Privilege escalation occurs very commonly in monolithic operating systems where applications associated with a lesser privilege set of restrictions are able to impersonate applications of a higher privilege or influence applications of higher privilege to gain access to OS resources on behalf of the low privilege application.
LynxSecure mitigates these forms of attacks by hosting guest OSs in isolated, self-sufficient virtual machine containers that run in the unprivileged mode of the CPU. Furthermore, the LynxSecure design completely omits the abstract concept of user, process, and resource access runtime control models that are common to monolithic operating systems.
Protection Against Code Injection
Code injections attacks cause a change in code execution such that a set of unauthorized code is executing instructions on the hardware platform unbeknownst to the user and potentially the operating system. Code injections most commonly occur by changing executable memory to malicious code and cause the CPU instruction pointer to jump to the malicious code.
LynxSecure mitigates this potent attack in three ways:
- Static Resource Allocation - LynxSecure statically allocates and isolating hardware resources for each guest OS and LSA ensuring resources may never be reclaimed and repurposed by the separation kernel. This method prohibits attackers from exploiting shared data structures as a code injection attack vector.
- Memory Execution Control – The LynxSecure development tools allow developers to set memory regions at non-executable using the Intel execute disable (XD) feature.
- Self-assisted LSA runtime and Virtualization –LynxSecure runs LSAs and Guest OS in a self-assisted container that does not require any application run-time support from the separation kernel to limit the number of exploitable software interfaces.
Protection against Hardware Subversion
Hardware subversion is an attack where system BIOS firmware, a device’s firmware, or a device’s runtime configuration parameters are modified to change the security state of the operating system by modifying physical memory through DMA transactions or by changing critical configuration parameters like system memory maps. LynxSecure mitigates hardware manipulation attacks by explicitly controlling which subjects are authorized to access specific physical device and system firmware interfaces, and also controls device access to system memory.
LynxSecure uses its hardware isolation capabilities to give subject exclusive control over the Trusted Platform Module to perform crypto graphic functions useful for system designs that require advanced initialization protection, self-encryption, and remote attestation.
Protection against System Rootkits
LynxSecure requires no runtime file system or persistent state. This unique attribute of non-persistent operation allows LynxSecure to sever the physical connection of the runtime environment to the boot image media, which will prevent any malware running on a platform to infiltrate the initialization logic to subvert the system.
Protection against Guest OS Rootkits
Fully virtualized guest OSs running on LynxSecure have an active reference monitor protecting the boot sector of guest OS to prohibit guest OS malware from subverting the guest OS by changing the guest OS initialization logic.
LynxSecure provides a least privilege security audit feature that allows security architects to give subject to the ability to read and write audit data. Additionally the LynxSecure development tools allow developers to create user defined audit events and create custom event handling policies.
LynxSecure provides an independent runtime environment and libraries to build high assurance LynxSecure applications (LSAs) that run directly on the CPU cores without relying on the assistance of a guest operating system. LSAs are extremely useful for computing environments that require assurance that application logic is correct. By removing the complex dependencies from an operating system, verifying correctness of these high assurance applications becomes drastically simpler.