BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS

TL;DR

BULKHEAD introduces a hardware-assisted kernel compartmentalization method that enhances security, scalability, and efficiency by isolating kernel components using Intel's PKS, with minimal performance impact.

Contribution

The paper presents BULKHEAD, a novel kernel compartmentalization system leveraging Intel PKS for bi-directional isolation and scalability to unlimited compartments.

Findings

Achieves an average overhead of 2.44% on real-world applications.

Supports up to unlimited compartments with minimal performance degradation.

Effectively enforces security invariants like data integrity and execute-only memory.

Abstract

The endless stream of vulnerabilities urgently calls for principled mitigation to confine the effect of exploitation. However, the monolithic architecture of commodity OS kernels, like the Linux kernel, allows an attacker to compromise the entire system by exploiting a vulnerability in any kernel component. Kernel compartmentalization is a promising approach that follows the least-privilege principle. However, existing mechanisms struggle with the trade-off on security, scalability, and performance, given the challenges stemming from mutual untrustworthiness among numerous and complex components. In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique that offers bi-directional isolation for unlimited compartments. It leverages Intel's new hardware feature PKS to isolate data and code into mutually untrusted compartments and benefits from its fast compartment switching. With untrust in mind, BULKHEAD introduces a lightweight in-kernel monitor that enforces multiple important security invariants, including data integrity, execute-only memory, and compartment interface integrity. In addition, it provides a locality-aware two-level scheme that scales to unlimited compartments. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation confirms the effectiveness of our approach. As the system-wide impacts, BULKHEAD incurs an average performance overhead of 2.44% for real-world applications with 160 compartmentalized LKMs. While focusing on a specific compartment, ApacheBench tests on ipv6 show an overhead of less than 2%. Moreover, the performance is almost unaffected by the number of compartments, which makes it highly scalable.