
Pointer Fault Isolation Method for Kernel Modules
Abstract: In modern operating systems, drivers and file systems run as kernel modules, and most kernel-module operations use pointers, so the reliability of pointer use in kernel modules directly determines whether the operating system can run stably over the long term. This paper presents PFI, a pointer fault isolation method for kernel modules that prevents pointer-related faults from executing without modifying the kernel. PFI is implemented on the LLVM compilation framework and works in two phases: variable marking and data detection. Variable marking finds definite bugs at compile time from the semantics of the code context, which greatly reduces the extra overhead incurred at runtime. Data detection instruments checking code for sensitive data ahead of each potential bug and performs the checks dynamically at runtime, so that faults arising from dynamically changing data are found precisely. PFI was implemented on Linux and evaluated with a network card driver. The experimental results show that, by combining static and dynamic techniques, PFI isolates module faults effectively without a significant performance impact.
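Source: Journal of Chinese Computer Systems (《小型微型计算机系统》), CSCD, Peking University Core Journal, 2015, Issue 5, pp. 1127-1132 (6 pages)
Funding: Supported by the National High Technology Research and Development Program of China ("863" Program) (2011AA01A203)
Keywords: kernel module; pointer; LLVM; fault isolation; variable marking; data detection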