Institut für Betriebssysteme und Rechnerverbund
- News
- Wir über uns
- Connected and Mobile Systems
- Verlässliche Systemsoftware
  - Übersicht
  - Team
  - Lehre
  - Arbeiten & Jobs
  - Forschung
  - Publikationen
- Algorithmik
- Mikroprozessorlabor
- Studium
- Service
- Spin-Offs
  - Docoloc
  - bliq (formerly AIPARK)
  - Confidential Technologies
- Forschungsverbünde
  - IST.hub

Attack Surface Reduction for Linux

Software projects grow very large as they become popular, due to the support of a large number of new and legacy features. This results in complex systems that often expose a large attack surface for attackers to exploit. The Linux kernel exemplifies this problem, due to the large amount of features that are included by default in current Linux distributions.

In this project, we explore various techniques to reduce the attack surface of the Linux kernel, by identifying and disabling access to unnecessary features. We investigate run time and per-process attack surface reduction (e.g., by automatically deducing the set of kernel functions a process requires), as well as compilation time and system-wide attack surface reduction (e.g., by automatically producing small kernel configurations). We also create metrics to measure those attack surface, to better compare the effectiveness of each approach.

Our results show that such "economy of mechanism" approaches greatly improve overall system security, and also indicates that other large software projects can benefit from such approaches.

Project members

IBM Research GmbH (Switzerland)

Project members at IBR

Prof. Dr. Rüdiger Kapitza
Ehemaliger Abteilungsleiter
rrkapitz[[at]]ibr.cs.tu-bs.de

Dr. Anil Kurmus
Ehemaliger Externer Doktorand

Research assistants at IBR

Jannik Hartung
Hiwi

Signe Rüsch
Ehemalige Wissenschaftliche Mitarbeiterin
ruesch[[at]]ibr.cs.tu-bs.de

Publications

Anil Kurmus, Reinhard Tartler, Daniela Dorneanu, Bernhard Heinloth, Valentin Rothberg, Andreas Ruprecht, Wolfgang Schröder-Preikschat, Daniel Lohmann and Rüdiger Kapitza: Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring, in Proceedings of the 20th Network and Distributed System Security Symposium (NDSS '13), Internet Society (ISOC), San Diego, CA United States, 2013 (kurmus13ndss, BibTeX)
Anil Kurmus, Alessandro Sorniotti and Rüdiger Kapitza: Attack Surface Reduction For Commodity OS Kernels, in Proceedings of the Fourth European Workshop on System Security, Engin Kirda and Steven Hand, Salzburg,Austria, 2011 (kurmus11ktrim, BibTeX)
Reinhard Tartler, Anil Kurmus, Andreas Ruprecht, Bernhard Heinloth, Valentin Rothberg, Daniela Dorneanu, Rüdiger Kapitza, Wolfgang Schröder-Preikschat and Daniel Lohmann: Automatic OS Kernel TCB Reductionby Leveraging Compile-Time Configurability, in Proceedings of the 8th Workshop on Hot Topics in System Dependability (HotDep '12), USENIX, Hollywood, CA, USA, 2012 (tartler12hotdep, BibTeX)

Theses

Titel	Art	Betreuer	Status
Linux Kernel Attack Surface Reduction Measurement	Masterarbeit	Prof. Dr. Rüdiger Kapitza	abgeschlossen
Kernel as a Service - Custom tailored kernels for the cloud	Bachelorarbeit	Prof. Dr. Rüdiger Kapitza	abgeschlossen 2013

If you are interested in writing a thesis regarding this project, please feel free to contact us.

Attack Surface Reduction for Linux

Project members

Project members at IBR

Research assistants at IBR

Publications

Theses

Links

Für alle

Für Studierende

Interne Tools

Kontakt