Protection in commodity monolithic operating systems
Dautenhahn, Nathan D
Permalink
https://hdl.handle.net/2142/92699
Description
- Title
- Protection in commodity monolithic operating systems
- Author(s)
- Dautenhahn, Nathan D
- Issue Date
- 2016-05-16
- Director of Research (if dissertation) or Advisor (if thesis)
- Adve, Vikram
- Doctoral Committee Chair(s)
- Adve, Vikram
- Committee Member(s)
- Nahrstedt, Klara
- Gunter, Carl A.
- Bugnion, Edouard
- King, Samuel T.
- Department of Study
- Computer Science
- Discipline
- Computer Science
- Degree Granting Institution
- University of Illinois at Urbana-Champaign
- Degree Name
- Ph.D.
- Degree Level
- Dissertation
- Keyword(s)
- intra-kernel isolation
- operating system architecture
- malicious operating systems
- virtual memory
- nested kernel
- security kernel
- security monitor
- Abstract
- This dissertation suggests and partially demonstrates that it is feasible to retrofit real privilege separation within commodity operating systems by "nesting" a small memory management protection domain inside a monolithic kernel's single-address space: all the while allowing both domains to operate at the same hardware privilege level. This dissertation also demonstrates a microarchitectural return-integrity protection domain that efficiently asserts dynamic "return-to-sender" semantics for all operating system return control-flow operations. Employing these protection domains, we provide mitigations to large classes of kernel attacks such as code injection and return-oriented programming and deploy information protection policies that are not feasible with existing systems. Operating systems form the foundation of information protection in multiprogramming environments. Unfortunately, today's commodity operating systems employ monolithic kernel design, where any single exploit in the vast code base undermines all information protection in the system because all kernel code operates with full supervisor privileges, meaning that even perfectly secure applications are vulnerable. This dissertation explores an approach that retrofits fundamental information protection design principles into commodity monolithic operating systems, the aim of which is a micro-evolution of commodity system design that incrementally decomposes monolithic operating systems from the ground up, thereby applying microkernel-like security properties for billions of users worldwide. The key contribution is the creation of a new operating system organization, the Nested Kernel Architecture, which "nests" a new, efficient intra-kernel memory isolation mechanism into a traditional monolithic operating system design. Using the Nested Kernel Architecture we introduce write-protection services for kernel developers to deploy security policies in ways not possible in current systems—while greatly reducing the trusted computing base—and demonstrate the value of these services by deploying three special data protection policies. Overall, the Nested Kernel Architecture demonstrates practical in-place protections that require only minor code modifications with minimal run-time overheads.
- Graduation Semester
- 2016-08
- Type of Resource
- text
- Permalink
- http://hdl.handle.net/2142/92699
- Copyright and License Information
- Copyright 2016 by Nathan Daniel Dautenhahn. All rights reserved.
Owning Collections
- Dissertations and Theses - Computer Science
- Dissertations and Theses from the Dept. of Computer Science
- Graduate Dissertations and Theses at Illinois (PRIMARY)
- Graduate Theses and Dissertations at Illinois