SILVER: Fine-Grained and Transparent Protection Domain Primitives in Commodity OS Kernel

Untrusted kernel extensions remain one of the major threats to the security of commodity OS kernels. Current containment approaches still have limitations in terms of security, granularity and flexibility, primarily due to the absence of secure resource management and communication methods. This paper presents SILVER, a framework that offers transparent protection domain primitives to achieve fine-grained access control and secure communication between OS kernel and extensions. SILVER keeps track of security properties (e.g., owner principal and integrity level) of data objects in kernel space with a novel security-aware memory management scheme, which enables fine-grained access control in an effective manner. Moreover, SILVER introduces secure primitives for data communication between protection domains based on a unified integrity model. SILVER’s protection domain primitives provide great flexibility by allowing developers to explicitly define security properties of individual program data, as well as control privilege delegation, data transfer and service exportation. We have implemented a prototype of SILVER in Linux. The evaluation results reveal that SILVER is effective against various kinds of kernel threats with a reasonable performance and resource overhead.