Journal of Software, 2016, 27(5): 1309-1324

Method to Efficiently Protect Applications from Untrusted OS Kernel
DENG Liang, ZENG Qing-Kai
(State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China; Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China)
Received: June 29, 2015; Revised: September 23, 2015
Abstract: In a commodity OS, the kernel runs in the highest privilege layer, manages hardware resources, and provides system services to applications. Security-sensitive applications are therefore vulnerable to compromise by the underlying untrusted kernel. This paper proposes an approach named AppFort to protect applications from an untrusted OS kernel. To address the high overhead of existing solutions, AppFort combines an x86 hardware feature (operand address size), kernel code integrity protection, and kernel control flow integrity protection to intercept and verify both the hardware and software operations of the untrusted kernel. As a result, AppFort efficiently protects an application's memory, control flow, and file I/O, even if the kernel is fully compromised. Experimental results demonstrate that AppFort incurs only very small overhead and clearly improves performance over previous work.
Foundation items: National Natural Science Foundation of China (61170070, 61572248, 61431008, 61321491); National Key Technology R&D Program of China (2012BAK26B01); Program B for Outstanding Ph.D. Candidate of Nanjing University of China (2015)
DENG Liang, ZENG Qing-Kai. Method to Efficiently Protect Applications from Untrusted OS Kernel. Journal of Software, 2016, 27(5): 1309-1324