Title: Salus: Kernel support for secure process compartments
Authors: Strackx, Raoul ×
Agten, Pieter
Avonds, Niels
Piessens, Frank #
Issue Date: 30-Jan-2015
Publisher: European Alliance for Innovation
Series Title: EAI Endorsed Transactions on Security and Safety vol:15 issue:3
Article number: 1
Abstract: Consumer devices are increasingly being used to perform security and privacy critical tasks. The software used to perform these tasks is often vulnerable to attacks, due to bugs in the application itself or in included software libraries. Recent work proposes the isolation of security-sensitive parts of applications into protected modules, each of which can be accessed only through a predefined public interface. But most parts of an application can be considered security-sensitive at some level, and an attacker who is able to gain in-application level access may be able to abuse services from protected modules.

We propose Salus, a Linux kernel modification that provides a novel approach for partitioning processes into isolated compartments sharing the same address space. Salus significantly reduces the impact of insecure interfaces and vulnerable compartments by enabling compartments (1) to restrict the system calls they are allowed to perform, (2) to authenticate their callers and callees and (3) to enforce that they can only be accessed via unforgeable references. We describe the design of Salus, report on a prototype implementation and evaluate it in terms of security and performance. We show that Salus provides a significant security improvement with a low performance overhead, without relying on any non-standard hardware support.
ISSN: 2032-9393
Publication status: published
KU Leuven publication type: IT
Appears in Collections:Informatics Section
× corresponding author
# (joint) last author

Files in This Item:
File Description Status SizeFormat
salus_journal.pdf Accepted 260KbAdobe PDFView/Open


All items in Lirias are protected by copyright, with all rights reserved.