阅读说明：本技术 在操作系统内核的隔离地址空间中执行系统调用 (Performing system calls in isolated address space of operating system kernel ) 是由 M·拉波波特 J·K·尼德尔 J·巴特利 于 2020-05-15 设计创作，主要内容包括：本系统和方法的实施例可以通过在专用地址空间中执行系统调用以减少对恶意应用可见并因此可由恶意应用利用的共享资源的量来在操作系统内核本身内部提供附加的安全机制。例如,在实施例中,一种在计算机中实现的方法,该计算机可包括处理器、可由处理器访问的存储器以及存储在存储器中且可由处理器执行的计算机程序指令,该方法可以包括：当用户进程进行系统调用时,切换到内核模式,并使用用于用户进程的系统调用页表以执行系统调用处理程序,当系统调用处理程序尝试访问未映射的内核空间存储器时,生成页错误,以及通过确定是否允许对未映射内核空间存储器的尝试访问来处理页错误。(Embodiments of the present systems and methods may provide additional security mechanisms within the operating system kernel itself by performing system calls in a private address space to reduce the amount of shared resources that are visible to and therefore exploitable by malicious applications. For example, in an embodiment, a method implemented in a computer that may include a processor, a memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor may include: the method includes switching to kernel mode when a user process makes a system call and using a system call page table for the user process to execute a system call handler, generating a page fault when the system call handler attempts to access an unmapped kernel space memory, and handling the page fault by determining whether the attempted access to the unmapped kernel space memory is allowed.)

1. A method implemented in a computer comprising a processor, a memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method comprising:

when a user process carries out system calling, switching to a kernel mode, and using a system calling page table for the user process to execute a system calling processing program;

generating a page fault when the system call handler attempts to access an unmapped kernel space memory; and is

Processing the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.

2. The method of claim 1, wherein the computer system operating system is a Linux operating system.

3. The method of claim 2, wherein the system call page table comprises:

a plurality of kernel space address ranges that allow execution of kernel code and access to kernel data.

4. The method of claim 3, wherein the system call page table is created by:

creating a template system call page table including a mapping of kernel code and data required to perform an entry to kernel mode when performing a system call, a table with pointers to system call handlers, and entry code for each system call handler;

creating a copy of the template system call page table for the user process in a process state representation when creating the user process, and populating a per-process entry page table with a user space mapping along with the original template; and is

When it is determined that a page fault is allowed, adding a mapping of a kernel space address range that allows execution of the system call handler that attempts to access kernel space memory.

5. The method of claim 4, further comprising:

terminating execution of the user process making the system call attempting to access kernel space memory when it is determined that a page fault is not allowed.

6. The method of claim 5, further comprising:

removing the mapping of the kernel space address range added during execution of the system call handler when execution of the system call handler is finished.

7. A system comprising a processor, a memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor to:

when the user process carries out system calling, switching to a kernel mode, and executing a system calling processing program by using a system calling page table for the user process;

generating a page fault when the system call handler attempts to access an unmapped kernel space memory; and is

Processing the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.

8. The system of claim 7, wherein the computer system operating system is a Linux operating system.

9. The system of claim 8, wherein the system call page table comprises:

a plurality of kernel space address ranges that allow execution of kernel code and access to kernel data.

10. The system of claim 9, wherein the system call page table is created by:

creating a template system call page table including a mapping of kernel code and data required to perform an entry to kernel mode when performing a system call, a table with pointers to system call handlers, and entry code for each system call handler;

creating a copy of the template system call page table for the user process in a process state representation when creating the user process, and populating a per-process entry page table with a user space mapping along with the original template; and is

When it is determined that a page fault is allowed, adding a mapping of a kernel space address range that allows execution of the system call handler that attempts to access kernel space memory.

11. The system of claim 10, further comprising:

terminating execution of the user process making the system call attempting to access kernel space memory when it is determined that a page fault is not allowed.

12. The system of claim 11, further comprising:

removing the mapping of the kernel space address range added during execution of the system call handler when execution of the system call handler is finished.

13. A computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method comprising:

when the user process carries out system calling, switching to a kernel mode, and executing a system calling processing program by using a system calling page table for the user process;

generating a page fault when the system call handler attempts to access an unmapped kernel space memory; and is

Processing the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.

