OS kernel security

Operating systems play a central role in securing most of today's systems. In particular, cloud services often rely on the OS to enforce isolation between tenants. For instance, containers are increasingly used in PaaS clouds, and tenant isolation is therefore hinged on the trustworthiness of the OS kernel.

We explore novel mechanisms that improve the security of the OS kernel in a practical and efficient way. Examples of such techniques include kernel attack surface reduction, kernel hardening, as well as static and dynamic analysis techniques to find vulnerabilities in OS kernels.

Conventional wisdom dictates that general purpose commodity OS kernels such as Linux offer a very large attack surface, and that it is necessary to reduce it in order to improve kernel security.

We argue, however, that what the kernel attack surface is, and how it can be quantified, is often ill-defined. In our opinion, this hinders the development of attack surface reduction mechanisms: without an objective way of comparing their effectiveness, it is not possible to improve on existing mechanisms. We fill this gap in our NDSS 2013 paper.

For a given set of assumptions on the operation of the kernel and on the attacker's interaction with the kernel (e.g., the attacker controls an unprivileged process), we formally define what the attack surface represents. In turn, we use this to derive attack surface metrics that are used to measure and compare attack surfaces.

We perform attack surface measurements not only on current distribution kernels, but also on kernels with the kernel attack surface reduction mechanisms we have developed.
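As an added illustration (not code from this page or from the NDSS 2013 paper), the following Python models the idea on a constructed toy call graph: the attack surface is the set of kernel functions reachable from the entry points a given attacker can invoke, and a metric is derived by weighting that set with a constructed source-line count. The function names, line counts, the two attacker models and the "compiled-out" driver are all assumptions made for the example.

```python
from collections import deque

# Constructed toy kernel call graph: function -> (SLOC weight, callees).
# Names only resemble Linux ones; values are made up for this example.
KERNEL = {
    "sys_read":         (20,  ["vfs_read"]),
    "sys_write":        (20,  ["vfs_write"]),
    "sys_ioctl":        (30,  ["vfs_ioctl"]),
    "sys_reboot":       (40,  ["kernel_restart"]),
    "sys_finit_module": (60,  ["load_module"]),
    "vfs_read":         (100, ["security_file_permission"]),
    "vfs_write":        (100, ["security_file_permission"]),
    "vfs_ioctl":        (50,  ["drm_ioctl"]),
    "security_file_permission": (10, []),
    "drm_ioctl":        (400, ["drm_mode_setcrtc"]),
    "drm_mode_setcrtc": (300, []),
    "kernel_restart":   (80,  []),
    "load_module":      (700, ["mod_sysfs_setup"]),
    "mod_sysfs_setup":  (120, []),
}

# Assumed attacker models: the entry points each attacker can invoke.
ENTRY_POINTS = {
    "unprivileged_process": ["sys_read", "sys_write", "sys_ioctl"],
    "root_process": ["sys_read", "sys_write", "sys_ioctl",
                     "sys_reboot", "sys_finit_module"],
}

def reachable(kernel, entries, removed=frozenset()):
    """Functions reachable from `entries`; `removed` ones count as absent."""
    seen, todo = set(), deque(e for e in entries if e not in removed)
    while todo:
        fn = todo.popleft()
        if fn in seen or fn in removed:
            continue
        seen.add(fn)
        todo.extend(kernel[fn][1])
    return seen

def attack_surface(kernel, attacker, removed=frozenset()):
    """Illustrative metric: total SLOC of kernel code the attacker can reach."""
    return sum(kernel[fn][0]
               for fn in reachable(kernel, ENTRY_POINTS[attacker], removed))

if __name__ == "__main__":
    for attacker in ENTRY_POINTS:
        print(attacker, attack_surface(KERNEL, attacker))
    # Attack surface reduction: compile out a driver the tenant never uses.
    print("unprivileged, drm compiled out",
          attack_surface(KERNEL, "unprivileged_process",
                         removed={"drm_ioctl", "drm_mode_setcrtc"}))
```

The same kernel yields a different attack surface under each attacker model, and removing the unused driver measurably shrinks the unprivileged one, which is what makes two reduction mechanisms comparable.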

Figure: an example of OS kernel attack surface measurements.