Fork-nox: a new virtualization technique to enforce system security
Team work: Jean-François Dumollard presented "Fork-nox: a new virtualization technique to enforce system security" (Compas'24) at 4A312 the 24/5/2024 at 10h30.
Abstract
Operating system security is a major concern, because vulnerabilities discovered at this layer would endanger the whole software stack. Despite many efforts, kernel security mechanisms are not isolated enough from the kernel to offer strong integrity guarantees. Indeed, the trusted computing base of these mechanisms incorporates by design the whole kernel and its drivers. In the case of Linux, this represents nearly 25 millions lines of code, difficult to trust and hard to debug. With this project, we argue that integrity guarantees on kernel security can be achieved using a more privileged layer without sacrificing the semantics. Building on this idea, we employ hardware virtualization to run Fork-nox, a small security hypervisor. We implement Fork-nox as a Linux module, which separates itself from the kernel to gain more privileges, deploying necessary hypervisor features. Moreover, we have designed it to be a minimal, independent and auditable codebase. With this project, we demonstrate the efficiency of our tool by enforcing memory protection, keeping in mind that we eventually target hardening of kernel security interposition. Hence, our goal is to assert integrity over the kernel security system. We target hardening, firstly of the security mechanisms, creating a trusted computing base around them, and secondly of the execution paths to the control hooks. Thus, we envision a hardened hook mechanism inspired by Linux’s Kprobes to perform advanced security checks and livepatching through a secured interface allowing to define on-demand policies.