14. The computer program product of claim 13, wherein the computer system operating system is a Linux operating system.

15. The computer program product of claim 14, wherein the system call page table comprises:

a plurality of kernel space address ranges that allow execution of kernel code and access to kernel data.

16. The computer program product of claim 15, wherein the system call page table is created by:

creating a template system call page table including a mapping of kernel code and data required to perform an entry to kernel mode when performing a system call, a table with pointers to system call handlers, and entry code for each system call handler;

creating a copy of the template system call page table for the user process in a process state representation when creating the user process, and populating the per-process entry page table with a user space mapping along with the original template; and is

When it is determined that a page fault is allowed, adding a mapping of a kernel space address range that allows execution of the system call handler that attempts to access kernel space memory.

17. The computer program product of claim 16, further comprising:

terminating execution of the user process making the system call attempting to access kernel space memory when it is determined that a page fault is not allowed.

18. The computer program product of claim 17, further comprising:

removing the mapping of the kernel space address range added during execution of the system call handler when execution of the system call handler is finished.

Background

The present invention relates to techniques for providing additional security mechanisms within the operating system kernel itself by performing system calls in a private address space to reduce the amount of shared resources that are visible to and therefore exploitable by malicious applications.

System calls are an important part of the kernel Application Binary Interface (ABI) of an operating system exposed to user space applications, such as Linux. When a system call is executed, the CPU transition from unprivileged mode (e.g., ring-3 on x 86) to supervisor mode (e.g., ring-0 on x 86) and the routine called during system call execution have the highest privilege level and therefore the ability to access and modify system resources. Malicious user-space applications may exploit vulnerabilities in system call implementations to gain access to these system resources and cause system crashes, read sensitive information, or gain supervisor privileges.

The microkernel avoids extensive exposure of privileged state by minimizing the amount of code running in supervisor mode and executing most operating system services with user privileges in an isolated address space. The main drawbacks of the microkernel approach are the performance cost associated with interprocess communication and the complexity of the interface between the different components of the system.

As a mitigation of the Meltdown vulnerability, a Page Table Isolation (PTI) mechanism that completely isolates user and kernel address spaces is added to the Linux kernel. However, even for PTI, the entire kernel code shares the same address space, and the development in any system call handler makes the entire system vulnerable.

Thus, a need has arisen for techniques that provide additional security mechanisms within the operating system kernel itself.

Disclosure of Invention

Embodiments of the present systems and methods may provide additional security mechanisms within the operating system kernel itself by performing system calls in a private address space to reduce the amount of shared resources that are visible to and therefore exploitable by malicious applications.

In an embodiment, when a user space application executes a system call, the kernel entry code may select an address space that is appropriate for the execution of that particular system call. If the execution of the system call attempts to access memory outside of the address space, a page fault occurs. The page fault handler may verify that the requested memory range is allowed to be accessed by the system call handler routine and, if so, may add this range to the private address space. When the system call is complete, the address space definition may be restored to the original.

For example, in an embodiment, a method implemented in a computer that may include a processor, a memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor may include: the method includes switching to kernel mode when a user process makes a system call and using a system call page table for the user process to execute a system call handler, generating a page fault when the system call handler attempts to access an unmapped kernel space memory, and handling the page fault by determining whether the attempted access to the unmapped kernel space memory is allowed.

In an embodiment, the computer system operating system may be a Linux operating system. The system call page table may include a plurality of kernel space address ranges that allow execution of kernel code and access to kernel data. The system call page table may be created by: creating a template system call page table comprising a mapping of kernel code and data required to perform an entry to kernel mode when performing a system call, a table with pointers to system call handlers, and entry code for each system call handler, when creating a user process, creating a copy of the template system call page table for the user process in a process state representation and populating the per-process entry page table with a user space mapping along with the original template, and when it is determined that a page fault is allowed, adding a mapping of a kernel space address range allowing execution of a system call handler attempting to access kernel space memory. The method may further comprise: when it is determined that the page fault is not allowed, execution of the user process making the system call attempting to access the kernel space memory is terminated. The method may further comprise: when the execution of the system call handler is finished, the mapping of the kernel space address range added during the execution of the system call handler is removed.

