Domain Isolated Kernel: A lightweight sandbox for untrusted kernel extensions
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Manes, Valentin J. M. | ko |
| dc.contributor.author | Jang, Daehee | ko |
| dc.contributor.author | Ryu, Chanho | ko |
| dc.contributor.author | Kang, Brent Byunghoon | ko |
| dc.date.accessioned | 2018-04-24T05:05:38Z | - |
| dc.date.available | 2018-04-24T05:05:38Z | - |
| dc.date.created | 2018-04-09 | - |
| dc.date.created | 2018-04-09 | - |
| dc.date.issued | 2018-05 | - |
| dc.identifier.citation | COMPUTERS & SECURITY, v.74, pp.130 - 143 | - |
| dc.identifier.issn | 0167-4048 | - |
| dc.identifier.uri | http://hdl.handle.net/10203/241291 | - |
| dc.description.abstract | Monolithic kernel is one of the prevalent configurations out of various kernel design models. While monolithic kernel excels in performance and management, they are unequipped for runtime system update; and this brings the need for kernel extension. Although kernel extensions are a convenient measure for system management, it is well established that they make the system prone to rootkit attacks and kernel exploitation as they share the single memory space with the rest of the kernel. To address this problem, various forms of isolation (e.g., making into a process), are so far proposed, yet their performance overhead is often too high or incompatible for a general purpose kernel. In this paper, we propose Domain Isolated Kernel (DlKernel), a new kernel architecture which securely isolates the untrusted kernel extensions with minimal performance overhead. DlKernel leverages hardware based memory domain feature in ARM architecture; and prevents system manipulation attacks originated from kernel extensions, such as rootkits and exploits caused by buggy kernel extensions. We implemented DlKernel on top of Linux 4.13 kernel with 1500 LOC. Performance evaluation indicates that DlKernel imposes negligible overhead which is observed by cycle level microbenchmark. (C) 2018 Elsevier Ltd. All rights reserved. | - |
| dc.language | English | - |
| dc.publisher | ELSEVIER ADVANCED TECHNOLOGY | - |
| dc.subject | ARCHITECTURE | - |
| dc.title | Domain Isolated Kernel: A lightweight sandbox for untrusted kernel extensions | - |
| dc.type | Article | - |
| dc.identifier.wosid | 000428098500008 | - |
| dc.identifier.scopusid | 2-s2.0-85041415903 | - |
| dc.type.rims | ART | - |
| dc.citation.volume | 74 | - |
| dc.citation.beginningpage | 130 | - |
| dc.citation.endingpage | 143 | - |
| dc.citation.publicationname | COMPUTERS & SECURITY | - |
| dc.identifier.doi | 10.1016/j.cose.2018.01.009 | - |
| dc.contributor.localauthor | Kang, Brent Byunghoon | - |
| dc.contributor.nonIdAuthor | Manes, Valentin J. M. | - |
| dc.contributor.nonIdAuthor | Jang, Daehee | - |
| dc.contributor.nonIdAuthor | Ryu, Chanho | - |
| dc.description.isOpenAccess | N | - |
| dc.type.journalArticle | Article | - |
| dc.subject.keywordAuthor | Kernel | - |
| dc.subject.keywordAuthor | ARM | - |
| dc.subject.keywordAuthor | DACR | - |
| dc.subject.keywordAuthor | Rootkit | - |
| dc.subject.keywordAuthor | Software vulnerability | - |
| dc.subject.keywordAuthor | Extension | - |
| dc.subject.keywordPlus | ARCHITECTURE | - |
- Appears in Collection
- CS-Journal Papers(저널논문)
- Files in This Item
- There are no files associated with this item.
This item is cited by other documents in WoS
| ⊙ Detail Information in WoSⓡ | Click to see |  |
| ⊙ Cited 10 items in WoS | Click to see citing articles in |  |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.