5/24/2021
A team of researchers from the University of Illinois Urbana-Champaign, Carnegie Mellon University, IBM, and Red Hat, affiliated with the IBM-Illinois C3SR center, works to defend against exploits of kernel vulnerabilities.
A team of researchers from the University of Illinois Urbana-Champaign, Carnegie Mellon University, IBM, and Red Hat, affiliated with the IBM-Illinois C3SR center, has upstreamed their work on operating system (OS) security to the Linux kernel. As reported by Phoronix (one of the largest open-source news sites), the feature, named constant-action bitmaps, is yielding "a very nice speedup" for system-call security, a cornerstone for protecting shared OS kernels.
System-call security restricts how untrusted applications interact with the OS kernel; system calls are the main interface that OS kernels expose to userland. The idea behind this research is to shrink the kernel attack surface reachable from a compromised application: only well-specified system calls (optionally with constrained arguments) are allowed, and every other call is rejected before it can reach a potentially vulnerable kernel code path. System-call security is a key building block of modern container and virtualization technologies (such as Docker, Linux Containers, and Amazon Firecracker), sandboxing technologies (such as Google Sandboxed API and Firejail), web browsers, Android mobile apps, and many other important systems and applications. Because the check runs on every system call, its cost is paid on the hottest path between application and kernel. With the new feature that the researchers released in Linux v5.11, the performance overhead of system-call checks on Linux is substantially reduced: for system calls that the installed filters always allow regardless of their arguments, the filter no longer has to be executed on each call.
“The released feature is exciting! It not only improves application performance by minimizing the security checking overhead, but also enables practitioners who take security seriously to implement more thorough security policies,” said Hubertus Franke, a Distinguished Research Staff Member at IBM Research and a core member of the research team. “With containers being a main cloud environment that empowers millions of applications today, the impact is significant.”
The Origin: The Draco Project
Constant-action bitmaps are part of the Draco research project started by Saburo Muroga Professor of Computer Science (CS) Josep Torrellas and assistant professor Tianyin Xu, also of CS, from the University of Illinois Urbana-Champaign, together with Dimitrios Skarlatos, a former PhD student of Torrellas who is now an assistant professor of Computer Science at Carnegie Mellon University. The key insight of Draco is that the system-call patterns of real-world applications have locality: an application typically issues the same system calls with the same sets of arguments over and over. Draco therefore caches system-call IDs and argument values in a special cache once they have been checked and validated. On subsequent system calls the cache is looked up first and, on a hit, the checks are skipped, eliminating the checking overhead; only a miss pays for a full filter evaluation, and the cache has to be invalidated whenever a new filter is installed, since the cached verdicts are only valid for the filter set that produced them. The research paper describing Draco was presented at the 53rd ACM/IEEE International Symposium on Microarchitecture (MICRO) in October 2020.
The project is named after Draco (Greek Δράκων), the Athenian legislator of Ancient Greece who first replaced oral law with a written code.
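A toy model of the two fast paths discussed above, written in C as an added example; it is not the kernel's seccomp code and not the Draco team's implementation. It assumes a constructed rule-list policy in place of a real cBPF filter (the kernel decides argument-independence by emulating the BPF program per syscall number, whereas this toy just marks which rules read an argument), uses x86-64 syscall numbers only as labels, and every function name (install_policy, check_syscall, bitmap_allows, run_filter) is hypothetical. It shows the constant-action bitmap skipping the filter for always-allowed calls, the Draco-style cache skipping it for repeated (syscall, arguments) tuples, and the slow path still running for denied calls and for any new argument combination.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Syscall numbers used as labels (x86-64 values); MAX_SYSCALLS bounds the bitmap. */
enum { SC_READ = 0, SC_WRITE = 1, SC_SOCKET = 41, SC_EXECVE = 59, SC_OPENAT = 257, MAX_SYSCALLS = 512 };

enum action { ACT_KILL = 0, ACT_ALLOW = 1 };

/* One policy rule: match a syscall number, optionally also one argument. */
struct rule {
    int nr;
    int arg_index;        /* -1 = verdict does not depend on arguments */
    uint64_t arg_value;
    enum action act;
};

/* Constructed toy policy (hypothetical, not a real container profile). */
static const struct rule POLICY[] = {
    { SC_READ,   -1, 0, ACT_ALLOW },   /* always allowed: bitmap candidate */
    { SC_WRITE,  -1, 0, ACT_ALLOW },   /* always allowed: bitmap candidate */
    { SC_SOCKET,  0, 1, ACT_ALLOW },   /* only domain == AF_UNIX (1): needs arg check */
    { SC_OPENAT,  2, 0, ACT_ALLOW },   /* only flags == O_RDONLY (0): needs arg check */
};
#define N_RULES (sizeof POLICY / sizeof POLICY[0])
static const enum action DEFAULT_ACTION = ACT_KILL;   /* deny everything else */

/* Slow path: evaluate the whole policy. Counted so the fast paths are observable. */
static unsigned long filter_runs;

static enum action run_filter(int nr, const uint64_t args[6])
{
    filter_runs++;
    for (size_t i = 0; i < N_RULES; i++) {
        const struct rule *r = &POLICY[i];
        if (r->nr != nr)
            continue;
        if (r->arg_index < 0 || args[r->arg_index] == r->arg_value)
            return r->act;
    }
    return DEFAULT_ACTION;
}

/* Fast path 1: constant-action bitmap. A bit is set only when the verdict for
 * that syscall number is ALLOW for every possible argument vector. */
static uint64_t allow_bitmap[MAX_SYSCALLS / 64];

static bool verdict_depends_on_args(int nr)
{
    for (size_t i = 0; i < N_RULES; i++)
        if (POLICY[i].nr == nr && POLICY[i].arg_index >= 0)
            return true;
    return false;
}

static bool bitmap_allows(int nr)
{
    return nr >= 0 && nr < MAX_SYSCALLS && ((allow_bitmap[nr / 64] >> (nr % 64)) & 1);
}

/* Fast path 2: Draco-style cache of (nr, args) tuples already validated as ALLOW.
 * Only ALLOW results are cached: a denied call must always reach the filter so
 * the configured deny action (kill, errno, log ...) is actually taken. */
#define CACHE_SLOTS 64
struct cache_entry { bool valid; int nr; uint64_t args[6]; };
static struct cache_entry syscall_cache[CACHE_SLOTS];

static size_t cache_slot(int nr, const uint64_t args[6])
{
    uint64_t h = (uint64_t)nr;
    for (int i = 0; i < 6; i++)
        h = h * 31 + args[i];                /* wraps on overflow, fine for a hash */
    return (size_t)(h % CACHE_SLOTS);
}

/* Done once when a filter is installed; installing a filter invalidates both fast paths. */
static void install_policy(void)
{
    uint64_t zero_args[6] = { 0 };
    memset(allow_bitmap, 0, sizeof allow_bitmap);
    memset(syscall_cache, 0, sizeof syscall_cache);
    for (int nr = 0; nr < MAX_SYSCALLS; nr++) {
        if (verdict_depends_on_args(nr))
            continue;                        /* might vary with args: never in the bitmap */
        if (run_filter(nr, zero_args) == ACT_ALLOW)
            allow_bitmap[nr / 64] |= 1ULL << (nr % 64);
    }
    filter_runs = 0;                         /* install-time work is not per-call overhead */
}

static enum action check_syscall(int nr, const uint64_t args[6])
{
    if (bitmap_allows(nr))
        return ACT_ALLOW;                    /* filter skipped entirely */
    struct cache_entry *e = &syscall_cache[cache_slot(nr, args)];
    if (e->valid && e->nr == nr && memcmp(e->args, args, sizeof e->args) == 0)
        return ACT_ALLOW;                    /* same (nr, args) validated before */
    enum action a = run_filter(nr, args);
    if (a == ACT_ALLOW) {                    /* remember only validated tuples */
        e->valid = true;
        e->nr = nr;
        memcpy(e->args, args, sizeof e->args);
    }
    return a;
}

int main(void)
{
    uint64_t none[6] = { 0 }, unix_sock[6] = { 1, 1, 0, 0, 0, 0 };
    install_policy();
    check_syscall(SC_READ, none);            /* bitmap hit: no filter run */
    check_syscall(SC_SOCKET, unix_sock);     /* filter runs once, result cached */
    check_syscall(SC_SOCKET, unix_sock);     /* cache hit */
    printf("filter evaluations for 3 syscalls: %lu\n", filter_runs);
    return 0;
}
```

The two fast paths differ in what they may safely skip: the bitmap is built once per filter install and is sound only for syscall numbers whose verdict never reads an argument, while the cache keys on the full argument vector and therefore helps argument-checked calls such as socket() or openat(). Neither path ever short-circuits a deny, so the policy's failure mode (the call that is not allowed) is unchanged by the optimization.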
“This is a collaborative team effort. Each member of the Draco team has a unique, complementary expertise, which is key to the success in creating a solution that passes the high bar of adoption by Linux,” said Torrellas, an Information Trust Institute researcher.
While research may show feasibility and promise, turning a research idea into a practical OS feature that directly benefits all Linux-based containers and applications is a long journey. That journey began at a technical meetup organized by the IBM-Illinois C3SR center, where Xu met Franke and the two discussed the Draco project in depth.
The potential impact greatly excited Skarlatos, Torrellas, and Xu, who teamed up with Franke and his IBM colleague Tobin Feldman-Fitzthum. Franke also invited Andrea Arcangeli, a well-known Linux kernel developer at Red Hat, to join the team. Arcangeli is the creator of seccomp, the Linux kernel component for system-call security checks on top of which the team built Draco. Xu invited YiFei Zhu, a University of Illinois undergraduate student in his course CS 423 (Operating System Design), to lead the Draco implementation and upstreaming effort. The C3SR center supported the work, and Zhu was also supported by both NSF and the Office of Undergraduate Research (OUR) of the University of Illinois.
“I’m very grateful to C3SR for generously supporting the Draco upstream effort and helping assemble the all-star team,” said Xu. “Upstreaming research to open-source projects like the Linux kernel is highly impactful and I’m very glad that the center values such impact.”