Add report on the nested kernel project

Approved by: hrs (mentor, implicit)
svn path=/head/; revision=46554
2015-04-15 03:47:10 +00:00 · 2015-04-15 03:47:10 +00:00 · edae37d14f · 2020-12-08 03:00:23 +00:00
commit edae37d14f
parent 1b22bc5abe
1 changed files with 160 additions and 0 deletions
--- a/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml
+++ b/en_US.ISO8859-1/htdocs/news/status/report-2015-01-2015-03.xml
@ -1851,4 +1851,164 @@ WITHOUT_FORTH=y</pre>

    <sponsor>The &os; Foundation</sponsor>
  </project>
+
+  <project cat='arch'>
+    <title>Nested Kernel</title>
+
+    <contact>
+      <person>
+	<name>
+	  <given>Nathan</given>
+	  <common>Dautenhahn</common>
+	</name>
+	<email>dautenh1@illinois.edu</email>
+      </person>
+
+      <person>
+	<name>
+	  <given>Theodoros</given>
+	  <common>Kasampalis</common>
+	</name>
+	<email>kasampa2@illinois.edu</email>
+      </person>
+
+      <person>
+	<name>
+	  <given>Will</given>
+	  <common>Dietz</common>
+	</name>
+	<email>wdietz2@illinois.edu</email>
+      </person>
+    </contact>
+
+    <links>
+      <url href="nestedkernel.org">Home page for the project that includes links to papers and build instructions.</url>
+      <url href="http://web.engr.illinois.edu/~dautenh1//downloads/publications/asplos200-dautenhahn.pdf">Conference publication detailing the problem, design, implementation, and evaluation of our prototype.</url>
+      <url href="http://prezi.com/in6qr3l92ffc/?utm_campaign=share&amp;utm_medium=copy">Presentation on the nested kernel</url>
+      <url href="https://github.com/HardenedBSD/hardenedBSD/tree/hardened/9/kernsep">HardenedBSD branch of the nested kernel being refactored.</url>
+    </links>
+
+    <body>
+      <p>This work on a nested kernel architecture is part of
+	Nathan's doctoral thesis work at the University of Illinois at
+	Urbana-Champaign.  It attempts to improve upon the traditional
+	monolithic operating sytsem kernel, where a single exploit
+	anywhere in the kernel grants the attacker full superuser
+	privileges.  The nested kernel operating system architecture
+	addresses this problem by "nesting" a small, isolated kernel
+	within a traditional monolithic kernel.  This "nested kernel"
+	interposes on all updates to virtual memory translations to
+	assert protections on physical memory, thus significantly
+	reducing the trusted computing base for memory access control
+	enforcement.  We incorporated the nested kernel
+	architecture into &os; on x86-64 hardware by write-protecting
+	Memory-Management Unit (MMU) translations and de-privileging the
+	untrusted part of the kernel, thereby enabling the entire
+	operating system, trusted and untrusted components alike, to
+	operate at the highest hardware privilege level.  Our
+	implementation inherently enforces kernel code integrity while
+	still allowing dynamically loaded kernel modules, thus defending
+	against code injection attacks.  We also demonstrate, by
+	introducing write-mediation and write-logging services, that the
+	nested kernel architecture allows kernel developers to isolate
+	memory in ways not possible in monolithic kernels.  The
+	performance of the nested kernel prototype shows modest
+	overheads: less than 1% average for Apache, 3.7% average for
+	sshd, and 2.7% average for kernel compilation.  Overall, our
+	results and experience show that the nested kernel design can be
+	retrofitted onto existing monolithic kernels, providing defense
+	in depth.</p>
+
+      <p>The basic idea is that the nested kernel initializes the
+	system so that all page tables are mapped as read-only.  Then
+	all MMU-modifying operations are removed from the untrusted
+	portion of the kernel; runtime code integrity is enforced by
+	write-protecting all code pages, marking all non-code
+	pages as non-executable (NX-bit), and preventing execution of
+	privileged MMU operations located in userspace mappings
+	(Supervisor Mode Execution Prevention, SMEP).  Because the
+	nested kernel has control of the page tables it can enforce
+	these integrity properties leading to virtualization of the
+	MMU.</p>
+
+      <p>The links include a recent conference publication that
+	details the design, implementation, and evaluation of our
+	prototype nested kernel architecture on top of &os; 9.0.  We are
+	also bringing up a site with instructions on how to get the
+	source and build the project.  There is also a link to a
+	presentation on the nested kernel.</p>
+
+      <p>We are very interested in feedback on the design of the
+	nested kernel, and having discussions about how it might get
+	upstreamed.  This is our first time contributing to an open
+	source project, so even simple advice is likely to be useful.</p>
+
+      <p>We are also hoping to gain additional contributors and
+	interest in the project!  The nested kernel has the potential to
+	enhance commodity operating system design, and &os; is a major
+	operating system in use today which has high impact.  The source
+	code of our research prototype as evaluated for the paper are in
+	the process of being made available &mdash; the website and code
+	are almost ready but may take another week to complete.
+	However, the implementation is merely a research prototype and
+	requires significant effort to make production-ready (see the
+	list of tasks).  Some of this work is underway during
+	refactoring for an implementation in the <a
+	href="https://www.freebsdfoundation.org/journal/articles">HardenedBSD
+	project</a>, which is a much cleaner version of the core system
+	and is integrated into the &os; build system, but is only about
+	50% completed.</p>
+
+      <p>Finally, we have developed an interface to write-protect
+	data structures in the kernel and are soliciting ideas for uses
+	of this service.  Section 2.4 in the paper details the
+	interface, and section 4 presents some simple uses of the nested
+	kernel services.  We are interested in ways that the nested
+	kernel could be used to protect critical kernel data structures
+	from malware or even just buggy code.</p>
+    </body>
+
+    <sponsor>University of Illinois at Urbana-Champaign</sponsor>
+    <sponsor>ONR via grant number N00014-12-1-0552</sponsor>
+
+    <help>
+      <task>
+	<p>Finish implementing core mechanisms: verify DMAP is
+	  properly protected and that we are not using superpages (I think
+	  we have this completed but need to fully verify), full NX
+	  support for all non-kernel code pages (we might need to
+	  specially consider the stack if it is used to execute code),
+	  protect IDT and SMM, and add IOMMU protections.  We also need to
+	  do some optimizations where we batch calls into the nested
+	  kernel on process creation (FORK) and mmap operations.  The
+	  motivation for these implementation directives can be reviewed
+	  in the paper.</p>
+      </task>
+
+      <task>
+	<p>Implement SMP functionality and evaluate performance.</p>
+      </task>
+
+      <task>
+	<p>Port and refactor for a newer version of &os;.  The
+	  current implementation is a research prototype and requires some
+	  refactoring to make it clean and consistent, as well as make it
+	  relevant to modern versions of &os;.</p>
+      </task>
+
+      <task>
+	<p>The nested kernel isolation depends upon certain
+	  hardware instructions to be completely removed from a subset of
+	  the kernel.  Therefore, we need to utilize automated linker/loader
+	  techniques to identify and remove privileged MMU operations from
+	  untrusted kernel components to make it maintainable in
+	  practice.</p>
+      </task>
+
+      <task>
+	<p>Detailed review on the design and implementation with
+	  particular focus on a plan for upstreaming.</p>
+      </task>
+    </help>
+  </project>
 </report>