Where Do You Want to Go Today? Escalating

Total Page:16

File Type:pdf, Size:1020Kb

Where Do You Want to Go Today? Escalating Where Do You Want to Go Today? ∗ Escalating Privileges by Pathname Manipulation Suresh Chari Shai Halevi Wietse Venema IBM T.J. Watson Research Center, Hawthorne, New York, USA Abstract 1. Introduction We analyze filename-based privilege escalation attacks, In this work we take another look at the problem of where an attacker creates filesystem links, thereby “trick- privilege escalation via manipulation of filesystem names. ing” a victim program into opening unintended files. Historically, attention has focused on attacks against priv- We develop primitives for a POSIX environment, provid- ileged processes that open files in directories that are ing assurance that files in “safe directories” (such as writable by an attacker. One classical example is email /etc/passwd) cannot be opened by looking up a file by delivery in the UNIX environment (e.g., [9]). Here, an “unsafe pathname” (such as a pathname that resolves the mail-delivery directory (e.g., /var/mail) is often through a symbolic link in a world-writable directory). In group or world writable. An adversarial user may use today's UNIX systems, solutions to this problem are typ- its write permission to create a hard link or symlink at ically built into (some) applications and use application- /var/mail/root that resolves to /etc/passwd. A specific knowledge about (un)safety of certain directories. simple-minded mail-delivery program that appends mail to In contrast, we seek solutions that can be implemented in the file /var/mail/root can have disastrous implica- the filesystem itself (or a library on top of it), thus providing tions for system security. Other historical examples involve protection to all applications. privileged programs that manipulate files under the world- writable /tmp directory [11], or even in a directory of the Our solution is built around the concept of pathname attacker's choice [10]. manipulators, which are roughly the users that can influ- Over time, privileged programs have implemented safety ence the result of a file lookup operation. For each user, we mechanisms to prevent pathname resolution attacks. These distinguish unsafe pathnames from safe pathnames accord- mechanisms, however, are tailored specifically to the pro- ing to whether or not the pathname has any manipulators gram's purpose, are typically implemented in the program other than that user or root. We propose a safe-open itself, and rely on application-specific knowledge about the procedure that keeps track of the safety of the current path- directories where files reside. We believe, however, that the name as it resolves it, and that takes extra precautions while application is fundamentally the wrong place to implement opening files with unsafe pathnames. We prove that our so- these safety mechanisms. lution can prevent a common class of filename-based privi- Recent vulnerability statistics support our position. The lege escalation attacks, and describe our implementation of US National Vulnerability Database [16] lists at least 177 the safe-open procedure as a library function over the entries, since the start of 2008, for symlink-related vulnera- POSIX filesystem interface. We tested our implementation bilities that allow an attacker to either create or delete files, on several UNIX variants to evaluate its implications for or to modify the content or permissions of files. No doubt, systems and applications. Our experiments suggest that this the vast majority of these entries are due to application writ- solution can be deployed in a portable way without break- ers who simply were not aware of the problem. However, ing existing systems, and that it is effective against this class there are even vulnerabilities in system programs, which of pathname resolution attacks. are typically better scrutinized. For example, an unsafe file open vulnerability was reported in the inetd daemon in Solaris 10 [12] when debug logging is enabled. This daemon runs with root privileges and logs debug mes- ∗ This work was supported in part by the Department of Homeland Se- sages to the file /var/tmp/inetd.log if that file ex- curity under grant FA8750-08-2-0091. ists. The file is opened using fopen(DEBUG LOG FILE, "r+"). Since /var/tmp is a world writable directory (such as access/open races [20, 4]). Rather, we directly ad- a local unprivileged user can create a link to any file on dresses the privilege-escalation threat, which is the main the system, and overwrite that file as root with inetd motivation for many of these attacks. Here we focus on the debug messages. A similar example, related to unsafe pathname resolution mechanism, identify a simple security unlink operation, is a reported vulnerability in the Linux property that can be met even in the presence of race con- rc.sysinit script [13] in the initscripts package ditions, and show that this property can be used to prevent before version 8.76.3-1. That vulnerability could be used privilege-escalation attacks. by unprivileged users to delete arbitrary files by creating symbolic links from specific user-writable directories. 