Lock-in-pop: Securing privileged operating system kernels by keeping on the beaten path

Yiwen Li, Brendan Dolan-Gavitt, Sam Weber, Justin Cappos

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Virtual machines (VMs) that try to isolate untrusted code are widely used in practice. However, it is often possible to trigger zero-day flaws in the host Operating System (OS) from inside of such virtualized systems. In this paper, we propose a new security metric showing strong correlation between “popular paths” and kernel vulnerabilities. We verify that the OS kernel paths accessed by popular applications in everyday use contain significantly fewer security bugs than less-used paths. We then demonstrate that this observation is useful in practice by building a prototype system which locks an application into using only popular OS kernel paths. By doing so, we demonstrate that we can prevent the triggering of zero-day kernel bugs significantly better than three other competing approaches, and argue that this is a practical approach to secure system design.

    Original language: English (US)
    Title of host publication: Proceedings of the 2017 USENIX Annual Technical Conference, USENIX ATC 2017
    Publisher: USENIX Association
    Pages: 1-13
    Number of pages: 13
    ISBN (Electronic): 9781931971386
    State: Published - 2019
    Event: 2017 USENIX Annual Technical Conference, USENIX ATC 2017 - Santa Clara, United States
    Duration: Jul 12 2017 → Jul 14 2017

    Publication series

    Name: Proceedings of the 2017 USENIX Annual Technical Conference, USENIX ATC 2017

    Conference

    Conference: 2017 USENIX Annual Technical Conference, USENIX ATC 2017
    Country/Territory: United States
    City: Santa Clara
    Period: 7/12/17 → 7/14/17

    ASJC Scopus subject areas

    • General Computer Science
