OS kernel security

Operating systems play a central role in securing most of today's systems. In particular, cloud services often rely on the OS to enforce isolation between tenants. For instance, containers are increasingly used in PaaS clouds, and tenant isolation therefore hinges on the trustworthiness of the OS kernel.

We explore novel mechanisms that improve the security of the OS kernel in a practical and efficient way. Examples of such techniques include kernel attack surface reduction, kernel hardening, as well as static and dynamic analysis techniques to find vulnerabilities in OS kernels.

Compile-time kernel tailoring is a kernel protection technique that aims to reduce the attack surface. We show that it is possible to automatically generate a set of kernel configuration options for a given workload (via kernel tracing), and that the resulting kernel can be shown to provide a smaller attack surface.

Further details can be found in our HotDep'12 and NDSS'13 papers.
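The tailoring idea can be sketched as follows. This is an added example, not code from the papers or the project: it maps source files observed in a kernel trace to the CONFIG_ options that gate them in Kbuild Makefiles, then lists the baseline options the workload never needed. The function names, Makefile excerpts, trace list and baseline set are assumptions constructed for illustration, and Kconfig dependency resolution is deliberately left out.

```python
import re
from pathlib import PurePosixPath

OBJ_RE = re.compile(r"^obj-\$\((CONFIG_\w+)\)\s*[+:]?=\s*(.+)$")
PARTS_RE = re.compile(r"^([\w-]+)-(?:y|objs)\s*[+:]?=\s*(.+)$")

def options_by_object(makefile_text):
    """Map each object in one Kbuild Makefile to the CONFIG_ option gating it."""
    gate, parts = {}, {}
    for line in makefile_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if m := OBJ_RE.match(line):
            for obj in m.group(2).split():
                gate[obj] = m.group(1)
        elif m := PARTS_RE.match(line):
            parts.setdefault(m.group(1) + ".o", []).extend(m.group(2).split())
    # Members of a composite object (ext4.o) inherit the composite's option.
    for composite, members in parts.items():
        if composite in gate:
            for obj in members:
                gate.setdefault(obj, gate[composite])
    return gate

def tailor(traced_files, makefiles, baseline):
    """Return (needed, dropped): options the trace requires, and baseline
    options no traced file depends on. Simplification: Kconfig dependencies
    and always-built (obj-y) code are not modelled."""
    needed = set()
    for src in traced_files:
        path = PurePosixPath(src)
        gate = options_by_object(makefiles.get(str(path.parent), ""))
        option = gate.get(path.stem + ".o")
        if option:
            needed.add(option)
    return needed, set(baseline) - needed

# Constructed sample input: Makefile excerpts keyed by directory, the source
# files a workload trace resolved to, and a distribution-style baseline.
MAKEFILES = {
    "fs/ext4": "obj-$(CONFIG_EXT4_FS) += ext4.o\next4-y := inode.o super.o\n",
    "net/ipv4": "obj-$(CONFIG_INET_DIAG) += inet_diag.o\n"
                "obj-$(CONFIG_NET_IPIP) += ipip.o\n",
    "drivers/net": "obj-$(CONFIG_TUN) += tun.o\nobj-$(CONFIG_VETH) += veth.o\n",
}
TRACED = ["fs/ext4/inode.c", "drivers/net/veth.c", "kernel/fork.c"]
BASELINE = {"CONFIG_EXT4_FS", "CONFIG_INET_DIAG", "CONFIG_NET_IPIP",
            "CONFIG_TUN", "CONFIG_VETH"}

if __name__ == "__main__":
    needed, dropped = tailor(TRACED, MAKEFILES, BASELINE)
    print("keep:", sorted(needed))
    print("drop:", sorted(dropped))
```

The dropped set is the code the tailored kernel no longer compiles in, which is where the attack surface reduction comes from.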
