Cloud computing dramatically impacted the way we play, work and live. It has been widely adopted in many sectors mainly because it reduces the cost of performing tasks in a flexible, scalable and reliable way. The highest possible level of protection must be applied in order to provide a secure cloud computing architecture. Unfortunately, the cloud computing paradigm introduces new scenarios where security protection techniques are weakened or disabled to obtain better performance and resources exploitation. An important case is the memory deduplication mechanism which is canceled by the address space layout randomization (ASLR) protection technique. In this paper, we present a precise analysis of the impact on the memory deduplication technique when kernel randomization is enabled. Our experiments show that the memory overhead to run 24 kernels is increased by 534% (from 613 MiB to 3.9 GiB) when kernel ASLR is enabled.
Given the significance that the cloud paradigm has in modern society, it is extremely important to provide security to users at all levels, especially at the most fundamental ones since these are the most sensitive and potentially harmful in the event of an attack. However, the cloud computing paradigm brings new challenges in which security mechanisms are weakened or deactivated to improve profitability and exploitation of the available resources. Kernel randomization is an important security mechanism that is currently present in all main operating systems. Function-Granular Kernel Randomization is a new step that aims to be the future of the kernel randomization, because it provides much more security than current kernel randomization approaches. Unfortunately, function-granular kernel randomization also impacts significantly on the performance and potential benefits of memory deduplication. Both functiongranular kernel randomization and memory deduplication are desired and beneficial; the first for the strong protection it gives, and the second for the reduction of costs in terms of memory consumption. In this paper, we analyse the impact of function-granular kernel randomization on memory deduplication revealing why it cannot offer maximum security and shareability of memory simultaneously. We also discuss the reasons why having a full position independent kernel code counter-intuitively does not solve the problem introducing a challenge to kernel randomization designers. To solve these problems, we propose a functiongranular kernel randomization modification for cloud systems that enables full function-granular kernel randomization while reduces memory deduplication cancellations to almost zero. The proposed approach forces guest kernels of the same tenant to have the same random memory layout of memory regions with high impact on deduplication, ensuring a high rate of deduplicated pages while the kernel randomization is fully enabled. Our approach enables cloud providers to have both, high levels of security and an efficient use of resources.
Due to the impracticability of generating true randomness by running deterministic algorithms in computers, boot-loaders and operating systems undergo the lack of enough supplies of entropy at boot-time. This problem remains a challenge and affects all computer systems, including virtualization technologies. Unfortunately, this situation leads to undesired side effects, affecting the security of important kernel components and causing large blocking waits in the start-up of userland processes. For example, SSHD is delayed up to 4 minutes. In this paper, we analyze the boot-time entropy starvation problem, performing a comprehensive analysis of the Linux kernel boot process revealing that the problem not only affects userland applications but up to 33 kernel functions at boot time. Those functions are weakly fed by random numbers from a non-initialized CSPRNG. To overcome this problem, we propose E-Boot, a novel technique that provides high-quality random numbers to guest virtual machines. E-Boot is the first technique that completely satisfies the entropy demand of virtualized boot-loaders and operating systems at boot time. We have implemented E-Boot in Linux v5.3 and our experiments show that it effectively solves the boot-time entropy starvation problem. Our proposal successfully feeds bootloaders and boot time Linux kernel hardening techniques with high-quality random numbers, reducing also to zero the number of userspace blocks and delays. The total time overhead introduced by E-Boot is around 2 µs and has zero memory overhead, since the memory is freed before the kernel boot ends, which makes E-boot a practical solution for cloud systems.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.