According to security researchers, most critical Linux kernel vulnerabilities could be eliminated entirely, or reduced to less-than-critical severity, by an OS design based on a verified microkernel.
To make their point, a group of academic and government-backed researchers carried out a systematic study of the critical Linux kernel flaws reported in 2017. Their findings show that hardly any of these flaws would remain critical under a microkernel-based design, and that 40% could be eliminated completely with a verified microkernel. The researchers are from Data61, part of the Australian government's Commonwealth Scientific and Industrial Research Organisation (CSIRO), and the University of New South Wales in Sydney.
The study is to be presented at APSys 2018 (ACM Asia-Pacific Workshop on Systems). The paper argues:
The security benefits of keeping a system’s trusted computing base (TCB) small has long been accepted as a truism, as has the use of internal protection boundaries for limiting the damage caused by exploits. Applied to the operating system, this argues for a small microkernel as the core of the TCB, with OS services separated into mutually-protected components (servers) – in contrast to ‘monolithic’ designs.
In a microkernel design most OS components are isolated from one another and run with reduced privileges, so a vulnerability in one component is far less likely to lead to compromise of the whole system. The same separation gives fine-grained control over access rights, which enables a true least-privilege design, the researchers point out.
In a monolithic OS, compromising one (kernel-provided) service compromises the whole system, therefore the whole multi-million-SLOC kernel is in every application’s TCB. In contrast, in a microkernel-based system, the TCB of an application becomes highly dependent on the system services it uses.
The same argument applies to Windows and macOS, although the paper focuses on Linux. The Windows kernel, for instance, keeps growing: the paper puts a recent version at 60 to 65 MSLOC.
How was the research conducted?
The researchers analyzed every critical security flaw in the Linux kernel listed in the CVE repository for 2017, asking whether a microkernel-based design would have improved the outcome. They found that 96% of these critical bugs would no longer be critical under a microkernel-based design; 40% would be eliminated entirely by a verified microkernel, and 29% by an unverified one.
A good example is CVE-2015-4001, an integer signedness error in the Linux OZWPAN driver: a memory-safety bug in an in-kernel driver, exactly the kind of component a microkernel design would isolate at user level. The paper describes it as follows:
An example of this category is CVE-2015-4001, which describes an integer signedness error in the OZWPAN driver. This driver is a USB host controller device driver which does not have a hardware device associated with it, but instead is used to communicate with a wireless peripheral over Wi-Fi. The integer signedness error can lead to the result of a subtraction becoming negative, causing a memcpy operation to interpret the value as an intention to copy large amounts of network-supplied data into a heap buffer. An attacker can insert a payload into a crafted packet to trigger the error and inject data. Since Linux loads the driver into the kernel, it could cause a denial of service by crashing the kernel, or could possibly execute arbitrary code with kernel privileges.
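The bug class the quote describes, shown as an added illustration that is not code from the paper or from the OZWPAN driver: a hypothetical driver routine reads an attacker-controlled length from a packet, subtracts a fixed header size in signed arithmetic and hands the result to memcpy, beside a hardened version that validates in unsigned arithmetic before subtracting. The packet layout, function names and sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical packet layout (constructed for the example, not the OZWPAN
 * wire format): a 16-bit big-endian "total length" field, two more header
 * bytes, then payload. HDR_LEN covers all four header bytes. */
#define HDR_LEN 4
#define BUF_LEN 64

/* Constructed sample packets (not captured traffic). */
static const uint8_t benign_pkt[] = { 0x00, 0x0c, 0xaa, 0xbb, 1, 2, 3, 4, 5, 6, 7, 8 }; /* total_len = 12 */
static const uint8_t short_pkt[]  = { 0x00, 0x02, 0xaa, 0xbb };                         /* total_len = 2 < HDR_LEN */
static const uint8_t over_pkt[]   = { 0xff, 0xff, 0xaa, 0xbb, 1, 2, 3, 4 };             /* claims 65535 bytes */

/* Vulnerable pattern: the length is subtracted in signed arithmetic, so a
 * claimed length smaller than the header makes payload_len negative. The
 * signed bounds check then passes, and memcpy receives (size_t)payload_len,
 * i.e. a value near SIZE_MAX, overrunning the heap buffer with packet data. */
static int copy_payload_vulnerable(uint8_t *dst, size_t dst_len,
                                   const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN)
        return -1;
    int total_len = (pkt[0] << 8) | pkt[1];  /* 0..65535, attacker controlled */
    int payload_len = total_len - HDR_LEN;   /* negative when total_len < HDR_LEN */

    if (payload_len > (int)dst_len)          /* a negative value sails through */
        return -1;
    memcpy(dst, pkt + HDR_LEN, (size_t)payload_len);
    return payload_len;
}

/* The byte count the vulnerable routine would pass to memcpy, computed
 * without performing the copy so the demonstration is safe to execute. */
static size_t vulnerable_memcpy_size(const uint8_t *pkt)
{
    int total_len = (pkt[0] << 8) | pkt[1];
    int payload_len = total_len - HDR_LEN;
    return (size_t)payload_len;
}

/* Hardened version: keep the length unsigned, reject it if it is smaller
 * than the header or larger than the bytes actually received, and only then
 * subtract. No underflow is possible and the copy never over-reads the
 * packet or overflows the destination. */
static int copy_payload_hardened(uint8_t *dst, size_t dst_len,
                                 const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN)
        return -1;
    size_t total_len = ((size_t)pkt[0] << 8) | pkt[1];
    if (total_len < HDR_LEN || total_len > pkt_len)
        return -1;                           /* claimed length is inconsistent */
    size_t payload_len = total_len - HDR_LEN;
    if (payload_len > dst_len)
        return -1;
    memcpy(dst, pkt + HDR_LEN, payload_len);
    return (int)payload_len;
}

int main(void)
{
    uint8_t buf[BUF_LEN];

    printf("benign packet: vulnerable copies %d bytes, hardened copies %d bytes\n",
           copy_payload_vulnerable(buf, sizeof buf, benign_pkt, sizeof benign_pkt),
           copy_payload_hardened(buf, sizeof buf, benign_pkt, sizeof benign_pkt));

    /* The vulnerable routine is deliberately not called on short_pkt: it would
     * memcpy this many bytes and crash the process (or the kernel, in a driver). */
    printf("short packet: vulnerable would memcpy %zu bytes; hardened returns %d\n",
           vulnerable_memcpy_size(short_pkt),
           copy_payload_hardened(buf, sizeof buf, short_pkt, sizeof short_pkt));

    printf("over-long claim: vulnerable returns %d, hardened returns %d\n",
           copy_payload_vulnerable(buf, sizeof buf, over_pkt, sizeof over_pkt),
           copy_payload_hardened(buf, sizeof buf, over_pkt, sizeof over_pkt));
    return 0;
}
```

The point the paper makes is about where this memcpy runs, not only about the arithmetic. In a monolithic kernel the overrun lands in kernel heap with kernel privileges, which is why the CVE is rated critical; the same driver compiled into an isolated user-level server in a microkernel design would corrupt only its own address space, so the worst case becomes a crash of that one driver rather than of the whole system. The signed-length pattern also has a second weakness visible in the vulnerable routine: it never checks that the claimed length fits inside the packet actually received, so an over-long claim that passes the destination check still over-reads the source buffer.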
For the full technical details, refer to the paper itself.