DOCSLIB.ORG

Intra-Unikernel Isolation with Intel Memory Protection Keys

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Intra-Unikernel Isolation with Intel Memory Protection Keys Mincheol Sung Pierre Olivier∗ Virginia Tech, USA The University of Manchester, United Kingdom [email protected] [email protected] Stefan Lankes Binoy Ravindran RWTH Aachen University, Germany Virginia Tech, USA [email protected] [email protected] Abstract ACM Reference Format: Mincheol Sung, Pierre Olivier, Stefan Lankes, and Binoy Ravin- Unikernels are minimal, single-purpose virtual machines. dran. 2020. Intra-Unikernel Isolation with Intel Memory Protec- This new operating system model promises numerous bene- tion Keys. In 16th ACM SIGPLAN/SIGOPS International Conference fits within many application domains in terms of lightweight- on Virtual Execution Environments (VEE ’20), March 17, 2020, Lau- ness, performance, and security. Although the isolation be- sanne, Switzerland. ACM, New York, NY, USA, 14 pages. https: tween unikernels is generally recognized as strong, there //doi.org/10.1145/3381052.3381326 is no isolation within a unikernel itself. This is due to the use of a single, unprotected address space, a basic principle 1 Introduction of unikernels that provide their lightweightness and perfor- Unikernels have gained attention in the academic research mance benefits. In this paper, we propose a new design that community, offering multiple benefits in terms of improved brings memory isolation inside a unikernel instance while performance, increased security, reduced costs, etc. As a keeping a single address space. We leverage Intel’s Memory result, the application domains for these minimal, single- Protection Key to do so without impacting the lightweight- application virtual machines are plentiful, encompassing ness and performance benefits of unikernels. We implement cloud- and edge-deployed micro-services/SaaS/FaaS-based our isolation scheme within an existing unikernel written software [6, 21, 22, 30, 44], server applications [22, 28, 29, 44, in Rust and use it to provide isolation between trusted and 53], NFV [12, 29–31], IoT [12, 15], HPC [25], efficient VM untrusted components: we isolate (1) safe kernel code from introspection/malware analysis [52], and regular desktop unsafe kernel code and (2) kernel code from user code. Eval- applications [36, 47]. uation shows that our system provides such isolation with One of the fundamental principles of unikernels is the very low performance overhead. Notably, the unikernel with elimination of the separation between kernel and user parts our isolation exhibits only 0.6% slowdown on a set of macro- of the address space. Thus, a unikernel instance running an benchmarks. application alongside the unikernel’s Library Operating Sys- tem (LibOS) possess a single and unprotected address space. CCS Concepts: • Software and its engineering ! Virtual Because of this particularity, it is possible for unikernels machines; Operating systems; Memory management; • Secu- to present interesting opportunities for performance ben- rity and privacy ! Virtualization and security; Oper- efits, such as replacing traditional system calls with regu- ating systems security. lar function calls [11, 34] so that significant mode switch overhead [45] can be avoided. However, from a security per- Keywords: Unikernels, Memory Protection Keys, Memory spective, a single and unprotected address space makes it so Safety that the entire unikernel must be viewed as a single unit of trust. Subversion of a kernel or application component will ∗Part of this work was done while Pierre Olivier was at Virginia Tech. result in the subversion of the entire unikernel with serious consequences, such as arbitrary code execution, critical data leaks or tampering, etc. VEE ’20, March 17, 2020, Lausanne, Switzerland We argue that the current level of isolation provided by © 2020 Association for Computing Machinery. unikernels is too coarse-grained for many scenarios. First, a This is the author’s version of the work. It is posted here for your personal single application may be made of mutually-untrusting com- use. Not for redistribution. The definitive Version of Record was published ponents [2, 49], such as if they came from different sources in 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE ’20), March 17, 2020, Lausanne, Switzerland, https://doi. with variable security coding standards. Second, regarding org/10.1145/3381052.3381326. the LibOS, although some are written in a memory-safe language [9, 24, 29, 51], they generally rely on untrusted VEE ’20, March 17, 2020, Lausanne, Switzerland Mincheol Sung, Pierre Olivier, Stefan Lankes, and Binoy Ravindran components for low level operations by using a traditional that should be enforced by the kernel. Our design allows unsafe language [9, 29, 51] or by using unsafe code blocks protecting the trusted components of the kernel from at- for languages such as Rust. Other unikernel LibOSes are tacks leveraging vulnerabilities in untrusted ones. We also written entirely in an unsafe language [18, 19, 25]. Third, in protect kernel space from unauthorized access by subverted