Arrakis: A case for the end of the empire
- In Proceedings of the 14th USENIX Conference on Hot Topics in Operating Systems (HotOS '13), 2013
Cited by 3 (1 self)
In this paper, we argue that recent device hardware trends enable a new approach to the design of operating systems: instead of the operating system mediating access to hardware, applications run directly on top of virtualized I/O devices, where the kernel provides only control plane services. This new division of labor is transparent to the user, except that applications are able to offer more robust extensibility, security and performance than was previously possible. We discuss some of the hardware and software challenges to realizing this vision.
The nonkernel: A Kernel Designed for the Cloud
Cited by 2 (0 self)
Infrastructure-as-a-Service (IaaS) cloud computing is causing a fundamental shift in the way computing resources are bought, sold, and used. We foresee a future whereby every CPU cycle, every memory word, and every byte of network bandwidth in the cloud would have a constantly changing market-driven price. We argue that, in such an environment, the underlying resources should be exposed directly to applications without kernel or hypervisor involvement. We propose the nonkernel, an architecture for operating system kernel construction designed for such cloud computing platforms. A nonkernel uses modern architectural support for machine virtualization to securely provide unprivileged user programs
MultiLibOS: An OS architecture for Cloud Computing
Cited by 1 (0 self)
Cloud computing allows consumers on-demand access to massive computational capacity. Researchers have argued that new operating systems are needed to address the challenges of scale, elasticity, and fault tolerance inherent to the cloud. The cloud not only introduces new challenges, but also simplifies the role of the operating system. We describe how these simplifications enable a new model for developing and deploying OS functionality that we call MultiLibOS. This model can be used to enable many, potentially domain specific, runtimes and operating systems to address the challenges and broaden the applicability of cloud computing. The model allows OS, hardware and application researchers to innovate unconstrained by the requirements of backwards compatibility while still providing a strategy to enable full compatibility with commodity operating systems.
Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation
Cited by 1 (0 self)
Monolithic operating system designs undermine the security of computing systems by allowing single exploits anywhere in the kernel to enjoy full supervisor privilege. The nested kernel operating system architecture addresses this problem by “nesting” a small isolated kernel within a traditional monolithic kernel. The “nested kernel” interposes on all updates to virtual memory translations to assert protections on physical memory, thus significantly reducing the trusted computing base for memory access control enforcement. We incorporated the nested kernel architecture into FreeBSD on x86-64 hardware while allowing the entire operating system, including untrusted components, to operate at the highest hardware privilege level by write-protecting MMU translations and de-privileging the untrusted part of the kernel. Our implementation inherently enforces kernel code integrity while still allowing dynamically loaded kernel modules, thus defending against code injection attacks. We also demonstrate that the nested kernel architecture allows kernel developers to isolate memory in ways not possible in monolithic kernels by introducing write-mediation and write-logging services to protect critical system data structures. Performance of the nested kernel prototype shows modest overheads: <1% average for Apache and 2.7% for kernel compile. Overall, our results and experience show that the nested kernel design can be retrofitted to existing monolithic kernels, providing important security benefits.
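The abstract above describes three mechanisms: the nested kernel interposes on every page-table update, page tables and protected data are never mapped writable for the untrusted part of the kernel, and writes to protected structures go through write-mediation and write-logging services. The following user-space model is an added example written for this listing; it is not code from the Nested Kernel paper or its FreeBSD implementation. The frame and PTE counts, the flag bits, the `nk_` names and the placeholder policy inside `nk_mediated_store` are assumptions made for the illustration.

```c
/* Toy model of nested-kernel write mediation on page-table updates.
 * Added illustration, not the paper's code; sizes and names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NK_NFRAMES 64   /* physical frames in the model (assumption) */
#define NK_NPTES   64   /* entries in the single toy page table (assumption) */

#define PTE_PRESENT 0x1u
#define PTE_WRITE   0x2u

enum nk_frame_kind { NK_NORMAL = 0, NK_PAGETABLE, NK_PROTECTED };

struct nk_mmu {
    enum nk_frame_kind kind[NK_NFRAMES]; /* trusted nested kernel's view of each frame */
    uint64_t pte[NK_NPTES];              /* (frame << 12) | flags */
    uint8_t  mem[NK_NFRAMES];            /* one byte of "contents" per frame */
    unsigned log_count;                  /* write-logging: accepted updates and mediated stores */
};

static struct nk_mmu nk_model;           /* single model instance used by the demo */

static void nk_init(struct nk_mmu *m)
{
    memset(m, 0, sizeof *m);
}

/* Trusted side: record that a frame holds page tables or protected data. */
static void nk_declare(struct nk_mmu *m, unsigned frame, enum nk_frame_kind kind)
{
    if (frame < NK_NFRAMES)
        m->kind[frame] = kind;
}

/* The only path by which the untrusted outer kernel may change a translation.
 * Page-table frames and protected frames are never mapped writable, so the
 * outer kernel cannot bypass this function by editing the tables directly.
 * Returns true if the update was applied. */
static bool nk_update_pte(struct nk_mmu *m, unsigned idx, unsigned frame, uint32_t flags)
{
    if (idx >= NK_NPTES || frame >= NK_NFRAMES)
        return false;
    if ((flags & PTE_WRITE) && m->kind[frame] != NK_NORMAL)
        return false;
    m->pte[idx] = ((uint64_t)frame << 12) | (flags & (PTE_PRESENT | PTE_WRITE));
    m->log_count++;
    return true;
}

/* Ordinary store through a translation, as the outer kernel would perform it;
 * the MMU model only allows it when the PTE is present and writable. */
static bool nk_store(struct nk_mmu *m, unsigned idx, uint8_t value)
{
    uint64_t pte = (idx < NK_NPTES) ? m->pte[idx] : 0;
    if ((pte & (PTE_PRESENT | PTE_WRITE)) != (PTE_PRESENT | PTE_WRITE))
        return false;
    m->mem[pte >> 12] = value;
    return true;
}

/* Write-mediation service: the only way to modify a protected frame. The
 * policy check stands in for whatever integrity rule the trusted kernel
 * enforces; rejecting a zero byte is an assumed placeholder policy. */
static bool nk_mediated_store(struct nk_mmu *m, unsigned frame, uint8_t value)
{
    if (frame >= NK_NFRAMES || m->kind[frame] != NK_PROTECTED)
        return false;
    if (value == 0)
        return false;
    m->mem[frame] = value;
    m->log_count++;
    return true;
}

static uint8_t nk_read(const struct nk_mmu *m, unsigned frame)
{
    return frame < NK_NFRAMES ? m->mem[frame] : 0;
}

/* Runs the scenario against nk_model and returns one bit per step (1 = the
 * operation was allowed): frame 1 holds page tables, frame 2 protected data. */
static unsigned nk_demo(void)
{
    struct nk_mmu *m = &nk_model;
    unsigned r = 0;
    nk_init(m);
    nk_declare(m, 1, NK_PAGETABLE);
    nk_declare(m, 2, NK_PROTECTED);
    r |= (unsigned)nk_update_pte(m, 0, 1, PTE_PRESENT | PTE_WRITE) << 0; /* writable PT mapping: refused */
    r |= (unsigned)nk_update_pte(m, 1, 2, PTE_PRESENT)             << 1; /* read-only protected mapping: allowed */
    r |= (unsigned)nk_store(m, 1, 0x41)                             << 2; /* store via read-only PTE: refused */
    r |= (unsigned)nk_update_pte(m, 2, 3, PTE_PRESENT | PTE_WRITE) << 3; /* ordinary frame writable: allowed */
    r |= (unsigned)nk_store(m, 2, 0x41)                             << 4; /* store via that PTE: allowed */
    r |= (unsigned)nk_mediated_store(m, 2, 0)                       << 5; /* violates assumed policy: refused */
    r |= (unsigned)nk_mediated_store(m, 2, 0x42)                    << 6; /* mediated store: allowed */
    return r;
}

int main(void)
{
    unsigned r = nk_demo();
    printf("outcome bits 0x%02x, %u logged writes, frame2=0x%02x frame3=0x%02x\n",
           r, nk_model.log_count, nk_read(&nk_model, 2), nk_read(&nk_model, 3));
    return 0;
}
```

The point the model makes is that the untrusted kernel keeps full privilege over ordinary memory (steps 4 and 5 succeed) while every path to the page tables and to protected data runs through the mediator, which is why the paper can de-privilege the rest of the kernel without moving it to a lower ring. In the real system the write protection is enforced by the MMU on the page-table pages themselves; here the `kind` table plays that role.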
Jitsu: Just-In-Time Summoning of Unikernels
Cited by 1 (1 self)
Network latency is a problem for all cloud services. It can be mitigated by moving computation out of remote datacenters by rapidly instantiating local services near the user. This requires an embedded cloud platform on which to deploy multiple applications securely and quickly. We present Jitsu, a new Xen toolstack that satisfies the demands of secure multi-tenant isolation on resource-constrained embedded ARM devices. It does this by using unikernels: lightweight, compact, single address space, memory-safe virtual machines (VMs) written in a high-level language. Using fast shared memory channels, Jitsu provides a directory service that launches unikernels in response to network traffic and masks boot latency. Our evaluation shows Jitsu to be a power-efficient and responsive platform for hosting cloud services in the edge network while preserving the strong isolation guarantees of a type-1 hypervisor.
Glider: A GPU Library Driver for Improved System Security
- 2014
Cited by 1 (1 self)
Legacy device drivers implement both device resource management and isolation. This results in a large code base with a wide high-level interface making the driver vulnerable to security attacks. This is particularly problematic for increasingly popular accelerators like GPUs that have large, complex drivers. We solve this problem with library drivers, a new driver architecture. A library driver implements resource management as an untrusted library in the application process address space, and implements isolation as a kernel module that is smaller and has a narrower lower-level interface (i.e., closer to hardware) than a legacy driver. We articulate a set of device and platform hardware properties that are required to retrofit a legacy driver into a library driver. To demonstrate the feasibility and superiority of library drivers, we present Glider, a library driver implementation for two GPUs of popular brands, Radeon and Intel. Glider reduces the TCB size and attack surface by about 35% and 84% respectively for a Radeon HD 6450 GPU and by about 38% and 90% respectively for an Intel Ivy Bridge GPU. Moreover, it incurs no performance cost. Indeed, Glider outperforms a legacy driver for applications requiring intensive interactions with the device driver, such as applications using the OpenGL immediate mode API.
Lightweight snapshots and system-level backtracking
- In HotOS
Cited by 1 (0 self)
We propose a new system-level abstraction, the lightweight immutable execution snapshot, which combines the immutable characteristics of checkpoints with the direct integration into the virtual memory subsystem of standard mutable address spaces. The abstraction can give arbitrary x86 programs and libraries system-level support for backtracking (akin to logic programming) and the ability to manipulate an entire address space as an immutable data structure (akin to functional programming). Our proposed implementation leverages modern x86 hardware-virtualization support.
CHERI: A RISC capability machine for practical memory safety
- 2014
Cited by 1 (0 self)
ISSN 1476-2986
This work presents CHERI, a practical extension of the 64-bit MIPS instruction set to support capabilities for fine-grained memory protection. Traditional paged memory protection has proved inadequate in the face of escalating security threats and proposed solutions include fine-grained protection tables (Mondrian Memory Protection) and hardware fat-pointer protection (Hardbound). These have emphasised transparent protection for C executables but have lacked flexibility and practicality. Intel’s recent memory protection extensions (iMPX) attempt to adopt some of these ideas and are flexible and optional but lack the strict correctness of these proposals. Capability addressing has been the classical solution to efficient and strong memory protection but it has been thought to be incompatible with common instruction sets and also with modern program structure which uses a flat memory space with global pointers. CHERI is a fusion of capabilities with a paged flat memory producing a program-managed fat pointer capability model. This protection mechanism scales from application sandboxing to efficient byte-level memory
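The abstract calls CHERI a "program-managed fat pointer capability model". The software model below is an added example written for this listing, not code from the CHERI project: it shows what a fat-pointer capability carries (base, length, cursor, permissions, validity tag), that every dereference is checked against it, and that derivation is monotonic, so bounds can only shrink and permissions can only be dropped. The `cap_` names, the two permission bits, and the 16-byte sample buffer are assumptions; real CHERI capabilities are compressed, tagged in hardware and manipulated by dedicated instructions rather than by these C functions.

```c
/* Software model of a CHERI-style fat-pointer capability.
 * Added illustration, not CHERI's code; names and bits are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_LOAD  0x1u
#define CAP_STORE 0x2u

struct cap {
    uint8_t *base;    /* lowest address the capability may touch */
    size_t   length;  /* bytes from base that are in bounds */
    size_t   offset;  /* current cursor relative to base */
    uint32_t perms;   /* CAP_LOAD | CAP_STORE */
    bool     tag;     /* cleared once the capability is invalid; never set again */
};

/* Root capability for one allocation, as a loader or allocator would hand out. */
static struct cap cap_root(uint8_t *buf, size_t len)
{
    struct cap c = { buf, len, 0, CAP_LOAD | CAP_STORE, true };
    return c;
}

/* Pointer arithmetic never faults by itself; an out-of-bounds cursor simply
 * makes every later dereference fail. */
static struct cap cap_incoffset(struct cap c, size_t n)
{
    c.offset += n;
    return c;
}

/* Narrow the bounds to [offset, offset + len). Any request that would widen
 * them clears the tag, so bounds only ever shrink (monotonicity). */
static struct cap cap_setbounds(struct cap c, size_t len)
{
    if (!c.tag || c.offset > c.length || len > c.length - c.offset) {
        c.tag = false;
        return c;
    }
    c.base += c.offset;
    c.length = len;
    c.offset = 0;
    return c;
}

/* Permissions can only be removed, never added. */
static struct cap cap_andperm(struct cap c, uint32_t mask)
{
    c.perms &= mask;
    return c;
}

/* Every dereference checks tag, permission and bounds. */
static bool cap_check(const struct cap *c, uint32_t need, size_t n)
{
    return c->tag && (c->perms & need) == need &&
           c->offset <= c->length && n <= c->length - c->offset;
}

static bool cap_load8(const struct cap *c, uint8_t *out)
{
    if (!cap_check(c, CAP_LOAD, 1))
        return false;
    *out = c->base[c->offset];
    return true;
}

static bool cap_store8(const struct cap *c, uint8_t v)
{
    if (!cap_check(c, CAP_STORE, 1))
        return false;
    c->base[c->offset] = v;
    return true;
}

static uint8_t cap_buf[16];   /* constructed sample allocation */

/* Derives a 4-byte read-only sub-capability over cap_buf[4..7] and returns
 * one bit per step (1 = the access succeeded). */
static unsigned cap_demo(void)
{
    unsigned r = 0;
    uint8_t v = 0;
    for (size_t i = 0; i < sizeof cap_buf; i++)
        cap_buf[i] = (uint8_t)(0x10 + i);

    struct cap root  = cap_root(cap_buf, sizeof cap_buf);
    struct cap sub   = cap_andperm(cap_setbounds(cap_incoffset(root, 4), 4), CAP_LOAD);
    struct cap last  = cap_incoffset(sub, 3);
    struct cap past  = cap_incoffset(sub, 4);
    struct cap grown = cap_setbounds(sub, 8);
    struct cap rw    = cap_incoffset(root, 4);

    r |= (unsigned)(cap_load8(&sub, &v) && v == 0x14)  << 0; /* first byte: ok */
    r |= (unsigned)(cap_load8(&last, &v) && v == 0x17) << 1; /* last byte: ok */
    r |= (unsigned)cap_load8(&past, &v)                << 2; /* one past the end: fault */
    r |= (unsigned)cap_store8(&sub, 0xAA)              << 3; /* no store permission: fault */
    r |= (unsigned)grown.tag                           << 4; /* widened bounds: untagged */
    r |= (unsigned)cap_store8(&rw, 0xAA)               << 5; /* root still read-write: ok */
    r |= (unsigned)(cap_load8(&sub, &v) && v == 0xAA)  << 6; /* store visible via sub: ok */
    return r;
}

int main(void)
{
    printf("outcome bits 0x%02x (expect 0x63)\n", cap_demo());
    return 0;
}
```

The off-by-one access (`past`) is the case the abstract's "byte-level" protection is about: a classic bounds check at allocation granularity would let a 4-byte window read the neighbouring byte, whereas the capability faults because the length travels with the pointer. The widening attempt shows why the model is sound even though it is program-managed: the program can derive new capabilities freely, but never one with more authority than it already holds.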
Jitsu: Just-In-Time Summoning of Unikernels
- In 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI '15)
Performance Optimizations for Isolated Driver Domains
- 2014
In most of today’s operating system architectures, device drivers are tightly coupled with other kernel components. In such systems, a fault caused by a malicious or faulty device driver often leads to complete system failure, thereby reducing the overall reliability of the system. Even though a majority of the operating systems provide protection mechanisms at the user level, they do not provide the same level of protection for kernel components. Using virtualization, device drivers can be executed in separate, isolated virtual machines, called driver domains. Such domains provide the same level of isolation to device drivers as operating systems provide to user level applications [20]. Domain-based isolation has the advantage that it is compatible with existing drivers and transparent to the kernel. However, domain-based isolation incurs significant performance overhead due to the necessary interdomain communication. This thesis investigates techniques for reducing this overhead. The key idea is to replace the interrupt-based notification between domains with a spinning-based approach, thus trading CPU capacity for increased throughput. We implemented a prototype, called the Isolated Device Driver system (IDDR), which includes front-end and back-end drivers and a communication module. We evaluated the im-