case study deploying high performance SYCL kernels in libraries.
By combining auto-tuning and machine learning these kernel selection processes can be deployed with little developer effort to achieve high performance on new hardware.
arXiv Detail & Related papers (2020-03-15T11:23:36Z)