scenarios where mutually untrusting components belong- user code. Our isolation techniques have a low overhead; ing to the same application need to be isolated [2, 16, 49], in particular, we still maintain the low system call latency a computing base that is trusted from the tenant point of feature of unikernels. view has to be established to enforce that isolation. In the current state of the unikernel model, this Trusted Comput- 2 Background and Motivation ing Base (TCB) cannot be the guest kernel as it is not itself In this section, we first describe the motivation for intra- isolated from the application. This implies falling back on unikernel isolation. Next, we give some background infor- the hypervisor to be this TCB, which is suboptimal from a mation about the unikernel we work with in this paper, performance standpoint. RustyHermit [24], as well as the programming language Several isolation mechanisms have been proposed in the it is written in (Rust) and the Intel MPK technology we use past to isolate an application’s untrusting components. They to provide isolation. operate at various levels: using hardware assisted virtualiza- 2.1 Unikernel and Isolation tion [3, 20], running components in different processes/using different page tables [2, 23], or using ISA extensions such A unikernel [29] consists of a single application compiled and as Intel SGX [1, 7]. None of these techniques can be easily statically linked with a minimal kernel LibOS. Unikernels single purpose applied to unikernels without breaking the single address are , i.e. one instance corresponds to one guest space principle and thus not only canceling the resulting VM running a single application on top of a hypervisor. A single and unprotected performance benefits but also introducing non-negligible unikernel instance also presents a address space additional performance overheads in the form of switching shared between the kernel and the application. costs [49]. All the code executes with the highest privilege level (for In this paper, we propose addressing the aforementioned example, ring 0 in x86-64) and thus there is no memory unikernel security issues by providing intra-unikernel iso- protection between kernel and user code/data in that address lation while maintaining the single address space feature space. of this OS model. To do so, we leverage the Intel Memory Such a model brings significant benefits in several do- Protection Keys (MPK) [10] technology. MPK is a new hard- mains [34], in particular in terms of performance [19, 25, 34]: ware primitive that provides per-thread permission control due to the elimination of kernel/user separation, system calls over groups of pages in a single address space with negli- can be replaced with regular function calls. This significantly gible switching overhead [35, 49], making it a compelling reduces system call latency, as there is no longer a costly candidate for use in unikernels. world switch between privilege levels [25]; expensive opera- We identify the various areas composing the address space tions such as page table switching [34] are eliminated. As a of a unikernel, i.e. the kernel’s safe/unsafe memory regions result, unikernels have been shown to outperform traditional (static data section, stack, and heap), and the user memory OSes in system intensive workloads [11]. regions (static data section, stack, and heap). Those areas are However, the lack of isolation within a unikernel (intra- isolated from each other by using MPK-based mechanisms to unikernel isolation) raises serious security concerns. Even enforce per-thread permissions on each memory area. Our if it executes a unique application, viewing a unikernel in- design principles are: it should (1) preserve a single address stance as a single and atomic unit of trust is too coarse- space; (2) isolate the various areas of the address space; and grained in current scenarios: a vulnerability in a relatively (3) have negligible cost. untrusted/vulnerable application component automatically We demonstrate our techniques on RustyHermit [24], a leads to the attacker taking over the entire system. In a unikernel written in Rust. This is done using an efficient unikernel, this concern also include kernel components, as isolation method for intra-unikernel components that relies there is no isolation between kernel and user space. We di- on easy-to-use code annotations made by the unikernel Li- vide intra-unikernel isolation issues into two categories: (1) bOS programmer. On top of that mechanism we implement the lack of isolation between kernel and user space and (2) two isolation policies. First, we isolate safe from unsafe Rust the lack of isolation between trusted and untrusted kernel kernel code so as to limit the possibilities for an attacker components in memory-safe unikernels. to exploit a vulnerability in the unsafe kernel code. Second, Lack of Isolation between Kernel and User Space. Mod- we re-introduce kernel and user space separation by isolat- ern applications are made of components (such as libraries) ing kernel from user code.
Recommended publications
  • Deciding Memory Safety for Single-Pass Heap-Manipulating Programs

