Jeehong Kim

Light-weight kernel instrumentation framework using dynamic binary translation

Mobile platforms such as Android and iOS, which are based on typical operating systems, have been widely adopted in various computing devices from smart phones even to smart TVs. Along with this, the necessity of kernel instrumentation framework has also grown up for efficient development and debugging of a kernel itself and its components. Although the existing approaches are providing some information about the kernel state including physical register value and primitive memory map, it is hard for the developers to understand and exploit the information. Moreover, the excessive analysis overhead in the existing approach makes them impractical to be used in real systems. Meanwhile, there have been a few studies on analyzing the user-level applications using dynamic binary translation and they are now widely used. In this paper, by extending this idea of dynamic binary translation for user-level applications to the kernel, we propose a new dynamic kernel instrumentation framework. Our framework focuses on the modules such as device drivers, rather than the kernel itself, since the modules comprise a large portion of OS development. Because of the frequent execution of kernel modules, the dynamic kernel instrumentation framework should guarantee the quality of the translated target code. However, costly optimizations to achieve high execution performance are rather harmful to the overall performance. Therefore, in order to improve performance of both translations, we suggest light-weight translator based on pseudo-machine instruction representation and tabular-base translation instead of typical intermediate representation. We implement our framework on Linux system, and our experimental evaluations show that it could quite effectively instrument the target with nominal overhead.

MAST: Multi-Level Associated Sector Translation for NAND Flash Memory-Based Storage System

NAND flash memories have been widely adopted as storage on computing devices, since it has strong effectiveness on performance. However, asymmetric operation performance of NAND flash memories still impedes high performance. To mitigate this performance hurdle, most storage devices of NAND flash memories have used Flash Translation Layer (FTL). In this paper, we propose a novel workload-aware FTL mapping policy, called Multi-level Associated Sector Translation (MAST). MAST divides log block depending on characteristics of data, and dynamically detects hot pages to avoid unnecessary merge operations of FTL. In experimental results, we show that our approach outperforms FAST method by 10% and LAST by 3%, respectively.

Usage pattern-based prefetching: quick application launch on mobile devices

The startup time of applications is very important as a user perspective performance. If page faults occur frequently in the startup time, the user experience is subjected to an adverse effect. To reduce page faults, the prefetching scheme is used in the traditional OS. Previous studies proposed various schemes, but the most research was conducted for desktop PCs or special embedded devices. We propose the usage pattern-based prefetching scheme which is suitable to mobile devices. Therefore, this paper focuses on the users applications usage patterns and the improvement of the startup time of application on mobile devices. To inspect the usage patterns, we collect the dataset of the application usage and then analyze collected data. Additionally, considering mobile devices which have relatively poor hardware resources, the lightweight prediction model is employed in the new scheme. The proposed scheme is implemented on both Android 2.2 and Linux kernel 2.6.29. It is tested on the emulator and evaluated by using the dataset. The startup time is improved about 5%, and the accuracy of the prediction is shown up to 59% for the practical dataset.

EIMOS: enhancing interactivity in mobile operating systems

Interactivity is one of the most important factors in the computing systems. There has been a lot of research to improve the interactivity in traditional desktop environments. However, few research studies have been done for interactivity enhancement in mobile systems like smart phones and tablet PCs. Therefore, different approaches are required to improve the interactivity of these systems. Even if multiple processes are running in a mobile system, there is only one topmost process which interacts with the user due to the resource constraints like small screen sizes and limited input methods. In this paper, we propose EIMOS, a system which identifies the topmost process and enhances the interactivity. Our system improves the CPU process scheduler and I/O prefetcher in the mobile operating system. We also implement EIMOS in the Android mobile platform and performed several experiments. The experimental results show that the performance is increased up to 16% compared to that of the existing platform.

Fast and space-efficient defense against jump-oriented programming attacks

Recently, Jump-oriented Programming (JOP) attack has become widespread in various systems including server, desktop, and smart devices. JOP attack rearranges existing code snippets in program to make gadget sequences, and hijacks control flow of program by chaining and executing gadget sequences consecutively. However, existing defense schemes have limitations such as high execution overhead, high binary size increase overhead, and low applicability. In this paper, to solve these problems, we introduce target shepherding, which is a fast and space-efficient defender against general JOP attack. Our defense scheme generates monitoring code to determine whether the target is legitimate or not just before each indirect jump instruction at compile time, and then checks whether a control flow has been subverted by JOP attack at run time. We achieved very low run-time overhead with very small increase in file size. In our experimental results, the performance overhead is 2.36% and the file size overhead is 5.82% with secure execution.

