Attack surface reduction for commodity OS kernels: Trimmed garden plants may attract less bugs

Abstract

Kernel vulnerabilities are a major current practical security problem, as attested by the weaknesses and flaws found in many commodity operating system kernels in recent years. Ever-growing code size in those projects, due to the addition of new features and the reluctance to remove legacy support, indicate that this problem will remain a severe system security threat in the foreseeable future. Reactive measures such as bug fixes via code reviews and testing, while effective, can only alleviate the issue. Furthermore, common practices in system hardening often focus on complex and sometimes hard to achieve goals that require extensive manual intervention such as security policies for sandboxing. In this paper, we explore an alternative, automated and effective way of reducing the attack surface in commodity operating system kernels, which we call trimming. Trimming is a two-fold process: an initial analysis of a given system for unused kernel code sections is followed by an enforcement phase, in which the unused sections are removed or prevented from being executed. We discuss the requirements that should be reflected in the design of a trimming infrastructure, and present a lightweight and flexible implementation example for the Linux kernel by using dynamic binary instrumentation as provided by kprobes. Our evaluations show we can, in the case of a web server, reduce the attack surface of the kernel (in terms of the number of kernel functions accessible from unprivileged users) by about 88%. Copyright © 2011 ACM.