
BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS

Yinggang Guo, Zicheng Wang, Weiheng Bai, Qingkai Zeng, Kangjie Lu

TL;DR

BULKHEAD addresses the pervasive security risk of monolithic kernels by introducing PKS-based bi-directional isolation for unlimited kernel compartments. It combines a lightweight in-kernel monitor, execute-only memory, data integrity guarantees, and a novel two-level compartmentalization scheme to achieve secure, scalable performance on commodity hardware. The approach is validated on Linux v6.1 with 160 loadable kernel modules, showing an average system-wide overhead of 2.44% and sub-2% overhead for IPv6 workloads, while maintaining scalability as compartments grow. These results indicate that principled kernel compartmentalization using PKS can effectively confine exploits with practical performance, enabling safer kernel extensions and cloud deployments.

Abstract

The endless stream of vulnerabilities urgently calls for principled mitigation to confine the effect of exploitation. However, the monolithic architecture of commodity OS kernels, like the Linux kernel, allows an attacker to compromise the entire system by exploiting a vulnerability in any kernel component. Kernel compartmentalization is a promising approach that follows the least-privilege principle. However, existing mechanisms struggle with the trade-off on security, scalability, and performance, given the challenges stemming from mutual untrustworthiness among numerous and complex components. In this paper, we present BULKHEAD, a secure, scalable, and efficient kernel compartmentalization technique that offers bi-directional isolation for unlimited compartments. It leverages Intel's new hardware feature PKS to isolate data and code into mutually untrusted compartments and benefits from its fast compartment switching. With untrust in mind, BULKHEAD introduces a lightweight in-kernel monitor that enforces multiple important security invariants, including data integrity, execute-only memory, and compartment interface integrity. In addition, it provides a locality-aware two-level scheme that scales to unlimited compartments. We implement a prototype system on Linux v6.1 to compartmentalize loadable kernel modules (LKMs). Extensive evaluation confirms the effectiveness of our approach. As the system-wide impacts, BULKHEAD incurs an average performance overhead of 2.44% for real-world applications with 160 compartmentalized LKMs. While focusing on a specific compartment, ApacheBench tests on ipv6 show an overhead of less than 2%. Moreover, the performance is almost unaffected by the number of compartments, which makes it highly scalable.

Paper Structure (46 sections, 10 figures, 7 tables)

Figures (10)

  • Figure 1: Distribution of Linux kernel vulnerabilities reported by Syzkaller. Only the top 10 subsystems with the most vulnerabilities are listed for demonstration.
  • Figure 2: Working principle of MPK, where WD and AD stand for write-disable and access-disable permissions, respectively.
  • Figure 3: The overview of BULKHEAD.
  • Figure 4: Intel 64 and IA-32 architectures instruction format.
  • Figure 5: Some examples of eliminating unintended wrmsr (0x0f30).
  • ...and 5 more figures
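The permission model that Figure 2 refers to (per-key write-disable and access-disable bits) is the basis of both user-space MPK and the supervisor-mode PKS that BULKHEAD builds on. The following C program is an added illustration, not code from the paper or its prototype: it models a protection-key permission register with the layout used by PKRU and IA32_PKRS (two bits per key, AD in the low bit and WD in the high bit, 16 keys), builds the register value a compartment switch would install for a given compartment, and checks whether a simulated access to a page tagged with some key would be permitted. The compartment layout and page keys in `main` are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PK_KEYS 16
#define PK_AD(k) (1u << (2 * (k)))      /* access-disable bit for key k */
#define PK_WD(k) (1u << (2 * (k) + 1))  /* write-disable bit for key k  */

/* Build the register value for a compartment that owns key `own`:
 * full access to its own key, read-only access to every key in
 * `ro_mask` (bit k set => key k readable), and no access to the rest.
 * This is the value a compartment switch would install (via wrmsr to
 * IA32_PKRS in the PKS case); the monitor logic itself is not modelled. */
uint32_t pk_build(unsigned own, uint16_t ro_mask)
{
    uint32_t reg = 0;
    for (unsigned k = 0; k < PK_KEYS; k++) {
        if (k == own)
            continue;                       /* own compartment: RW */
        if (ro_mask & (1u << k))
            reg |= PK_WD(k);                /* shared read-only data */
        else
            reg |= PK_AD(k) | PK_WD(k);     /* other compartments: none */
    }
    return reg;
}

/* Reads are denied when AD is set; writes when either AD or WD is set. */
bool pk_can_read(uint32_t reg, unsigned key)
{
    return (reg & PK_AD(key)) == 0;
}

bool pk_can_write(uint32_t reg, unsigned key)
{
    return (reg & (PK_AD(key) | PK_WD(key))) == 0;
}

/* Simulated page: the key stored in its page-table entry. */
struct page { const char *name; unsigned key; };

/* Returns 0 if the access is allowed, 1 if it would fault. */
int pk_access(uint32_t reg, const struct page *p, bool write)
{
    bool ok = write ? pk_can_write(reg, p->key) : pk_can_read(reg, p->key);
    return ok ? 0 : 1;
}

int main(void)
{
    /* Constructed layout: key 0 = core kernel, key 1 = module A, key 2 = module B. */
    struct page core  = { "core-kernel-data", 0 };
    struct page mod_a = { "module-A-data",    1 };
    struct page mod_b = { "module-B-data",    2 };

    /* Module A runs with its own key writable and core data readable only. */
    uint32_t reg_a = pk_build(1, 1u << 0);
    printf("register for module A: 0x%08x\n", reg_a);
    printf("A writes own data:   %s\n", pk_access(reg_a, &mod_a, true)  ? "fault" : "ok");
    printf("A reads core data:   %s\n", pk_access(reg_a, &core,  false) ? "fault" : "ok");
    printf("A writes core data:  %s\n", pk_access(reg_a, &core,  true)  ? "fault" : "ok");
    printf("A reads B's data:    %s\n", pk_access(reg_a, &mod_b, false) ? "fault" : "ok");
    return 0;
}
```

The point the model makes concrete is the bi-directional part of the design: switching into module A installs a register that denies A any access to module B's key and any write to the core's key, and the symmetric value installed when switching into B or back into the core denies them access to A's key in turn, so a memory-corruption bug inside one compartment cannot reach another compartment's data without first changing the register, which is exactly what the paper's monitor and its handling of unintended wrmsr (Figure 5) are meant to prevent.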