Similar Documents
Found 18 similar documents (search took 140 ms)
1.
邓良 (Deng Liang), 曾庆凯 (Zeng Qingkai). 软件学报 (Journal of Software), 2016, 27(5): 1309-1324
In modern operating systems the kernel runs at the highest privilege level, managing the underlying hardware and providing system services to the applications above it, so security-sensitive applications are easily attacked by an untrusted kernel beneath them. This paper proposes AppFort, a method for protecting applications inside an untrusted operating system kernel. To address the high overhead of existing methods, AppFort combines an x86 hardware mechanism (operand address size), kernel code integrity protection and kernel control-flow integrity protection to intercept and verify the untrusted kernel's hardware operations and software behaviour, thereby efficiently guaranteeing the memory, control-flow and file I/O security of applications. Experimental results show that AppFort's overhead is very small and that its performance is markedly better than existing work.

2.
陈志锋 (Chen Zhifeng), 李清宝 (Li Qingbao), 张平 (Zhang Ping), 丁文博 (Ding Wenbo). 软件学报 (Journal of Software), 2016, 27(12): 3172-3191
Kernel malware poses a serious threat to operating system security. Existing kernel malware detection methods mainly work from the code perspective and cannot detect code-reuse or code-obfuscation attacks, and the few methods that detect data-tampering attacks have limited detection ability because their invariant features are limited. To address these problems, this paper proposes a kernel malware detection method based on data characteristics. By analysing how kernel data objects are accessed while the kernel runs, a kernel data object access model is built; then, based on this model, the construction of data characteristics is discussed: kernel data objects are identified by combining dynamic monitoring with static analysis, and memory access operations are monitored through EPT (extended page tables) to build the data characteristics; finally, a kernel malware detection algorithm based on these data characteristics is discussed. On this basis, a prototype kernel malware detection system, MDS-DCB, is implemented, and its effectiveness and performance are evaluated experimentally. The results show that MDS-DCB detects kernel malware effectively, with performance overhead within an acceptable range.

3.
Shared-memory operating systems use carefully designed locks to protect various shared data; access to such data must first acquire the corresponding lock, and when several flows in the kernel (system calls, kernel threads, interrupt handlers, etc.) try to acquire the same lock at the same time, contention arises, and the more flows involved, the fiercer the contention. As the number of processing units in a system grows, the number of these flows keeps increasing, and lock contention then affects overall system performance and can even become the bottleneck. On the other hand, the operating system and applications run alternately on the same processor core, and because hardware cache capacity is limited, the operating system's code and data frequently evict the application's code and data. When the application is scheduled to run again, it must fetch that code and data from a slower cache level or even from memory, which lowers performance. Tests on a 16-core AMD node quantify and confirm these problems, and a heterogeneous operating system model is proposed to address them. In this model, applications and the operating system run on different processor cores; experiments show that this arrangement effectively reduces lock contention and cache pollution.

4.
Protecting an application's critical data (such as encryption keys and private user information) has long been an important problem. The operating system's huge trusted computing base inevitably contains many vulnerabilities, which attackers exploit to threaten the application's critical data. Virtualization technology helps to some extent: under virtualization the virtual machine monitor actually manages physical memory and can protect applications by intercepting the virtual machine's critical operations, while hardware memory encryption can prevent plaintext data in an application's memory from leaking at run time. Based on virtualization technology and AMD's hardware memory encryption mechanism, this paper proposes an efficient scheme for protecting critical data: through application decoupling, the critical data and code are separated from the remaining ordinary data and code and run in an isolated secure environment, thereby protecting the critical data. Tests show that the software-induced system performance overhead is below 1%, the overhead on the critical part is below 6%, and the latency of common applications is within an acceptable range. The system successfully protects critical application data such as private keys from being read by a malicious operating system and from physical attacks such as bus snooping and cold boot.

5.
Asynchronous procedure calls (APCs) are an important working mechanism of the Windows 2000 operating system; APCs implement calls between kernel-mode drivers and user-mode programs, and the system's I/O manager and memory manager components use the APC mechanism frequently. APCs are also an important technique in the design of kernel-mode drivers, especially file system drivers, which are closely tied to user-mode applications. This paper analyses the concept, definition, characteristics and usage of APCs, and is of reference value to both application and driver developers.

6.
The fundamental reason modern computer systems are powerless against malicious programs that steal or destroy information is that the system forcibly exercises the user's right of control over information in the user's place, yet cannot faithfully carry out the user's intentions. To address this, an explicit authorization mechanism is proposed, a precise definition of information-stealing and information-destroying malicious programs is given, and it is proved that a computer based on the explicit authorization mechanism can resist stealing and destruction attacks by malicious programs reliably and in real time; two trusted secure computer systems based on this mechanism are then presented. The first integrates the explicit authorization mechanism directly into the operating system; it can reliably resist, in real time, information attacks from arbitrary malicious programs and from applications with hidden malicious intent, while retaining good hardware and software compatibility with existing computer systems. The second makes small changes to existing computer hardware architecture and operating systems but has stronger attack resistance, and can reliably prevent, in real time, destruction attacks launched by a malicious operating system itself.