1.1. Our contribution In addition to these examples, experiments that we run in the course of this work uncovered a number of (latent) We focus on tightening the connection between files and privilege escalation vulnerabilities, where system processes their names. In most filesystems, programs access files by write or create files as root in directories that are writable providing names (the pathnames), and rely on the filesys- by unprivileged system process. In these cases, a com- tem to resolve these names into pointers to the actual files promise of the unprivileged system process could result in (the file handles). Unfortunately, the relation between files further privilege escalation. These vulnerabilities are de- and their names in POSIX filesystems is murky: Files can scribed in Section 5.3. have more than one name (e.g., due to hard or symbolic These examples demonstrate that it is unrealistic to ex- links), these names can be changed dynamically (e.g., by pect every application (or even every “important applica- renaming a directory), filename resolution may depend on tion”) to implement defenses against these attacks. We con- the current context (e.g., the current working directory), etc. tend that a system-level safety net would be more effective This murky relation obscures the semantics of the name-to- at stopping these problems than trying to fix every affected file translation, and provides system administrators and ap- application, or trying to educate current and future gener- plications writers with ample opportunities to introduce se- ations of application writers. In a world where applica- curity vulnerabilities. Our solution builds on the following tions (and their fragments) are used in environments that concepts: are vastly different from what the application designers had in mind, it is unreasonable to expect that the applications • themselves will distinguish between files that are safe to Ignoring the partition to directories and subdirectories, open and ones that are not. we view the entire path as just one name and examine In this work we seek a general-purpose mechanism that its properties. We introduce the concept of the ma- can be implemented in the file system or in a system library, nipulators of a name, which roughly captures “anyone that allows programs to open files that exist in an “unsafe” who can change the outcome of resolving that name.” environment, knowing that they will not be “tricked” into In POSIX filesystems, the manipulators of a path are opening files that exist in a “safe” environment. Specifi- roughly the users and groups that have write permis- cally, we show how such a mechanism can be implemented sion in any directory along this path. More precisely, over POSIX filesystems. U belongs to the manipulators of a name if the reso- lution of that name visits any directory that is either In a nutshell, our solution can be viewed as identifying owned by U or that U has write permissions for. “unsafe subtrees” of the filesystem directory tree, and tak- ing extra precautions whenever we visit any of them during • Using the concept of manipulators, we distinguish be- the resolution of a pathname. Roughly, a directory is unsafe tween safe names and unsafe names. Roughly, a name for a certain user if anyone other than that user (or root) is safe for some user if only that user can manipu- can write in it. Our basic solution consists of resolving a late it. Specializing this concept to UNIX systems, pathname component by component, enforcing the condi- we call a name “system safe” if its only manipula- tions that once we visit an unsafe node, in the remainder tor is root, and call it “safe for U” if the only ma- of the path we will no longer follow symbolic links or al- nipulators of it are root and U. For example, typi- low pathname elements of `..', nor will we open a file that cally the name /etc/passwd is “system safe”, the has multiple hardlinks. Thus, once we resolve through an name /home/joe/mbox is safe for user joe, and unsafe node, we will not visit nodes that exist outside the the name /var/mail/jane is not safe for anyone subtree rooted at that node.1 (as /var/mail is group or world writable). In contrast with many prior works on filename-based at- tacks, our work is not primarily focused on race conditions • Once we have safe and unsafe pathnames, we can state 1We describe in Section 6.1 a more permissive variant that still provides our main security guarantee. We provide a procedure the same protection against privilege-escalation attacks. safe-open that ensures the following property: If a file has safe names for user U, then a more formal analysis with experimental validation was safe-open will not open it for U using done by Bishop and Dilger [2].
