sesa 15(3): e1

Research Article

Salus: Kernel Support for Secure Process Compartments

Download551 downloads
  • @ARTICLE{10.4108/sesa.2.3.e1,
        author={Raoul Strackx and Pieter Agten and Niels Avonds and Frank Piessens},
        title={Salus: Kernel Support for Secure Process Compartments},
        journal={EAI Endorsed Transactions on Security and Safety},
        volume={2},
        number={3},
        publisher={ICST},
        journal_a={SESA},
        year={2015},
        month={1},
        keywords={Privilege separation, principle of least privilege, modularization},
        doi={10.4108/sesa.2.3.e1}
    }
    
  • Raoul Strackx
    Pieter Agten
    Niels Avonds
    Frank Piessens
    Year: 2015
    Salus: Kernel Support for Secure Process Compartments
    SESA
    ICST
    DOI: 10.4108/sesa.2.3.e1
Raoul Strackx1,*, Pieter Agten1,*, Niels Avonds1,*, Frank Piessens1,*
  • 1: iMinds-DistriNet - KU Leuven, Celestijnenlaan 200A, 3001 Heverlee, Belgium
*Contact email: raoul.strackx@cs.kuleuven.be, pieter.agten@cs.kuleuven.be, niels.avonds@gmail.com, frank.piessens@cs.kuleuven.be

Abstract

Consumer devices are increasingly being used to perform security and privacy critical tasks. The software used to perform these tasks is often vulnerable to attacks, due to bugs in the application itself or in included software libraries. Recent work proposes the isolation of security-sensitive parts of applications into protected modules, each of which can be accessed only through a predefined public interface. But most parts of an application can be considered security-sensitive at some level, and an attacker who is able to gain inapplication level access may be able to abuse services from protected modules.

We propose Salus, a Linux kernel modification that provides a novel approach for partitioning processes into isolated compartments sharing the same address space. Salus significantly reduces the impact of insecure interfaces and vulnerable compartments by enabling compartments (1) to restrict the system calls they are allowed to perform, (2) to authenticate their callers and callees and (3) to enforce that they can only be accessed via unforgeable references. We describe the design of Salus, report on a prototype implementation and evaluate it in terms of security and performance. We show that Salus provides a significant security improvement with a low performance overhead, without relying on any non-standard hardware support.