Permission is granted for noncommercial reproduction of the work for educational or research purposes. This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein.

Safety Checking of Kernel Extensions

There are many places in operating systems today where extending the running kernel with small and fast extensions is an interesting thing to do. For example, the Berkeley Packet Filter (BPF) allows code for a virtual machine to be uploaded into a running kernel and executed at packet reception, allowing fairly arbitrary filtering of packets before they cross the expensive kernel-to-user interface. Whatever mechanism is used needs to provide some reasonable guarantees about the safety of the resulting code, which makes this problem complex. This paper describes a simple x86 bytecode verifier that is intended to verify that a small program about to be loaded obeys a reasonable safety policy. For program constructs that it is able to reason about, it can verify that the code does not execute privileged instructions, only accesses known memory locations, and terminates. It cannot reason about arbitrary programs, but it can reason about simple ones, and developers who know the prover's limitations can write their code to be recognizable by the verifier. The contribution of this work is to show that a very limited prover can operate on native machine code and can efficiently reason about a small but still interesting set of programs.
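The three policy checks the abstract names (no privileged instructions, accesses only to known memory, guaranteed termination) can be illustrated on a toy instruction format; the checker below is an added example written for this page, not the paper's x86 verifier, and its instruction tuples, opcode names and sample programs are all constructed assumptions.

```python
"""Toy kernel-extension safety checker (added illustration, not the paper's code).

A program is a list of (opcode, operand) tuples in a constructed instruction
set.  Like the verifier the abstract describes, it rejects anything it cannot
reason about rather than guessing.
"""

PRIVILEGED = {"cli", "sti", "hlt", "in", "out", "lgdt", "lidt", "iret"}
ARITH = {"mov", "add", "sub", "and", "or", "xor", "cmp"}
MEMORY = {"load", "store"}
BRANCH = {"jmp", "jz", "jnz"}


def verify(program, region):
    """Return a list of violations; an empty list means the program passed.

    region is the half-open (lo, hi) address range the extension may touch.
    """
    lo, hi = region
    violations = []
    for pc, (op, arg) in enumerate(program):
        if op in PRIVILEGED:
            violations.append(f"{pc}: privileged instruction {op}")
        elif op in MEMORY:
            # Only constant addresses can be checked statically; a
            # register-relative address is "unknown memory" and is rejected.
            if not isinstance(arg, int) or not lo <= arg < hi:
                violations.append(f"{pc}: access to unknown memory {arg!r}")
        elif op in BRANCH:
            # Forward-only branches keep the control-flow graph acyclic, which
            # guarantees termination without any loop-bound reasoning.
            if not isinstance(arg, int) or not pc < arg < len(program):
                violations.append(f"{pc}: branch to {arg!r} is backward or out of range")
        elif op in ARITH or op == "ret":
            pass
        else:
            violations.append(f"{pc}: cannot reason about {op}")
    # With forward-only branches, every path falls through or jumps toward the
    # end, so ending in ret is enough for every path to terminate in ret.
    if not program or program[-1][0] != "ret":
        violations.append("program does not end in ret")
    return violations


# Constructed samples: a filter that compares one word of a shared buffer,
# and an extension that breaks all three rules at once.
FILTER_REGION = (0x1000, 0x1040)
GOOD = [("load", 0x1000), ("cmp", 0x0800), ("jnz", 4), ("mov", 1), ("ret", None)]
BAD = [("load", 0x2000), ("cli", None), ("jmp", 0), ("ret", None)]
```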