    Deciding Memory Safety for Single-Pass Heap-Manipulating Programs

    Deciding Memory Safety for Single-Pass Heap-Manipulating Programs UMANG MATHUR, University of Illinois, Urbana-Champaign, USA ADITHYA MURALI, University of Illinois, Urbana-Champaign, USA PAUL KROGMEIER, University of Illinois, Urbana-Champaign, USA P. MADHUSUDAN, University of Illinois, Urbana-Champaign, USA MAHESH VISWANATHAN, University of Illinois, Urbana-Champaign, USA We investigate the decidability of automatic program verification for programs that manipulate heaps, andin particular, decision procedures for proving memory safety for them. We extend recent work that identified a decidable subclass of uninterpreted programs to a class of alias-aware programs that can update maps. We 35 apply this theory to develop verification algorithms for memory safetyÐ determining if a heap-manipulating program that allocates and frees memory locations and manipulates heap pointers does not dereference an unallocated memory location. We show that this problem is decidable when the initial allocated heap forms a forest data-structure and when programs are streaming-coherent, which intuitively restricts programs to make a single pass over a data-structure. Our experimental evaluation on a set of library routines that manipulate forest data-structures shows that common single-pass algorithms on data-structures often fall in the decidable class, and that our decision procedure is efficient in verifying them. CCS Concepts: • Theory of computation → Logic and verification; Automated reasoning. Additional Key Words and Phrases: Memory Safety, Program Verification, Aliasing, Decidability, Uninterpreted Programs, Streaming-Coherence, Forest Data-Structures ACM Reference Format: Umang Mathur, Adithya Murali, Paul Krogmeier, P. Madhusudan, and Mahesh Viswanathan. 2020. Deciding Memory Safety for Single-Pass Heap-Manipulating Programs. Proc. ACM Program.
  • A Linux in Unikernel Clothing Lupine

    A Linux in Unikernel Clothing Lupine

    A Linux in Unikernel Clothing Hsuan-Chi Kuo+, Dan Williams*, Ricardo Koller* and Sibin Mohan+ +University of Illinois at Urbana-Champaign *IBM Research Lupine Unikernels are great BUT: Unikernels lack full Linux Support App ● Hermitux: supports only 97 system calls Kernel LibOS + App ● OSv: ○ Fork() , execve() are not supported Hypervisor Hypervisor ○ Special files are not supported such as /proc ○ Signal mechanism is not complete ● Small kernel size ● Rumprun: only 37 curated applications ● Heavy ● Fast boot time ● Community is too small to keep it rolling ● Inefficient ● Improved performance ● Better security 2 Can Linux behave like a unikernel? 3 Lupine Linux 4 Lupine Linux ● Kernel mode Linux (KML) ○ Enables normal user process to run in kernel mode ○ Processes can still use system services such as paging and scheduling ○ App calls kernel routines directly without privilege transition costs ● Minimal patch to libc ○ Replace syscall instruction to call ○ The address of the called function is exported by the patched KML kernel using the vsyscall ○ No application changes/recompilation required 5 Boot time Evaluation Metrics Image size Based on: Unikernel benefits Memory footprint Application performance Syscall overhead 6 Configuration diversity ● 20 top apps on Docker hub (83% of all downloads) ● Only 19 configuration options required to run all 20 applications: lupine-general 7 Evaluation - Comparison configurations Lupine Cloud Operating Systems [Lupine-base + app-specific options] OSv general Linux-based Unikernels Kernel for 20 apps
  • “Sok: Eternal War in Memory”

    “Sok: Eternal War in Memory”

