Systems software such as Operating Systems (OS) or hypervisors are a cornerstone of modern computer systems' security: they aim to protect and isolate user applications, while being themselves resilient against various types of attacks. In this talk I will present a set of contributions exploring the use of multi-ISA systems as well as emerging isolation technologies for systems software security. In the first part of the talk, I will present HeterSec, a framework that secures applications by executing them on top of multi-ISA systems composed of commodity servers. Next, I will present LibHermitMPK, a unikernel (library OS) written in Rust and leveraging the Memory Protection Keys (MPK) technology to provide isolation between user and kernel space, as well as between safe and unsafe kernel components. Finally, I will talk about ongoing work regarding the development of FlexOS, a flexible and modular OS design whose compartmentalization and protection profile can easily and cost-efficiently be tailored towards a specific application or use-case at build time, rather than at design time as is the case for traditional OSes.
Information protection has been a challenge since the inception of computing. Modern environments prioritize functionality over security, resulting in promiscuous monolithic runtimes that allow access to more information than necessary. As a result, we continue to see attacks from the low level (e.g. control-flow hijack) to the high level (e.g. privilege escalation, information leakage, confused deputies). Least-authority compartmentalization is the standard solution; however, most techniques are single purpose, hard to use, and inefficient.
In this talk, I describe the Nested Kernel architecture, a general purpose operating system organization and methodology that nests an efficient, tamper-proof security monitor directly into monolithic runtimes. The Nested Kernel is then used to provide data protection and separation services for decomposing and securing elements inside the system. One of the core insights is to virtualize privilege using self-protection techniques. Similar to but much smaller than a microkernel, a nested kernel provides isolation within single-address space environments for the sake of performance, ease of integration, and programmable protection. Although similar to an Exokernel, the Nested Kernel is a specialized kernel that limits access by virtualizing a thin interface so that protection can be enforced on that runtime itself, rather than safely exporting its use.
The Nested Kernel has been implemented in many prototypes, demonstrating efficient and portable protection in diverse system software (Xen, FreeBSD, Linux, Android, UNIX Processes) while using commodity and custom hardware (ARM-PT, ARM-TZ, ARM-NPT, x86-64, VT-x, SFI, VMFUNC, and MPK), and even influenced the design of custom Apple hardware. Nested Kernel prototypes demonstrate that it is possible to retrofit security into existing and popular systems with programmable, powerful, and incrementally deployable intra-space protection services, providing the foundation for future work in securing our systems. I conclude by sketching a path forward for a "micro-evolution" of monolithic systems.