Interrupt Stack Protection for Linux Kernel in Hardware Virtualization Layer of ARM64 Architecture

JOURNAL OF CIRCUITS SYSTEMS AND COMPUTERS (2023)

Abstract
Kernel security is of paramount importance in computer systems. As the number of vulnerabilities in the kernel continues to grow, the security risks to computer systems are increasing. To prevent the kernel interrupt stack from being attacked, researchers have discussed complete hypervisor supervision and kernel co-layer security domain techniques. Complete hypervisor supervision brings a heavy overhead, and co-layer security domain techniques cannot achieve privilege-level isolation. We focus on memory-based security threats in kernel security vulnerabilities, protecting the kernel at a higher level by using virtualization technology. Compared with the existing work, our implementation method protects the interrupt stack with a small performance loss. We have implemented our system on the openEuler operating system and Phytium processors. Although the deployment of protection code will result in increased kernel interrupt latency and processor overhead, experimental verification shows that the overall system overhead is acceptable.
Keywords
Interrupt stack, hypervisor, stack protection, virtualization.