<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<meta name="description" content="Nested Kernel Operating System Architecture : Enabling Privilege Separation in Commodity Operating Systems">
<link rel="stylesheet" type="text/css" media="screen" href="stylesheets/stylesheet.css">
<title>Nested Kernel Operating System Architecture</title>
</head>
<body>
<!-- HEADER -->
<div id="header_wrap" class="outer">
<header class="inner">
<a id="forkme_banner" href="https://github.com/nestedkernel">View on GitHub</a>
<h1 id="project_title">Nested Kernel Operating System Architecture</h1>
<h2 id="project_tagline">Enabling Privilege Separation in Commodity Operating Systems</h2>
</header>
</div>
<!-- MAIN CONTENT -->
<div id="main_content_wrap" class="outer">
<section id="main_content" class="inner">
<h3>
<a id="welcome-to-the-nested-kernel" class="anchor" href="#welcome-to-the-nested-kernel" aria-hidden="true"><span class="octicon octicon-link"></span></a>Welcome to the Nested Kernel.</h3>
<p>Monolithic operating system designs undermine the security of computing systems
by allowing single exploits anywhere in the kernel to enjoy full supervisor
privileges. The nested kernel operating system architecture addresses this
problem by “nesting” a small, isolated kernel within a traditional monolithic
kernel. The “nested kernel” interposes on all updates to virtual memory
translations to assert protections on physical memory, thus significantly
reducing the trusted computing base for memory access control enforcement.</p>
<p>We incorporated the nested kernel architecture into FreeBSD on x86-64 hardware
by write-protecting MMU translations and deprivileging the untrusted part of
the kernel, thereby enabling the entire operating system, trusted and untrusted
components alike, to operate at the highest hardware privilege level. Our
implementation inherently enforces kernel code integrity while still allowing
dynamically loaded kernel modules, thus defending against code injection
attacks.</p>
<p>We also demonstrate, by introducing write-mediation and write-logging services,
that the nested kernel architecture allows kernel developers to isolate memory
in ways not possible in monolithic kernels. Performance of the nested kernel
prototype shows modest overheads: &lt;1% average for Apache, &lt;3.7% average for
SSHD, and 2.7% average for kernel compile. Overall, our results and experience
show that the nested kernel design can be retrofitted to existing monolithic
kernels, providing important security benefits.</p>
<h3>
<a id="links" class="anchor" href="#links" aria-hidden="true"><span class="octicon octicon-link"></span></a>Links</h3>
<p>Our full ASPLOS '15 paper can be found
<a href="http://nathandautenhahn.com/downloads/publications/asplos200-dautenhahn.pdf">here</a>.</p>
<p>A link to the presentation given at ASPLOS '15 --- 20 minute version:
<a href="http://prezi.com/in6qr3l92ffc/?utm_campaign=share&amp;utm_medium=copy">Nested Kernel Presentation 20 Minutes</a></p>
<p>A link to the presentation given at FreeBSD Dev Summit '15 --- 50 minute
version:
<a href="http://prezi.com/hlylrelpxkfj/?utm_campaign=share&amp;utm_medium=copy&amp;rc=ex0share">Prezi Nested Kernel Presentation 45 Minutes</a></p>
<p><a href="http://nestedkernel.org/downloads/nestedkernel-prezi-pdf.pdf">PDF: Nested Kernel Presentation 45 Minutes</a></p>
<p>Details on our prototype nested kernel, PerspicuOS, can be found <a
href="http://nestedkernel.org/PerspicuOS/">here</a>. PerspicuOS retrofits
the nested kernel design into FreeBSD 9.0 for the AMD64 architecture.</p>
</section>
</div>
<!-- FOOTER -->
<div id="footer_wrap" class="outer">
<footer class="inner">
<p>Published with <a href="https://pages.github.com">GitHub Pages</a></p>
</footer>
</div>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-61522619-1");
pageTracker._trackPageview();
} catch(err) {}
</script>
</body>
</html>