7.
An important way cloud computing aggregates resources is to consolidate applications of different users and with different characteristics so that they are deployed together and run simultaneously. By comparison, the garbage collector of a user-space application is better targeted at the memory management of an individual service, while the operating system is better at allocating memory resources as a whole. Existing kernel mechanisms can only guarantee that a service performs garbage collection passively when global memory usage or the process group's memory usage reaches its limit. Combining the process control group (cgroup) mechanism in the Linux kernel with the eventfd event notification mechanism, a simple and efficient kernel support mechanism for application-cooperative grouped memory management is designed and implemented. By adding this application-cooperative memory management mechanism to the kernel, the system's ability to support applications in managing their own memory is further increased. Experiments show that the new mechanism brings no noticeable performance impact to the original operating system.

9.
In embedded development, programmers generally use kmalloc() or malloc() to allocate memory dynamically, but dynamic allocation is unpredictable and unreliable. After the operating system has run for a while, memory becomes heavily fragmented, and programmers have to spend a lot of code probing for the largest space the operating system can allocate, i.e., the smallest space the program can obtain; such probing may well fail, especially when a large, contiguous physical region is needed. Once allocation fails, the program has to be suspended to wait, which hurts overall system performance. Inspired by the idea of memory segmentation, the author separates a region of memory from the operating system; this region is not completely detached from the operating system, but the kernel cannot use it. A kernel module is then developed through which programmers control this region from user space. Separating the operating system's own allocation from the programmer's allocation not only benefits the stability of the operating system itself but also makes the resulting programs easier to debug and predict.

10.
居锦武 (Ju Jinwu), 王兰英 (Wang Lanying). 微机发展 (Microcomputer Development), 2008, 18(5): 191-193
Asynchronous procedure calls (APCs) are an important working mechanism of the Windows 2000 operating system; APCs implement calls between kernel-mode drivers and user-mode programs, and the system's I/O manager and memory manager components use the APC mechanism frequently. APCs are also an important technique in the design of kernel-mode drivers, especially file system drivers, which are closely tied to user-mode applications. This paper analyses the concept, definition, characteristics and usage of APCs, and is of reference value to both application and driver developers.

11.
Traditional software Distributed Shared Memory (DSM) systems rely on the virtual memory management mechanisms to detect accesses to shared memory locations and maintain their consistency. The resulting involvement of the OS kernel, and the significant overhead associated with it, can be avoided by careful compile-time analysis and code instrumentation. In this paper, we propose such a Compiler Assisted Software support approach (CAS-DSM). In the CAS-DSM implementation, the involvement of the OS kernel is avoided by instrumenting the application code at the source level. The overhead caused by the execution of the instrumented code is reduced through several aggressive compile-time optimizations. Finally, we also address the issue of reducing certain overheads in polling-based implementations of receiving asynchronous messages. We used SUIF, a public domain compiler tool, to implement compile-time analysis, instrumentation and optimizations. We modified CVM, a publicly available software DSM, to support the instrumentation inserted by the compiler. Detailed performance evaluation of CAS-DSM is reported using a set of Splash/Splash2 parallel application benchmarks on a distributed memory IBM SP-2 machine. CAS-DSM achieved moderate to good performance improvements for most of the applications compared to the original CVM implementation. Reducing the overheads in the polling-based implementation improves the performance of CAS-DSM significantly, resulting in an overall improvement of 12–52% over the original CVM implementation.

12.
Virtualization technology has been widely adopted in Internet hosting centers and cloud-based computing services, since it reduces the total cost of ownership by sharing hardware resources among virtual machines (VMs). In a virtualized system, a virtual machine monitor (VMM) is responsible for allocating physical resources such as CPU and memory to individual VMs. Whereas CPU and I/O devices can be shared among VMs in a time-sharing manner, main memory is not amenable to such multiplexing. Moreover, it is often the primary bottleneck in achieving higher degrees of consolidation. In this paper, we present VMMB (Virtual Machine Memory Balancer), a novel mechanism to dynamically monitor the memory demand and periodically re-balance the memory among the VMs. VMMB accurately measures the memory demand with low overhead and effectively allocates memory based on the memory demand and the QoS requirement of each VM. It is applicable even to guest OSs whose source code is not available, since VMMB does not require modifying the guest kernel. We implemented our mechanism on Linux and experimented on synthetic and realistic workloads. Our experiments show that VMMB can improve the performance of VMs that suffer from insufficient memory allocation by up to 3.6 times, with low performance overhead (below 1%) for monitoring memory demand.