    “SoK: Eternal War in Memory” Presented by Mengjia Yan MIT 6.888 Fall 2020 Overview • Discuss the paper “SoK: Eternal War in Memory” with concrete examples • Recent progress on memory safety • With a focus on hardware/architecture 2 Motivation • C/C++ is unsafe • EveryboDy runs C/C++ coDe • They surely have exploitable vulnerabilities 3 Low-level Language Basics (C/C++/Assembly) 0x00..0000 • Programmers have more control + Efficient OS memory - Bugs - Programming productivity TEXT (code) Global/Static • Pointers DATA • Address of variables (uint64): index of memory location where variable is stored Heap • Programmers need to do pointer check, e.g. NULL, out-of-bound, use-after-free Stack 0xFF..FFFF 4 Low-level Language Basics 0x00..0000 TEXT (code) Heap Stack 0xFF..FFFF 5 Low-level Language Basics TEXT (code) stack 6 Attacks Code Injection Attack Example TEXT (code) int func (char *str) { Shell code: char buffer[12]; strncpy(buffer, str, len(str)); PUSH “/bin/sh” CALL system stack return 1; } int main() { …. func (input); … } 8 Code Injection Attack TEXT (code) TEXT (code) stack stack buffer Shell code … … Return addr Return addr 9 Attacks 10 Return-Oriented Programming (ROP) int func (char *str) { TEXT (code) TEXT (code) char buffer[12]; strncpy(buffer, str, len(str)); stack stack return 1; } …. int main() { buffer …. … … func (input); Return addr Return addr … } 11 Attacks 12 HeartBleed Vulnerability • Publicly DiscloseD in April 2014 • Bug in the OpenSSL cryptographic software library heartbeat extension • Missing a bound check 13 Attacks
  • Unikernel Monitors: Extending Minimalism Outside of the Box

    Unikernel Monitors: Extending Minimalism Outside of the Box

    Unikernel Monitors: Extending Minimalism Outside of the Box Dan Williams Ricardo Koller IBM T.J. Watson Research Center Abstract Recently, unikernels have emerged as an exploration of minimalist software stacks to improve the security of ap- plications in the cloud. In this paper, we propose ex- tending the notion of minimalism beyond an individual virtual machine to include the underlying monitor and the interface it exposes. We propose unikernel monitors. Each unikernel is bundled with a tiny, specialized mon- itor that only contains what the unikernel needs both in terms of interface and implementation. Unikernel mon- itors improve isolation through minimal interfaces, re- Figure 1: The unit of execution in the cloud as (a) a duce complexity, and boot unikernels quickly. Our ini- unikernel, built from only what it needs, running on a tial prototype, ukvm, is less than 5% the code size of a VM abstraction; or (b) a unikernel running on a spe- traditional monitor, and boots MirageOS unikernels in as cialized unikernel monitor implementing only what the little as 10ms (8× faster than a traditional monitor). unikernel needs. 1 Introduction the application (unikernel) and the rest of the system, as defined by the virtual hardware abstraction, minimal? Minimal software stacks are changing the way we think Can application dependencies be tracked through the in- about assembling applications for the cloud. A minimal terface and even define a minimal virtual machine mon- amount of software implies a reduced attack surface and itor (or in this case a unikernel monitor) for the applica- a better understanding of the system, leading to increased tion, thus producing a maximally isolated, minimal exe- security.
  • MPTEE: Bringing Flexible and Efficient Memory Protection to Intel

