OS kernel security

Operating systems play a central role in securing most of today's systems. In particular, cloud services often rely on the OS to enforce isolation between tenants. For instance, containers are increasingly used in PaaS clouds, and tenant isolation therefore hinges on the trustworthiness of the OS kernel.

We explore novel mechanisms that improve the security of the OS kernel in a practical and efficient way. Examples of such techniques include kernel attack surface reduction, kernel hardening, as well as static and dynamic analysis techniques to find vulnerabilities in OS kernels.

Run-time kernel trimming also aims to reduce the attack surface but at a finer granularity and without requiring the kernel to be recompiled. Selectively instrumenting kernel functions also incurs minimal performance overhead.

Evaluation results show that the attack surface can be reduced significantly more than via tailoring.

Further details can be found in our Eurosec'11 and DIMVA'14 papers.