Recommended publications
  • Configuring UNIX-Specific Settings: Creating Symbolic Links : Snap
    Configuring UNIX-specific settings: Creating symbolic links Snap Creator Framework NetApp September 23, 2021 This PDF was generated from https://docs.netapp.com/us-en/snap-creator- framework/installation/task_creating_symbolic_links_for_domino_plug_in_on_linux_and_solaris_hosts.ht ml on September 23, 2021. Always check docs.netapp.com for the latest. Table of Contents Configuring UNIX-specific settings: Creating symbolic links . 1 Creating symbolic links for the Domino plug-in on Linux and Solaris hosts. 1 Creating symbolic links for the Domino plug-in on AIX hosts. 2 Configuring UNIX-specific settings: Creating symbolic links If you are going to install the Snap Creator Agent on a UNIX operating system (AIX, Linux, and Solaris), for the IBM Domino plug-in to work properly, three symbolic links (symlinks) must be created to link to Domino’s shared object files. Installation procedures vary slightly depending on the operating system. Refer to the appropriate procedure for your operating system. Domino does not support the HP-UX operating system. Creating symbolic links for the Domino plug-in on Linux and Solaris hosts You need to perform this procedure if you want to create symbolic links for the Domino plug-in on Linux and Solaris hosts. You should not copy and paste commands directly from this document; errors (such as incorrectly transferred characters caused by line breaks and hard returns) might result. Copy and paste the commands into a text editor, verify the commands, and then enter them in the CLI console. The paths provided in the following steps refer to the 32-bit systems; 64-bit systems must create simlinks to /usr/lib64 instead of /usr/lib.
    [Show full text]
  • IT1100 : Introduction to Operating Systems Chapter 15 What Is a Partition? What Is a Partition? Linux Partitions What Is Swap? M
    IT1100 : Introduction to Operating Systems Chapter 15 What is a partition? A partition is just a logical division of your hard drive. This is done to put data in different locations for flexibility, scalability, ease of administration, and a variety of other reasons. One reason might be so you can install Linux and Windows side-by-side. What is a partition? Another reason is to encapsulate your data. Keeping your system files and user files separate can protect one or the otherfrom malware. Since file system corruption is local to a partition, you stand to lose only some of your data if an accident occurs. Upgrading and/or reformatting is easier when your personal files are stored on a separate partition. Limit data growth. Runaway processes or maniacal users can consume so much disk space that the operating system no longer has room on the hard drive for its bookkeeping operations. This will lead to disaster. By segregating space, you ensure that things other than the operating system die when allocated disk space is exhausted. Linux Partitions In Linux, a minimum of 1 partition is required for the / . Mounting is the action of connecting a filesystem/partition to a particular point in the / root filesystem. I.e. When a usb stick is inserted, it is assigned a particular mount point and is available to the filesytem tree. - In windows you might have an A:, or B:, or C:, all of which point to different filesystems. What is Swap? If RAM fills up, by running too many processes or a process with a memory leak, new processes will fail if your system doesn’t have a way to extend system memory.
    [Show full text]
  • Ubuntu Kung Fu
    Prepared exclusively for Alison Tyler Download at Boykma.Com What readers are saying about Ubuntu Kung Fu Ubuntu Kung Fu is excellent. The tips are fun and the hope of discov- ering hidden gems makes it a worthwhile task. John Southern Former editor of Linux Magazine I enjoyed Ubuntu Kung Fu and learned some new things. I would rec- ommend this book—nice tips and a lot of fun to be had. Carthik Sharma Creator of the Ubuntu Blog (http://ubuntu.wordpress.com) Wow! There are some great tips here! I have used Ubuntu since April 2005, starting with version 5.04. I found much in this book to inspire me and to teach me, and it answered lingering questions I didn’t know I had. The book is a good resource that I will gladly recommend to both newcomers and veteran users. Matthew Helmke Administrator, Ubuntu Forums Ubuntu Kung Fu is a fantastic compendium of useful, uncommon Ubuntu knowledge. Eric Hewitt Consultant, LiveLogic, LLC Prepared exclusively for Alison Tyler Download at Boykma.Com Ubuntu Kung Fu Tips, Tricks, Hints, and Hacks Keir Thomas The Pragmatic Bookshelf Raleigh, North Carolina Dallas, Texas Prepared exclusively for Alison Tyler Download at Boykma.Com Many of the designations used by manufacturers and sellers to distinguish their prod- ucts are claimed as trademarks. Where those designations appear in this book, and The Pragmatic Programmers, LLC was aware of a trademark claim, the designations have been printed in initial capital letters or in all capitals. The Pragmatic Starter Kit, The Pragmatic Programmer, Pragmatic Programming, Pragmatic Bookshelf and the linking g device are trademarks of The Pragmatic Programmers, LLC.
