\section{Conclusion}
\label{sec.conclusion}
In this paper, we propose a new security metric based on quantitative measures of kernel code execution when running user applications.
Our metric evaluates whether the lines of kernel code executed have the potential to trigger zero-day bugs.
Our key discovery is that popular kernel paths contain significantly fewer bugs than other paths.
Based on this insight, we devise a new design for a secure virtual machine called \lip.
As the name implies, the design scheme locks away access to all
kernel code except that found in paths frequently used by
popular programs. We test the \lip idea by implementing a prototype virtual machine
called Lind, which features a minimized TCB and prevents application calls from
directly accessing less-used, riskier paths.
Instead, Lind supports complex system calls by securely re-creating
essential OS functionalities inside a sandbox.
In tests against Docker, LXC, and Graphene, Lind emerged as the most effective system at preventing
zero-day Linux kernel bugs.
So that other researchers may replicate our results, we make all of the kernel
trace data, benchmark data, and source code for this paper available \cite{Lind}.