Detecting Malicious Data in Shared Kernel Objects under Compartmentalization

Determine principled criteria and runtime or static analysis techniques to decide whether the content of shared kernel objects that are co-owned by a de-privileged compartment and the rest of the kernel is malicious, in compartmentalization settings that maintain multiple synchronized copies of shared objects (such as approaches exemplified by LVD and KSplit).

Background

In OS kernel compartmentalization, some resources must be shared between the compartment and the rest of the kernel for functionality. Prior systems (e.g., LVD and KSplit) manage such shared objects by maintaining multiple copies and synchronizing them as needed, which addresses correctness and consistency but not necessarily the integrity of the shared data.

Within the paper's setting of on-the-fly kernel compartmentalization enforced via eBPF, the authors acknowledge that, even with mechanisms to copy and synchronize shared objects, there is no reliable way to decide whether the data in those objects has been maliciously manipulated. Synchronization faithfully propagates whatever a compromised compartment wrote into its replica, including values that satisfy every structural invariant yet are wrong, so attacks that travel through shared state are not prevented by the copying mechanism alone.
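The following is an added illustration, not code from the paper, LVD or KSplit, of what a synchronized-copy scheme can and cannot decide. It models a hypothetical shared receive descriptor co-owned by a de-privileged driver compartment and the kernel; the struct layout, the buffer-pool constants and the function names are assumptions for this example only. Synchronizing the compartment's replica into the kernel's master copy is gated on mechanically checkable invariants (pointer inside the pool, offset and length inside the buffer, no undefined flag bits), which catches corrupt descriptors, while a descriptor that is well-formed but reports a length the device never wrote passes unchanged. That last case is the gap the paper describes.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Hypothetical shared object co-owned by a de-privileged driver compartment
 * and the rest of the kernel: a simplified receive descriptor. Layout,
 * constants and names are assumptions for this example only.
 */
struct rx_desc {
    uintptr_t buf_addr; /* start of the DMA buffer inside a fixed pool */
    uint32_t  buf_off;  /* payload offset inside that buffer */
    uint32_t  buf_len;  /* payload length the compartment reports */
    uint32_t  flags;    /* status bits; only FLAGS_VALID may be set */
};

#define BUF_POOL_BASE 0x10000UL
#define BUF_POOL_SIZE 0x4000UL   /* 8 buffers of BUF_SIZE */
#define BUF_SIZE      2048u
#define FLAGS_VALID   0x0000ffffu

enum sync_result { SYNC_OK = 0, SYNC_REJECTED = 1 };

/*
 * Syntactic invariants the kernel can check mechanically: the buffer
 * pointer must be a buffer boundary inside the pool, offset + length must
 * fit in one buffer (offset is bounded first so the subtraction cannot
 * wrap), and no undefined flag bits may be set.
 */
static bool rx_desc_well_formed(const struct rx_desc *d)
{
    if (d->buf_addr < BUF_POOL_BASE ||
        d->buf_addr >= BUF_POOL_BASE + BUF_POOL_SIZE)
        return false;
    if ((d->buf_addr - BUF_POOL_BASE) % BUF_SIZE != 0)
        return false;
    if (d->buf_off > BUF_SIZE || d->buf_len > BUF_SIZE - d->buf_off)
        return false;
    if (d->flags & ~FLAGS_VALID)
        return false;
    return true;
}

/*
 * Synchronize the compartment's replica into the kernel's master copy.
 * This is the direction in which tampered data enters the kernel, so the
 * copy is gated on the invariants above.
 */
enum sync_result sync_from_compartment(const struct rx_desc *replica,
                                       struct rx_desc *master)
{
    if (!rx_desc_well_formed(replica))
        return SYNC_REJECTED;
    *master = *replica;
    return SYNC_OK;
}

/* Constructed benign replica: second pool buffer, 60-byte payload. */
enum sync_result demo_benign(void)
{
    struct rx_desc master = {0};
    struct rx_desc replica = { .buf_addr = BUF_POOL_BASE + BUF_SIZE,
                               .buf_off = 0, .buf_len = 60, .flags = 0x1 };
    return sync_from_compartment(&replica, &master);
}

/* Constructed tampered replica: payload would run past the buffer end. */
enum sync_result demo_out_of_bounds(void)
{
    struct rx_desc master = {0};
    struct rx_desc replica = { .buf_addr = BUF_POOL_BASE,
                               .buf_off = 2000, .buf_len = 100, .flags = 0x1 };
    return sync_from_compartment(&replica, &master);
}

/* Constructed tampered replica: pointer outside the pool entirely. */
enum sync_result demo_foreign_pointer(void)
{
    struct rx_desc master = {0};
    struct rx_desc replica = { .buf_addr = 0xdead0000UL,
                               .buf_off = 0, .buf_len = 60, .flags = 0x1 };
    return sync_from_compartment(&replica, &master);
}

/*
 * The gap: a replica that is well-formed but wrong. The compartment reports
 * buf_len = 1500 although, by construction in this example, the device only
 * wrote 60 bytes. Every invariant holds, so the sync accepts the descriptor
 * and the kernel will later consume 1440 bytes of stale buffer contents.
 */
enum sync_result demo_well_formed_but_wrong(void)
{
    struct rx_desc master = {0};
    struct rx_desc replica = { .buf_addr = BUF_POOL_BASE,
                               .buf_off = 0, .buf_len = 1500, .flags = 0x1 };
    return sync_from_compartment(&replica, &master);
}
```

The two rejected cases are what copy-and-validate schemes handle today; the accepted-but-wrong case is the one for which the page asks for principled criteria, because deciding it needs knowledge of device or protocol state that the descriptor itself does not carry.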

References

While these works provide mechanisms to maintain multiple copies of shared objects and synchronize the data when required, determining whether the stored data is malicious or not remains an open challenge thus far.

When eBPF Meets Machine Learning: On-the-fly OS Kernel Compartmentalization (arXiv:2401.05641, Wang et al., 2024), Section: Discussion and Future Works, Shared Objects