    [Show full text]
  • File Formats
    man pages section 4: File Formats Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 817–3945–10 September 2004 Copyright 2004 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, docs.sun.com, AnswerBook, AnswerBook2, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
    [Show full text]
  • Mac Keyboard Shortcuts Cut, Copy, Paste, and Other Common Shortcuts
    Mac keyboard shortcuts By pressing a combination of keys, you can do things that normally need a mouse, trackpad, or other input device. To use a keyboard shortcut, hold down one or more modifier keys while pressing the last key of the shortcut. For example, to use the shortcut Command-C (copy), hold down Command, press C, then release both keys. Mac menus and keyboards often use symbols for certain keys, including the modifier keys: Command ⌘ Option ⌥ Caps Lock ⇪ Shift ⇧ Control ⌃ Fn If you're using a keyboard made for Windows PCs, use the Alt key instead of Option, and the Windows logo key instead of Command. Some Mac keyboards and shortcuts use special keys in the top row, which include icons for volume, display brightness, and other functions. Press the icon key to perform that function, or combine it with the Fn key to use it as an F1, F2, F3, or other standard function key. To learn more shortcuts, check the menus of the app you're using. Every app can have its own shortcuts, and shortcuts that work in one app may not work in another. Cut, copy, paste, and other common shortcuts Shortcut Description Command-X Cut: Remove the selected item and copy it to the Clipboard. Command-C Copy the selected item to the Clipboard. This also works for files in the Finder. Command-V Paste the contents of the Clipboard into the current document or app. This also works for files in the Finder. Command-Z Undo the previous command. You can then press Command-Shift-Z to Redo, reversing the undo command.
    [Show full text]
  • Powershell Integration with Vmware View 5.0
    PowerShell Integration with VMware® View™ 5.0 TECHNICAL WHITE PAPER PowerShell Integration with VMware View 5.0 Table of Contents Introduction . 3 VMware View. 3 Windows PowerShell . 3 Architecture . 4 Cmdlet dll. 4 Communication with Broker . 4 VMware View PowerCLI Integration . 5 VMware View PowerCLI Prerequisites . 5 Using VMware View PowerCLI . 5 VMware View PowerCLI cmdlets . 6 vSphere PowerCLI Integration . 7 Examples of VMware View PowerCLI and VMware vSphere PowerCLI Integration . 7 Passing VMs from Get-VM to VMware View PowerCLI cmdlets . 7 Registering a vCenter Server . .. 7 Using Other VMware vSphere Objects . 7 Advanced Usage . 7 Integrating VMware View PowerCLI into Your Own Scripts . 8 Scheduling PowerShell Scripts . 8 Workflow with VMware View PowerCLI and VMware vSphere PowerCLI . 9 Sample Scripts . 10 Add or Remove Datastores in Automatic Pools . 10 Add or Remove Virtual Machines . 11 Inventory Path Manipulation . 15 Poll Pool Usage . 16 Basic Troubleshooting . 18 About the Authors . 18 TECHNICAL WHITE PAPER / 2 PowerShell Integration with VMware View 5.0 Introduction VMware View VMware® View™ is a best-in-class enterprise desktop virtualization platform. VMware View separates the personal desktop environment from the physical system by moving desktops to a datacenter, where users can access them using a client-server computing model. VMware View delivers a rich set of features required for any enterprise deployment by providing a robust platform for hosting virtual desktops from VMware vSphere™. Windows PowerShell Windows PowerShell is Microsoft’s command line shell and scripting language. PowerShell is built on the Microsoft .NET Framework and helps in system administration. By providing full access to COM (Component Object Model) and WMI (Windows Management Instrumentation), PowerShell enables administrators to perform administrative tasks on both local and remote Windows systems.
