Intra-unikernel isolation with Intel memory protection keys

Sung, Mincheol; Olivier, Pierre; Lankes, Stefan; Ravindran, Binoy

doi:10.1145/3381052.3381326

Cited by 39 publications

(16 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Single protection level: There should be no user-/kernel-space separation to avoid costly processor mode switches. This does not preclude compartmentalization (e.g., of micro-libraries), which can be achieved at reasonable cost [69]. • Static linking: Enable compiler features, e.g., Dead…”

Section: Design Principles and Solution Spacementioning

confidence: 99%

Unikraft

Kuenzer

Bădoiu

Lefeuvre

et al. 2021

Proceedings of the Sixteenth European Conference on Computer Systems

View full text Add to dashboard Cite

Unikernels are famous for providing excellent performance in terms of boot times, throughput and memory consumption, to name a few metrics. However, they are infamous for making it hard and extremely time consuming to extract such performance, and for needing significant engineering effort in order to port applications to them. We introduce Unikraft, a novel micro-library OS that (1) fully modularizes OS primitives so that it is easy to customize the unikernel and include only relevant components and (2) exposes a set of composable, performance-oriented APIs in order to make it easy for developers to obtain high performance.Our evaluation using off-the-shelf applications such as nginx, SQLite, and Redis shows that running them on Unikraft results in a 1.7x-2.7x performance improvement compared to Linux guests. In addition, Unikraft images for these apps are around 1MB, require less than 10MB of RAM to run, and boot in around 1ms on top of the VMM time (total boot time 3ms-40ms). Unikraft is a Linux Foundation open source project and can be found at www.unikraft.org.

show abstract

Section: Design Principles and Solution Spacementioning

confidence: 99%

Unikraft

Kuenzer

Bădoiu

Lefeuvre

et al. 2021

Proceedings of the Sixteenth European Conference on Computer Systems

View full text Add to dashboard Cite

show abstract

“…More recently, OSes providing security through software isolation brought by safe languages [7,13,25,36,39] have been proposed. In SASOSes, isolation has been provided with traditional page tables [10,23,32] and recently through intra-address-space hardware isolation mechanisms [34,42,45,47]. Formal verification offers deterministic security guarantees, but has trouble scaling to modern OSes' large codebases [28,29].…”

Section: Related Workmentioning

confidence: 99%

“…Second, hardware isolation, SH and runtime property checking can be used to check that certain correctness properties hold (e.g. when specified as pre and post conditions), thus relieving the user from needing to prove code correctness statically against a specification [47]. Third, both software verification and protection domains can be used to ensure (a form of) control-flow integrity between components, guaranteeing that code execution starts only at well-defined entry points, without needing software runtime checks [53].…”

Section: Introductionmentioning

confidence: 99%

FlexOS

Lefeuvre

Bădoiu

Teodorescu

et al. 2021

Proceedings of the Workshop on Hot Topics in Operating Systems

Self Cite

View full text Add to dashboard Cite

OS design is traditionally heavily intertwined with protection mechanisms. OSes statically commit to one or a combination of (1) hardware isolation, (2) runtime checking, and (3) software verification early at design time. Changes after deployment require major refactoring; as such, they are rare and costly. In this paper, we argue that this strategy is at odds with recent hardware and software trends: protections break (Meltdown), hardware becomes heterogeneous (Memory Protection Keys, CHERI), and multiple mechanisms can now be used for the same task (software hardening, verification, HW isolation, etc). In short, the choice of isolation strategy and primitives should be postponed to deployment time.We present FlexOS, a novel, modular OS design whose compartmentalization and protection profile can seamlessly be tailored towards a specific application or use-case at build time. FlexOS offers a language to describe components' security needs/behavior, and to automatically derive from it a compartmentalization strategy. We implement an early prototype of FlexOS that can automatically generate a large array of different OSes implementing different security strategies. CCS Concepts• Software and its engineering → Operating systems; • Security and privacy → Operating systems security.

show abstract

“…Many other compartmentalization abstractions can be used for platforms that do not support hardware capabilities, relying on various isolation mechanisms. These can be process-based isolation leveraging page tables [36], [37]; VM-based isolation using hardware-assisted virtualization [38], [39]; trusted execution environments [40], [41] and other ISA extensions such as Intel MPK [42]- [45]; and finally software-only solutions such as SFI [46]. These techniques offer various security/performance trade-offs and generally require a particular porting effort to manage data shared between compartments.…”

Section: A Isolating Librariesmentioning

confidence: 99%

Towards a Hybrid Approach to Protect Against Memory Safety Vulnerabilities

Bhayat¹,

Cordeiro²,

Reger³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Memory corruption bugs continue to plague low-level systems software generally written in unsafe programming languages. In order to detect and protect against such exploits, many pre- and post-deployment techniques exist. In this position paper, we propose and motivate the need for a <i>hybrid</i> approach for the protection against memory safety vulnerabilities, combining techniques that can identify the presence (and absence) of vulnerabilities pre-deployment with those that can detect and mitigate such vulnerabilities post-deployment. Our hybrid approach involves three layers: hardware runtime protection provided by capability hardware, software runtime protection provided by compiler instrumentation, and static analysis provided by bounded model checking and symbolic execution. The key aspect of the proposed hybrid approach is that the protection offered is greater than the sum of its parts -- the expense of post-deployment runtime checks is reduced via information obtained during pre-deployment analysis. During pre-deployment analysis, static checking can be guided by runtime information. <br>

show abstract

Intra-unikernel isolation with Intel memory protection keys

Cited by 39 publications

References 29 publications

Unikraft

Unikraft

FlexOS

Towards a Hybrid Approach to Protect Against Memory Safety Vulnerabilities

Contact Info

Product

Resources

About