13.
Loadable kernel modules (LKMs) that contain vulnerabilities are a big threat to modern operating systems (OSs). The primary reason is that there is no protection mechanism inside the kernel space when the LKM is executed. As a result, kernel module exploitation can seriously affect OS kernel security. Although many protection systems have been developed to address this problem in the past few years, some challenges remain: (1) how to automatically generate a security policy before enforcement of the kernel module begins, and (2) how to properly mediate the interactions between the kernel module and the OS kernel without modifying the existing OS, hardware, or kernel module structure. To address these challenges, we present LKM guard (LKMG), a policy-centric system that can protect a commodity OS kernel from vulnerable LKMs. Compared with previous systems, LKMG is able to generate a security policy from a kernel module and then enforce the policy at run time. Generally, the working process of LKMG can be divided into two stages. First, we utilize static analysis to extract the kernel code and data access patterns from a kernel module's source code and then combine these patterns with the related memory address information to generate a security policy. Second, by leveraging hardware-assisted virtualization technology, LKMG isolates the kernel module from the rest of the kernel and then forces the kernel module's execution to obey the derived policy. The experiments show that our system can effectively defend against various attacks launched by a compromised kernel module with moderate performance cost.

14.
Cherub is an on-demand virtualization mechanism aiming to provide fine-grained application protection in untrusted environments. By leveraging late launch technology, Cherub dynamically inserts a lightweight virtual machine monitor (VMM) under a commodity operating system (OS) when critical pieces of an application's code or data are to be processed. The novel design of Cherub, with a double-shadowed page table, extends VMM-level memory protection into the application level, such that it can isolate selected memory pages of a target process from the rest of that process and from other processes in the same OS environment. With this, Cherub enables fine-grained memory access control and therefore flexible security objectives. Compared to existing approaches, Cherub has the benefits of small code size, low performance overhead, no change to existing applications or the commodity OS, and selective protection capability within a single application's address space. We implement Cherub in Linux, and our analysis and evaluation demonstrate its effectiveness and practicality.

15.
EMERALDS (Extensible Microkernel for Embedded, ReAL-time, Distributed Systems) is a real-time microkernel designed for small-memory embedded applications. These applications must run on slow (15-25 MHz) processors with just 32-128 kbytes of memory, either to keep production costs down in mass-produced systems or to keep weight and power consumption low. To be feasible for such applications, the OS must not only be small in size (less than 20 kbytes), but also have low-overhead kernel services. Unlike commercial embedded OSs, which rely on carefully optimized code to achieve efficiency, EMERALDS takes the approach of redesigning the basic OS services of task scheduling, synchronization, communication, and the system call mechanism by exploiting characteristics found in small-memory embedded systems, such as small code size and a priori knowledge of task execution and communication patterns. With these new schemes, the overheads of various OS services are reduced by 20-40 percent without compromising any OS functionality.

16.
A traffic analysis method based on the Linux kernel   Total citations: 1, self-citations: 0, citations by others: 1
By analysing the packet processing flow of the Linux operating system, a traffic analysis method based on the Linux kernel is proposed, and a Linux-kernel-based traffic analysis module, KTAM, is implemented using it. Analysis shows that KTAM reduces overheads such as system calls and memory copies and improves traffic analysis performance, with capacity nearly 50% higher than Libpcap-based tools.

17.
李明煜 (Li Mingyu), 夏虞斌 (Xia Yubin), 陈海波 (Chen Haibo). 软件学报 (Journal of Software), 2022, 33(6): 2012-2029
A trusted execution environment (TEE) is an architectural solution for privacy-preserving computing scenarios that provides confidentiality and integrity protection for privacy-related data and code, and in recent years it has become a research hotspot in machine learning privacy protection, encrypted databases, blockchain security and other fields. This paper mainly discusses the performance of systems protected by new trusted hardware. First, the new trusted hardware (second-generation Intel SGX) is profiled, and it is found that, given a large secure memory configuration, the paging overhead of first-generation Intel SGX is no longer the main problem. Configuring large secure memory raises two new problems: first, the usable range of ordinary memory is squeezed, so the paging overhead of ordinary applications, especially big-data applications, worsens; second, secure memory is usually not fully used, so overall physical memory utilization is low. To address these problems, a new lightweight code migration scheme is proposed that dynamically migrates the code of ordinary applications into secure memory while leaving the data in place. The migrated code can use secure memory and avoid the severe performance degradation caused by disk paging. Experimental results show that the method reduces the performance overhead of ordinary applications caused by disk paging by 73.2%-98.7% without affecting the secure isolation or normal use of secure applications.

18.
Trusted Execution Environment (TEE) is an architectural solution for secure computing that requires confidentiality and integrity for private data and code. In recent years, TEE has become a research hotspot for machine learning privacy protection, encrypted databases, blockchain security, etc. This paper addresses the performance problem of the system under this new trusted hardware. We analyze the performance of the new trusted hardware, i.e., Intel SGXv2. We find that the paging overhead in SGXv1 is no longer the main issue in SGXv2 under the premise of configuring large secure memory. However, the setup of large secure memory leads to two new problems. First, the available range of normal memory is narrowed down, which increases the memory pressure of normal applications, especially big data applications. Second, secure memory is usually underutilized, resulting in low overall physical memory utilization. To solve the above problems, this paper proposes a new lightweight code migration approach, which dynamically migrates the code of normal applications into secure memory while leaving the data in place. The migrated code can use secure memory and avoid the drastic performance degradation caused by disk swapping. Experimental results show that the proposed approach can reduce the runtime overhead of normal applications by 73.2% to 98.7% without affecting the isolation and the use of secure applications.