In an embodiment, a system may include a processor, a memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor to: when a user process makes a system call, switching to kernel mode and executing a system call handler using a system call page table for the user process, generating a page fault when the system call handler attempts to access the unmapped kernel space memory, and handling the page fault by determining whether the attempted access to the unmapped kernel space memory is allowed.

In an embodiment, a computer program product may include a non-transitory computer-readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform a method, the method may include: when a user process makes a system call, switching to kernel mode and executing a system call handler using a system call page table for the user process, generating a page fault when the system call handler attempts to access the unmapped kernel space memory, and handling the page fault by determining whether the attempted access to the unmapped kernel space memory is allowed.

Drawings

The details of the present invention, both as to its structure and operation, can best be understood in reference to the accompanying drawings, in which like reference numerals and designations refer to like elements.

FIG. 1 is an exemplary schematic diagram of a system memory space in accordance with embodiments of the present systems and methods.

Fig. 2 is an exemplary flow chart of a process of operation of an embodiment of the present systems and methods.

FIG. 3 is an exemplary block diagram of a computer system in which processes involved in embodiments described herein may be implemented.

Detailed Description

Embodiments of the present systems and methods may provide additional security mechanisms within the operating system kernel itself by performing system calls in a private address space to reduce the amount of shared resources that are visible to and therefore exploitable by malicious applications. A conventional monolithic operating system kernel (such as a Linux kernel) that runs code in only a single address space may be modified to run code in multiple address spaces to increase security. Additional attributes may be used to enhance security. For example, in a system call environment, code in multiple address spaces may run in a kernel (privileged) mode, which may be used to ensure that if an entity performing a system call attempts an access outside of its allowed address space, the attempted access may be securely detected and processed. The address space may be created per user process and may be used to enforce security attributes for the user processes.

In an embodiment, when a user space application executes a system call, the kernel entry code may select an address space that is appropriate for the execution of that particular system call. If the execution of the system call attempts to access memory outside of the address space, a page fault occurs. The page fault handler may verify that the requested memory range is allowed to be accessed by the system call handler routine and, if so, may add this range to the private address space. When the system call is complete, the address space definition may be restored to the original.

An exemplary schematic diagram of a system memory space 100 is shown in FIG. 1. This example shows kernel page tables 102, system call page tables 104, and user page tables 106. In addition, there may be a template system call page table 126 described below. In this example, kernel page tables 102 may be associated with a particular user process and may include user space entries 108, kernel entry page tables 110, and kernel space entries 112. User space entries 108 may include user space address mappings used when the system is operating in kernel (privileged) mode. Kernel space entries 112 may include a kernel space address map used when the system is operating in kernel (privileged) mode. The kernel entry page table 110 may include a CPU entry region that maps structures necessary to perform a switch from unprivileged to kernel (privileged) mode. The user page tables 106 may be associated with a particular user space process, and the user space entries 114 may include only the user space mappings used by the user space process. The kernel entry page table 116 may include a CPU entry region that maps structures necessary to perform a switch from unprivileged to kernel (privileged) mode. This separation of page tables, including kernel entry page tables 110, 116, and 120, may mitigate security breaches.

The user process typically runs in an unprivileged mode and has access to user page tables 106 that include only user space entries 114 and kernel entry page tables 116. Previously, when a user process made a system call, the system would switch from non-privileged mode to kernel (privileged) mode, and the process would have access to the entire kernel page table including user space entries 108, kernel entry page tables 110, and kernel space entries 112. However, in embodiments of the present system and method, when a user process makes a system call, the system may switch from non-privileged mode to kernel (privileged) mode, and the process may access the system call page table 104. The system call page table 104 may extend the user process visible mapping with an additional system call (syscall) entry page table 122. The Syscall entry page tables 122 may allow user processes to access a limited kernel space address range to execute a limited additional portion of code or access to data after switching from an unprivileged mode to a kernel (privileged) mode. The Syscall entry page tables 122 may provide access to a portion of code that is limited enough to prevent malicious access to kernel code and data, but provide access to more code than is accessible from the user space entries 118. When accessing code through the syscall entry page table 122, the secure code block 124 can verify that any access made is secure. In embodiments, any of a variety of verifications may be performed by the secure code block 124. For example, in an embodiment, the secure code block 124 may verify that access is only to known symbols.