    [Show full text]
  • Tinkertool System 7 Reference Manual Ii
    Documentation 0642-1075/2 TinkerTool System 7 Reference Manual ii Version 7.5, August 24, 2021. US-English edition. MBS Documentation 0642-1075/2 © Copyright 2003 – 2021 by Marcel Bresink Software-Systeme Marcel Bresink Software-Systeme Ringstr. 21 56630 Kretz Germany All rights reserved. No part of this publication may be redistributed, translated in other languages, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written permission of the publisher. This publication may contain examples of data used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. The publisher may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Make sure that you are using the correct edition of the publication for the level of the product. The version number can be found at the top of this page. Apple, macOS, iCloud, and FireWire are registered trademarks of Apple Inc. Intel is a registered trademark of Intel Corporation. UNIX is a registered trademark of The Open Group. Broadcom is a registered trademark of Broadcom, Inc. Amazon Web Services is a registered trademark of Amazon.com, Inc.
    [Show full text]
  • File Permissions Do Not Restrict Root
    Filesystem Security 1 General Principles • Files and folders are managed • A file handle provides an by the operating system opaque identifier for a • Applications, including shells, file/folder access files through an API • File operations • Access control entry (ACE) – Open file: returns file handle – Allow/deny a certain type of – Read/write/execute file access to a file/folder by – Close file: invalidates file user/group handle • Access control list (ACL) • Hierarchical file organization – Collection of ACEs for a – Tree (Windows) file/folder – DAG (Linux) 2 Discretionary Access Control (DAC) • Users can protect what they own – The owner may grant access to others – The owner may define the type of access (read/write/execute) given to others • DAC is the standard model used in operating systems • Mandatory Access Control (MAC) – Alternative model not covered in this lecture – Multiple levels of security for users and documents – Read down and write up principles 3 Closed vs. Open Policy Closed policy Open Policy – Also called “default secure” • Deny Tom read access to “foo” • Give Tom read access to “foo” • Deny Bob r/w access to “bar” • Give Bob r/w access to “bar • Tom: I would like to read “foo” • Tom: I would like to read “foo” – Access denied – Access allowed • Tom: I would like to read “bar” • Tom: I would like to read “bar” – Access allowed – Access denied 4 Closed Policy with Negative Authorizations and Deny Priority • Give Tom r/w access to “bar” • Deny Tom write access to “bar” • Tom: I would like to read “bar” – Access
    [Show full text]
  • 21Files2.Pdf
    Here is a portion of a Unix directory tree. The ovals represent files, the rectangles represent directories (which are really just special cases of files). A simple implementation of a directory consists of an array of pairs of component name and inode number, where the latter identifies the target file’s inode to the operating system (an inode is data structure maintained by the operating system that represents a file). Note that every directory contains two special entries, “.” and “..”. The former refers to the directory itself, the latter to the directory’s parent (in the case of the slide, the directory is the root directory and has no parent, thus its “..” entry is a special case that refers to the directory itself). While this implementation of a directory was used in early file systems for Unix, it suffers from a number of practical problems (for example, it doesn’t scale well for large directories). It provides a good model for the semantics of directory operations, but directory implementations on modern systems are more complicated than this (and are beyond the scope of this course). Here are two directory entries referring to the same file. This is done, via the shell, through the ln command which creates a (hard) link to its first argument, giving it the name specified by its second argument. The shell’s “ln” command is implemented using the link system call. Here are the (abbreviated) contents of both the root (/) and /etc directories, showing how /unix and /etc/image are the same file. Note that if the directory entry /unix is deleted (via the shell’s “rm” command), the file (represented by inode 117) continues to exist, since there is still a directory entry referring to it.
    [Show full text]
  • You Cannot Close Ms Word Application By
    You Cannot Close Ms Word Application By Tucked Alley still axes: tamest and veilless Fremont reformulated quite unblushingly but gormandise her gunfight terrifyingly. Manuel often mell reproductively when primsie Ewan manumit chiefly and turtle her garrulousness. Ferruginous Mattias dissipating, his synergy gabs beeswaxes above-board. Start on your document in the training as Thorough knowledge of all system application will allow you cannot close ms word application by microsoft word keeps freezing is one you had zero interest payments from reporting services. There are by an issue. When working in Microsoft Word, the program may suddenly freeze up, becoming unresponsive. But just like the previous one, we also have a solution for this. Your email address will not be published. This links to the native file; that is, the original file as created in its associated application. We cannot close ms word application you cannot close microsoft word. Which of the following series type is not valid for Fill Series dialog box? If you cannot use range objects in handy in windows operating systems with word application you cannot close ms edge from word in microsoft office can go into a type is. Not receive a better job is where required by selecting the ms word application you by signing and later. For this condition occurs if you cannot close by word application recovery process. Windows is the easiest and fastest way to free up space on your hard drive. Are you sure you want to delete this link? But this may have unexpected side effects. Check to see if data can be copied and pasted from a word file.
