Kernel-level multi-domain isolation model based on hardware virtualization
Cite this article: ZHONG Bing-Nan, DENG Liang, ZENG Qing-Kai. Kernel-level multi-domain isolation model based on hardware virtualization [J]. Journal of Software, 2021, 32(5).
Authors: ZHONG Bing-Nan, DENG Liang, ZENG Qing-Kai
Affiliation: State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, Jiangsu, China; Department of Computer Science and Technology, Nanjing University, Nanjing 210023, Jiangsu, China; Huawei Technologies Co., Ltd., Shanghai 201206, China
Funding: National Natural Science Foundation of China (61772266, 61431008)
Abstract: To address the problems caused by an untrusted kernel, many works have proposed a same-layer trusted base architecture, that is, a single protection domain, built at the same hardware privilege level as the kernel, in which security mechanisms can be deployed. In practice, however, security requirements are often diverse, and concentrating the corresponding security mechanisms in a single protection domain inevitably means that once any one of them is compromised, all other security mechanisms in that domain can be maliciously tampered with or destroyed by the attacker. To solve this problem, this paper proposes a kernel same-layer multi-domain isolation model, which builds multiple protection domains at the same hardware privilege level as the kernel to isolate different security mechanisms from one another, mitigating the security risk that the traditional approach incurs by binding all security mechanisms to a single protection domain. This paper implements Decentralized-KPD, a prototype of the kernel same-layer multi-domain isolation model, which uses hardware virtualization and address remapping to deploy different security mechanisms in multiple protection domains at the same privilege level as the kernel without incurring a large performance overhead. Overall, the experimental results demonstrate the security and practicality of the kernel same-layer multi-domain isolation model.

Keywords: hardware virtualization; memory isolation; multi-domain isolation
Received: 2020-05-14
Revised: 2020-07-06

Kernel-level multi-domain isolation model based on hardware virtualization
ZHONG Bing-Nan, DENG Liang, ZENG Qing-Kai. Kernel-level multi-domain isolation model based on hardware virtualization [J]. Journal of Software, 2021, 32(5).
Authors: ZHONG Bing-Nan, DENG Liang, ZENG Qing-Kai
Affiliation: State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China; Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China; Huawei Technology Co., Ltd., Shanghai 201206, China
Abstract: To address the problems caused by an untrusted kernel, many works have proposed a trusted-base architecture at the same privilege level as the kernel: a single protection domain in which security mechanisms can be deployed at the kernel's hardware privilege level. In practice, however, security requirements are often diverse, and concentrating the corresponding security mechanisms in a single protection domain is high risk: as long as any one of the security mechanisms is compromised by an attacker, all other security mechanisms in the same protection domain may be maliciously tampered with or destroyed. To address this problem, this paper proposes a kernel-level multi-domain isolation model, which constructs multiple protection domains at the same hardware privilege level as the kernel to achieve internal isolation of different security mechanisms, alleviating the security risk of the traditional method, which binds all security mechanisms into a single protection domain. We implemented Decentralized-KPD, a prototype of the kernel-level multi-domain isolation model, which uses hardware virtualization and address remapping to deploy different security mechanisms in multiple protection domains at the kernel privilege level without causing a large performance overhead. Overall, our experimental results demonstrate the security and utility of the kernel-level multi-domain isolation model.
Keywords: hardware virtualization; memory isolation; multi-domain isolation