An exemplary flow chart of a process 200 of operation of an embodiment of the present systems and methods is shown in fig. 2. This is best seen in conjunction with fig. 1. The process 200 begins at 202, where during Linux kernel initialization, the additional template system call page tables 126 shown in fig. 3 may be created. The template system call page table 126 may be used to create a functional system call page table 104 for executing a system call handler in the isolated address space. The template system call page table 126 may have a mapping 128 of kernel code and data required to execute an entry to kernel (privileged) mode when a system call is executed, a table with pointers to system call handlers, and entry code for each system call handler in the syscall entry page table 122. In addition, the template system call page table 126 may have a populated kernel entry page table 120 and an empty user space page table 118.

At 204, when a process is created, the template system call page tables 126 may be copied to a process state representation to form the operating system call page tables 104. The empty user space page tables 118 of the per-process system call page tables 104 may be populated with user space mappings in the same manner as normal process page tables, except for the original template, which includes the populated kernel entry page tables 120 and syscall entry page tables 122.

At 206, the user space process may perform a system call. The CPU may transition to kernel (privileged) mode and may call a general system call entry routine. The route may switch the CPU page table pointer register to use the system call page table 104 for the process, and may jump to a particular system call handler.

At 208, any access to the kernel space kernel code and/or data during execution of the system call handler may cause a page fault. The page fault handler of the secure block 124 may verify whether the requested memory access is secure or allowed. If the access is found to be secure or allowed, a mapping of the requested memory range may be added to the per-process system call page table 104. If access is deemed to be unsafe or disallowed, the user space process may be terminated and/or other secure actions may be taken.

At 210, when execution of the system call handler is complete, control may be transferred back to the general system call entry routine. The routine may clean the per-process system call page table 104 and may remove mappings added during execution of the system call handler.

An exemplary block diagram of a computer system 300 is shown in FIG. 3, in which processes involved in embodiments described herein may be implemented. The computer system 300 may be implemented using one or more programmed general-purpose computer systems (e.g., embedded processors, system-on-a-chip, personal computers, workstations, server systems, and minicomputers or mainframe computers) or in a distributed, networked computing environment. The computer system 300 may include one or more processors (CPUs) 302A-302N, input/output circuitry 304, a network adapter 306, and memory 308. The CPUs 302A-302N execute program instructions to perform the functions of the present communication system and method. Typically, CPUs 302A-302N are one or more microprocessors, such as INTELA processor. FIG. 3 illustrates an embodiment in which computer system 300 is implemented as a single multi-processor computer system in which multiple processors 302A-302N share system resources, such as memory 308, input/output circuitry 304, and a network adapter 306. However, the present communications system and method also includes embodiments in which the computer system 300 is implemented as multiple networked computer systems, which may be single-processor computer systems, multi-processor computer systems, or a mixture thereof.

Input/output circuitry 304 provides the ability to input data to computer system 300 or output data from computer system 300. For example, input/output circuitry may include input devices (such as keyboards, mice, touch pads, trackballs, scanners, analog-to-digital converters, and so forth), output devices (such as video adapters, monitors, printers, and so forth), and input/output devices (such as modems and so forth). The network adapter 306 interfaces the device 300 with a network 310. Network 310 may be any public or private LAN or WAN, including but not limited to the Internet.

Memory 308 stores program instructions executed by CPU 302 and data used and processed by CPU 302 to perform the functions of computer system 300. The memory 308 may include, for example, electronic memory devices such as Random Access Memory (RAM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory, etc., as well as electromechanical memory such as magnetic disk drives, magnetic tape drives, optical disk drives, etc., which may use an Integrated Drive Electronics (IDE) interface or variations or enhancements thereof, such as enhanced IDE (eide) or Ultra Direct Memory Access (UDMA), or Small Computer System Interface (SCSI) -based interfaces or variations or enhancements thereof, such as fast SCSI, wide SCSI, fast and wide SCSI, Serial Advanced Technology Attachment (SATA) or variations or enhancements thereof, or a fibre channel arbitrated loop (FC-AL) interface.

