Salus: Kernel Support for Secure Process Compartments

Strackx, Raoul and Agten, Pieter and Avonds, Niels and Piessens, Frank (2015) Salus: Kernel Support for Secure Process Compartments. EAI Endorsed Transactions on Security and Safety, 2 (3). e1. ISSN 2032-9393

[thumbnail of sesa.2.3.e1.pdf]
Available under License Creative Commons Attribution No Derivatives.

Download (892kB) | Preview


Consumer devices are increasingly being used to perform security and privacy critical tasks. The software used to perform these tasks is often vulnerable to attacks, due to bugs in the application itself or in included software libraries. Recent work proposes the isolation of security-sensitive parts of applications into protected modules, each of which can be accessed only through a predefined public interface. But most parts of an application can be considered security-sensitive at some level, and an attacker who is able to gain inapplication level access may be able to abuse services from protected modules.

We propose Salus, a Linux kernel modification that provides a novel approach for partitioning processes into isolated compartments sharing the same address space. Salus significantly reduces the impact of insecure interfaces and vulnerable compartments by enabling compartments (1) to restrict the system calls they are allowed to perform, (2) to authenticate their callers and callees and (3) to enforce that they can only be accessed via unforgeable references. We describe the design of Salus, report on a prototype implementation and evaluate it in terms of security and performance. We show that Salus provides a significant security improvement with a low performance overhead, without relying on any non-standard hardware support.

Item Type: Article
Uncontrolled Keywords: Privilege separation, principle of least privilege, modularization
Subjects: H Social Sciences > H Social Sciences (General)
Q Science > QA Mathematics > QA75 Electronic computers. Computer science
QA75 Electronic computers. Computer science
Depositing User: EAI Editor IV
Date Deposited: 26 Mar 2021 13:50
Last Modified: 26 Mar 2021 13:50

Actions (login required)

View Item
View Item