SILVER: Fine-grained and transparent protection domain primitives in commodity OS kernel

Xi Xiong, Peng Liu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Scopus citations

Abstract

Untrusted kernel extensions remain one of the major threats to the security of commodity OS kernels. Current containment approaches still have limitations in terms of security, granularity and flexibility, primarily due to the absence of secure resource management and communication methods. This paper presents SILVER, a framework that offers transparent protection domain primitives to achieve fine-grained access control and secure communication between OS kernel and extensions. SILVER keeps track of security properties (e.g., owner principal and integrity level) of data objects in kernel space with a novel security-aware memory management scheme, which enables fine-grained access control in an effective manner. Moreover, SILVER introduces secure primitives for data communication between protection domains based on a unified integrity model. SILVER's protection domain primitives provide great flexibility by allowing developers to explicitly define security properties of individual program data, as well as control privilege delegation, data transfer and service exportation. We have implemented a prototype of SILVER in Linux. The evaluation results reveal that SILVER is effective against various kinds of kernel threats with a reasonable performance and resource overhead.

Original languageEnglish (US)
Title of host publicationResearch in Attacks, Intrusions, and Defenses - 16th International Symposium, RAID 2013, Proceedings
Pages103-122
Number of pages20
DOIs
StatePublished - Dec 2 2013
Event16th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2013 - Rodney Bay, Saint Lucia
Duration: Oct 23 2013Oct 25 2013

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume8145 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other16th International Symposium on Research in Attacks, Intrusions, and Defenses, RAID 2013
CountrySaint Lucia
CityRodney Bay
Period10/23/1310/25/13

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint Dive into the research topics of 'SILVER: Fine-grained and transparent protection domain primitives in commodity OS kernel'. Together they form a unique fingerprint.

Cite this