The contents of memory 308 may vary depending on the function that computer system 300 is programmed to perform. In the example shown in FIG. 3, exemplary memory contents representing routines and data for embodiments of the above-described process are shown. However, those skilled in the art will recognize that these routines and the memory contents associated with these routines may not be included on one system or device, but may be distributed across multiple systems or devices, based on well-known engineering considerations. The present communication system and method may include any and all such arrangements.

In the example illustrated in FIG. 3, memory 308 may include kernel space 312, user space 314, secure block routines 324, and other operating system routines 322. Kernel space 312 may include code and data that reside in the promoted system state, and it may include protected memory space and full access to hardware. Kernel space 312 may include kernel page tables 316, system call (syscall) page tables 318, and template system call page tables 320. The kernel page tables 316 may be associated with a particular user process and may include the user space page tables 108, the kernel entry page tables 110, and the kernel space page tables 112, as shown in fig. 1 and described above. The system call page table 318 may extend the user process visible mapping with the additional syscall entry page table 122, as shown in fig. 1 and described above. The template system call page table 320 may be used to create the functional system call page table 104 for executing the system call handler in the isolated address space, as described above. User space 314 may include user applications, programs, tasks, processes, etc., that may be executed with reduced privileges, where they may access only a subset of the available resources of the hardware and software. User space 314 may include user page tables 322 that may be mapped to user space unprivileged access. The secure block routine 324 may verify that any access using the system call page table 318 is secure or allowed. Other operating system routines 322 may provide additional system functionality.

As shown in fig. 3, the present communication system and method may include implementation on one or more systems that provide multi-processor, multi-task, multi-process, and/or multi-threaded computing, as well as implementation on systems that provide only single-processor, single-threaded computing. Multiprocessor computing involves performing computations using more than one processor. Multitasking computing involves performing computations using more than one operating system task. A task refers to the operating system concept of a combination of the program being executed and bookkeeping information used by the operating system. Each time a program is executed, the operating system creates a new task for it. The task is similar to the envelope of the program in that it identifies the program with a task number and appends other bookkeeping information to the program. Many operating systems (including Linux,And) Capable of running many tasks simultaneously and are referred to as multitasking operating systems. Multitasking is the ability of an operating system to execute more than one executable file at the same time. Each executable runs in its own address space, which means that executables cannot share any of their memories. This is achieved byThis is advantageous because any program is unlikely to damage the execution of any other program running on the system. However, programs have no way to exchange any information other than through the operating system (or by reading files stored on the file system). Multiprocessing computing is similar to multitasking computing in that the terms task and process are often used interchangeably, although some operating systems distinguish between the two.

The present invention may be any possible system, method and/or computer program product that integrates a level of technical detail. The computer program product may include a computer-readable storage medium (or media) having computer-readable program instructions thereon for causing a processor to perform aspects of the invention. The computer readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device.

The computer readable storage medium may be, for example, but is not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer-readable storage medium includes the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device (such as punch cards) or a raised structure in a recess having instructions recorded thereon), and any suitable combination of the foregoing. A computer-readable storage medium as used herein should not be interpreted as a transitory signal per se, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or an electrical signal transmitted through a wire.

The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a corresponding computing/processing device, or to an external computer or external storage device via a network (e.g., the internet, a local area network, a wide area network, and/or a wireless network). The network may include copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards these computer-readable program instructions for storage in a computer-readable storage medium within the corresponding computing/processing device.

Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, configuration data for an integrated circuit, or source code or object code written in any combination of one or more programming languages, including an object oriented Smalltalk, C + + or the like programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, an electronic circuit, including, for example, a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA), may personalize the electronic circuit by executing computer-readable program instructions with state information of the computer-readable program instructions in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable storage medium having the instructions stored therein comprise an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative embodiments, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

While specific embodiments of the invention have been described, those skilled in the art will appreciate that there are other embodiments of the invention that are equivalent to the described embodiments. Accordingly, it is to be understood that the invention is not to be limited by the specifically illustrated embodiments, but only by the scope of the appended claims.