-
Notifications
You must be signed in to change notification settings - Fork 2
/
params.json
1 lines (1 loc) · 3.12 KB
/
params.json
1
{"name":"Nested Kernel Operating System Architecture","tagline":"Enabling Privilege Separation in Commodity Operating Systems","body":"### Welcome to the Nested Kernel.\r\nMonolithic operating system designs undermine the security of computing systems\r\nby allowing single exploits anywhere in the kernel to enjoy full supervisor\r\nprivileges. The nested kernel operating system architecture addresses this\r\nproblem by “nesting” a small, isolated kernel within a traditional monolithic\r\nkernel. The “nested kernel” interposes on all updates to virtual memory\r\ntranslations to assert protections on physical memory, thus significantly\r\nreducing the trusted computing base for memory access control enforcement.\r\n\r\nWe incorporated the nested kernel architecture into FreeBSD on x86-64 hardware\r\nby write-protecting MMU translations and de- privileging the untrusted part of\r\nthe kernel, thereby enabling the entire operating system, trusted and untrusted\r\ncomponents alike, to operate at the highest hardware privilege level. Our\r\nimplementation inherently enforces kernel code integrity while still allowing\r\ndynamically loaded kernel modules, thus defending against code injection\r\nattacks.\r\n\r\nWe also demonstrate, by introducing write-mediation and write-logging services,\r\nthat the nested kernel architecture allows kernel developers to isolate memory\r\nin ways not possible in monolithic kernels. Performance of the nested kernel\r\nprototype shows modest overheads: < 1% average for Apache, <3.7% average for\r\nSSHD, and 2.7% average for kernel compile. Overall, our results and experience\r\nshow that the nested kernel design can be retrofitted to existing monolithic\r\nkernels, providing important security benefits.\r\n\r\n### Links\r\nOur full ASPLOS '15 paper can be found on\r\n[here](http://nathandautenhahn.com/downloads/publications/asplos200-dautenhahn.pdf).\r\n\r\nA link to the presentation given at ASPLOS '15:\r\nhttp://prezi.com/in6qr3l92ffc/?utm_campaign=share&utm_medium=copy\r\n\r\n### Build Instructions\r\n\r\n!!!!!! These Are Under Construction and Require Testing !!!!!!\r\n\r\nOur current nested kernel implementation for x86-64 FreeBSD is called\r\nPerspicuOS.\r\n\r\n1. Install FreeBSD 9.0:\r\n http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/ISO-IMAGES/9.0/\r\n1. In FreeBSD 9.0 System, clone the repo\r\n $ clone [email protected]:nestedkernel/nestedkernel.git nestedkernel\r\n2. Build the nested kernel\r\n $ cd nestedkernel\r\n $ make\r\n3. Configure FreeBSD /etc/src.conf\r\n \\# This setting to build world without -Werror:\r\n NO_WERROR=\r\n \\# This setting to build kernel without -Werror:\r\n WERROR=\r\n \\# Set the library path to the nested kernel lib\r\n CFLAGS+=-I/PATH/TO/NESTEDKERNEL/include\r\n4. Make PerspicuOS: Use FreeBSD building instructions\r\n selecting the NK kernel configuration\r\n5. Install and Boot (you can use either the base harddrive or\r\n a VM tool Like Qemu, VirtualBox, or VMWare)\r\n\r\n### Comment on Code\r\n","google":"UA-61522619-1","note":"Don't delete this file! It's used internally to help with page regeneration."}