    [Show full text]
  • Switch Windows 10 from RAID/IDE to AHCI Switch Windows 10 from RAID/IDE to AHCI
    Portal > Knowledgebase > Microsoft Windows > Switch Windows 10 from RAID/IDE to AHCI Switch Windows 10 from RAID/IDE to AHCI Support Team - 2021-09-23 - 46 Comments - in Microsoft Windows Some systems will have the Windows operating system installed using RAID drivers including the Intel Rapid Storage Technology. SSD drives typically perform better using AHCI drivers. There is in fact a way to switch operation from either IDE / RAID to AHCI within Windows 10 without having to reinstall. Here are the steps: Click the Start Button and type cmd Right-click the result and select Run as administrator Type this command and press ENTER: bcdedit /set {current} safeboot minimal (ALT: bcdedit /set safeboot minimal) Restart the computer and enter BIOS Setup Change the SATA Operation mode to AHCI from either IDE or RAID Save changes and exit Setup and Windows will automatically boot to Safe Mode. Right-click the Windows Start Menu once more. Choose Command Prompt (Admin). Type this command and press ENTER: bcdedit /deletevalue {current} safeboot (ALT: bcdedit /deletevalue safeboot) Reboot once more and Windows will automatically start with AHCI drivers enabled. Tags AHCI Intel Rapid Storage RAID Windows Windows 10 Windows 7 Windows 8 Comments (46) Chris Tue, 13th Nov 2018 8:30am Correction. There *must* be a space between bcdedit and the forward slash. There is no command called "bcdedit/set" (for good reason) Good information and thank you - it worked nicely. :) Waron Thu, 22nd Nov 2018 8:22am this works, thanks I used the ALT commands Jeffrey Wed, 2nd Jan 2019 1:50pm This approach worked on my Windows 10 machine - which should have been set up with AHCI in the first place since all of my drives are SSD.
    [Show full text]
  • An Incremental Path Towards a Safer OS Kernel
    An Incremental Path Towards a Safer OS Kernel Jialin Li Samantha Miller Danyang Zhuo University of Washington University of Washington Duke University Ang Chen Jon Howell Thomas Anderson Rice University VMware Research University of Washington LoC Abstract Incremental Progress Tens of Linux Safe Linux Linux has become the de-facto operating system of our age, Millions FreeBSD but its vulnerabilities are a constant threat to service availabil- Hundreds of Singularity ity, user privacy, and data integrity. While one might scrap Thousands Biscuit Linux and start over, the cost of that would be prohibitive due Theseus Thousands RedLeaf seL4 to Linux’s ubiquitous deployment. In this paper, we propose Hyperkernel Safety an alternative, incremental route to a safer Linux through No Type Ownership Functional proper modularization and gradual replacement module by Guarantees Safety Safety Verification module. We lay out the research challenges and potential Figure 1: Our vision and the current state of systems. solutions for this route, and discuss the open questions ahead. security vulnerabilities are reported each year, and lifetime CCS Concepts analysis suggests that the new code added this year has intro- duced tens of thousands of more bugs. ! • Software and its engineering Software verification; While operating systems are far from the only source of se- ! • Computer systems organization Reliability. curity vulnerabilities, it is hard to envision building trustwor- Keywords thy computer systems without addressing operating system correctness. kernel safety, verified systems, reliable systems One attractive option is to scrap Linux and start over. Many ACM Reference Format: past works focus on building more secure and correct op- Jialin Li, Samantha Miller, Danyang Zhuo, Ang Chen, Jon Howell, erating systems from the ground up: ones based on strong and Thomas Anderson.
    [Show full text]