Extensible Kernel Research

There has been a lot of operating systems research in the last 20 years on extensible systems. Following the basic idea of microkernels (which sought to componentize most everything in the kernel) came extensive efforts to build more monolithic kernels that could be extended in various ways:

• Exokernel was really just a logical extension of the microkernel concept [16]. The base kernel provided no abstraction of physical devices, leaving that to applications that needed the devices.
• SPIN allowed modules to be loaded into the kernel, while providing for a variety of safety properties [7]. Modules were to be written in Modula-3 [35], which imposed strong type checking, thus preventing the module from misbehaving outside of its own data structures. SPIN ``spindles'' also were subject to time constraints, so they could not seize the CPU. Abstractly, spindles would register to ``extend'' or ``specialize'' kernel events, and would be added to an event handling chain, rather similar to the way interrupts are commonly handled.
• SCOUT was designed to facilitate continuous flows of information (e.g. audio or video streams), and allowed CODEC stages to be composed into pipelines (or graphs) of appropriate components [34].
• Synthetix sought to allow applications to specialize the operating system to their transient needs [38]. ``Specialization'' meant optimization with respect to ``quasi-invariants'': properties that hold true for a while, but eventually become false. In some cases, quasi-invariants were inferred from application behavior, such as a process opening a file, resulting in a specialized read() system call optimized for the particular process and file. In other cases, quasi-invariants were specified to the kernel using a declarative language [11,43].

All of these extension facilities provided some form of safety, to limit the potential damage that an extension could impose on the rest of the system. Such safety properties, for example, might allow a multimedia application to extend the kernel to support better quality of service, while limiting the multimedia extension so that it does not accidentally corrupt the operating system. The need for such safety in kernel extensions is anecdotally confirmed by the phenomena of unstable Microsoft Windows systems, which are allegedly made unstable in part due to bad 3rd party device drivers, which run in kernel space.

In contrast, LSM imposes no restrictions on modules, which are (normally) written in C and have full, un-typed access to the kernel's address space. The only ``restriction'' is that hooks are mostly of the ``restrictive'' form, making it somewhat more difficult to erroneously grant access when it should have been denied. Rather, LSM depends primarily on programmer skill (modules need to be written with the diligence of kernel code) and root authority (only root may load a module).

It should be noted that LSM can get away with this weak module safety policy precisely because LSM modules are intended to enforce security policy. Unlike more generic kernel extensions such as QoS, the system is entirely at the mercy of the security policy. An administrator who permits an LSM module to be loaded has already made the decision to trust the module providers to be both well-intentioned and skilled at programming, as bugs in a security policy engine can have catastrophic consequences. Further sanity checks on LSM modules are superfluous.

It should also be noted that this is the traditional view of Linux modules: that loading modules into the kernel is privileged for a reason, and that care should be taken in the writing and selection of kernel modules. LSM module developers are cautioned to be especially diligent in creating modules. Not only do LSM modules run with the full authority of all kernel code, but they are especially trusted to enforce security policy correctly. Third party review of LSM modules' source code is recommended.

Finally, we note that LSM is much less intrusive to the Linux kernel than the other large modular interface: VFS (Virtual Filesystem). The need for support for multiple filesystems in Linux was recognized long ago, and thus a rich infrastructure was built. The VFS layer of the kernel abstracts the features of most filesystems, so that other parts of the kernel can access the filesystem without what knowing what kind of filesystem is in use. Anecdotally, the VFS layer is reported to be a nest of function pointers that was very difficult to debug. This difficulty may explain, in part, why the Linux community would like the LSM interface to be as minimally intrusive as possible.