Page allocation scheme for anti-fragmentation on smart devices

In embedded smart devices, efficient memory management is critical because they have relatively small main memory to reduce cost and power consumption. Though Input Output Memory Management Unit (IOMMU), which is recently adopted on embedded smart devices, gives more free spaces in system memory, it increases memory allocation time when memory space is highly fragmented. In this paper, we propose a new page allocation scheme, called A-GPBM, to reduce fragmentation of anonymous pages and secure more physically contiguous pages. Experimental results show that our algorithm decreases unusable free space index for order 4 from 0.93 to 0.32.

Page coloring synchronization for improving cache performance in virtualization environment

The paging scheme randomly translates the virtual address into the physical address. Thus, it can lead to some serious problems like performance non-determinism and poor cache performance. In order to resolve these problems, page coloring is applied to operating systems such as Solaris, FreeBSD, and Windows. However, there is a problem applying page coloring in virtualization environment. The paging scheme translates the virtual address of the guest into the physical address of the guest which is not the real physical address. In this paper, we introduce a technique that can be used for synchronizing the page color between guest virtual machine (VM) and host machine. We name this technique page coloring synchronization. Our technique has some advantages such as reducing performance non-determinism and improving cache performance in virtualization environment. Our experiments demonstrate that if our technique is applied to the virtual machine monitor (VMM), it improves the performance up to 6.3%. Also, our experiments show that our technique can reduce performance non-determinism.

Remote-Launch: Borrowing Secure TCB for Constructing Trustworthy Computing Platform

Commodity operating systems have become extremely large to provide a lot of services, and then their vulnerability has been targeted by malicious attack. In order to increase security in operating system, there have been many attempts to reduce the size of Trust Computing Base (TCB). However, most of the approaches have applicability limitations due to hypervisor vulnerability and additional hardware requirements. To address these limitations, instead of reducing TCB size, we propose a novel approach to enhance the security of the system. We hide secure TCB for sensitive applications, and thus build an isolated secure environment using a well-equipped infrastructure. For evaluation, we implement a prototype, called Remote-Launch, which runs a security-sensitive process on the borrowed secure TCB.

Design and Implementation of a Dynamic Instrumentation Framework based on Light-weight Dynamic Binary Translation

Dynamic binary instrumentation is a code insertion technique for debugging a program without scattering its execution flow, while the program is running. Most dynamic instrumentations are implemented using dynamic binary translation techniques. Existing studies translated program codes dynamically by parsing the machine code stream to intermediate representation (IR) and then applying compilation techniques for IRs. However, they have high overhead during translation, which is a major cause of difficulty in applying the dynamic binary translation technique to the program which requires high responsiveness. In this paper, we introduce a light-weight dynamic binary instrumentation framework based on a novel dynamic binary translation technique which has low overhead while translating the program code. In order to reduce the translation overhead, our approach adopts a tabular-based address translation and exploits a translation bypassing scheme, which stores the translated address of a frequently called library function in advance. It then accesses the translated address and executes function codes without code translation when calling the function. Our experiment results demonstrated that the proposed approach outperforms the prior dynamic binary translation techniques from 2% up to 65%.

Design and Implementation of Efficient Mitigation against Return-oriented Programming

An ROP attack creates gadget sequences which consist of existing code snippets in a program, and hijacks the control flow of a program by chaining and executing gadget sequences consecutively. Existing defense schemes have limitations in that they cause high execution overhead, an increase in the binary size overhead, and a low applicability. In this paper, we solve these problems by introducing zero-sum defender, which is a fast and space-efficient mitigation scheme against ROP attacks. We find a fundamental property of gadget execution in which control flow starts in the middle of a function without a call instruction and ends with a return instruction. So, we exploit this property by monitoring whether the execution is abused by ROP attacks. We achieve a very low runtime overhead with a very small increase in the binary size. In our experimental results, we verified that our defense scheme prevents real world ROP attacks, and we showed that there is only a 2% performance overhead and a 1% binary size increase overhead in several benchmarks.