FlexC: Flexible Compartmentalization Through Automatic Policy Generation

Abstract

The single address space in monolithic kernels enables vulnerabilities to compromise the entire kernel and system. An effective approach to prevent and mitigate these vulnerabilities is compartmentalization. Previous work has mostly focused on the enforcement of compartmentalization policies; to date little research has addressed the creation of such policies. Users are assumed to manually create and supply policies via annotation. Automating this would allow policies to be optimized for different systems. Therefore, our goal is to build a system for creation and enforcement of policies that is automatic, easy to use, and allows exploration of multiple policies, tailored to the needs of the systems. We introduce a mechanism for Flexible Compartmentalization through automatic policy generation, FlexC, which both creates and enforces arbitrary compartmentalization policies. FlexC automatically creates a code and data flow graph to represent the system being compartmentalized, based on static and dynamic analyses. It allows the user to select how to prioritize the static or dynamic information in the edges of the graph. Then, it merges vertices using a greedy algorithm, into a number of compartments specified by the user, creating a compartmentalization policy that is then enforced using an LLVM pass. For systems with higher security sensitivity, FlexC can create hundreds of compartments, while users that need to prioritize performance can create as few as desired. Additionally, users can easily explore the impact of different policies on their systems, and select whichever is most appropriate. We evaluated FlexC on a Linux kernel 5.10, and measured the impact on a FAT file system. Results showed an overhead with a geometric mean between 10% and 13.5% for policies with different numbers of compartments. Fine-grained policies can reduce the number of compartments that have permission to access FAT file system compartments by 60%.

Bibliographic Details

Main Author: Ortega, Carolina Perez
Other Authors: Shrobe, Howard
Also listed in the record: Okhravi, Hamed; Burow, Nathan
Department: Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Degree: M.Eng.
Format: Thesis
Thesis date: 2022-05
Published: Massachusetts Institute of Technology, 2022
Rights: In Copyright - Educational Use Permitted; Copyright MIT; http://rightsstatements.org/page/InC-EDU/1.0/
Online Access: https://hdl.handle.net/1721.1/144506
Record: mit-1721.1/144506 (DSpace, collection MIT)