    MPTEE: Bringing Flexible and Efficient Memory Protection to Intel

    MPTEE: Bringing Flexible and Efficient Memory Protection to Intel SGX Wenjia Zhao Kangjie Lu* Yong Qi* Saiyu Qi Xi’an Jiaotong University University of Minnesota Xi’an Jiaotong University Xidian University University of Minnesota Abstract code, emerge in today’s market. In particular, Intel has pro- Intel Software Guard eXtensions (SGX), a hardware-based vided SGX in its commodity processors, which supports a se- Trusted Execution Environment (TEE), has become a promis- cure region, namely enclave, to protect the internally loaded ing solution to stopping critical threats such as insider attacks code and data. Given its important and practical protection, and remote exploits. SGX has recently drawn extensive re- SGX has been extensively studied and used in practice. For search in two directions—using it to protect the confidentiality example, SCONE [1] uses it to effectively enhance the secu- and integrity of sensitive data, and protecting itself from at- rity of containers with low overhead. JITGuard [17] leverages tacks. Both the applications and defense mechanisms of SGX it to protect the security-critical just-in-time compiler oper- have a fundamental need—flexible memory protection that ations. SGXCrypter[49] utilizes it to securely unpack and updates memory-page permissions dynamically and enforces execute Windows binaries. There are many other useful appli- the least-privilege principle. Unfortunately, SGX does not pro- cations [35], [34], [31],[6], which confirm the practical and vide such a memory-protection mechanism due to the lack of promising applications of SGX. hardware support and the untrustedness of operating systems. Another line of research is to protect SGX itself from at- This paper proposes MPTEE, a memory-protection mech- tacks.
  • Intel® Xeon® E3-1200 V5 Processor Family

    Intel® Xeon® E3-1200 V5 Processor Family

    Intel® Xeon® E3-1200 v5 Processor Family Specification Update May 2020 Revision 033 Reference Number: 333133-033US Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at Intel.com, or from the OEM or retailer. No computer system can be absolutely secure. Intel does not assume any liability for lost or stolen data or systems or any damages resulting from such losses. You may not use or facilitate the use of this document in connection with any infringement or other legal analysis concerning Intel products described herein. You agree to grant Intel a non-exclusive, royalty-free license to any patent claim thereafter drafted which includes subject matter disclosed herein. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. The products described may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. Intel® Turbo Boost Technology requires a PC with a processor with Intel Turbo Boost Technology capability. Intel Turbo Boost Technology performance varies depending on hardware, software and overall system configuration. Check with your PC manufacturer on whether your system delivers Intel Turbo Boost Technology. For more information, see http://www.intel.com/ content/www/us/en/architecture-and-technology/turbo-boost/turbo-boost-technology.html Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548- 4725 or by visiting www.intel.com/design/literature.htm.
  • Sok: Hardware Security Support for Trustworthy Execution

    Sok: Hardware Security Support for Trustworthy Execution

    SoK: Hardware Security Support for Trustworthy Execution Lianying Zhao1, He Shuang2, Shengjie Xu2, Wei Huang2, Rongzhen Cui2, Pushkar Bettadpur2, and David Lie2 1Carleton Universityz, Ottawa, ON, Canada 2University of Toronto, Toronto, ON, Canada Abstract—In recent years, there have emerged many new hard- contribute to lowering power consumption, which is critical ware mechanisms for improving the security of our computer for resource-constrained devices. systems. Hardware offers many advantages over pure software Furthermore, hardware is the Root of Trust (RoT) [48], as approaches: immutability of mechanisms to software attacks, better execution and power efficiency and a smaller interface it bridges the physical world (where human users reside) and allowing it to better maintain secrets. This has given birth to the digital world (where tasks run as software). To securely a plethora of hardware mechanisms providing trusted execution perform a task or store a secret, the user trusts at least part of environments (TEEs), support for integrity checking and memory the computer hardware. safety and widespread uses of hardware roots of trust. Dedicated hardware security support has seen its prolif- In this paper, we systematize these approaches through the lens eration since the early days of computers. It can take a of abstraction. Abstraction is key to computing systems, and the interface between hardware and software contains many abstrac- straightforward form as discrete components to assist the tions. We find that these abstractions, when poorly designed, can CPU, ranging from the industrial-grade tamper-responding both obscure information that is needed for security enforcement, IBM Cryptocards (e.g., 4758 [37]), Apple’s proprietary secure as well as reveal information that needs to be kept secret, leading enclave processor (SEP [84]) for consumer electronics, to the to vulnerabilities.
  • Operating System Support for Run-Time Security with a Trusted Execution Environment

    Operating System Support for Run-Time Security with a Trusted Execution Environment

    Operating System Support for Run-Time Security with a Trusted Execution Environment - Usage Control and Trusted Storage for Linux-based Systems - by Javier Gonz´alez Ph.D Thesis IT University of Copenhagen Advisor: Philippe Bonnet Submitted: January 31, 2015 Contents Preface2 1 Introduction4 1.1 Context.......................................4 1.2 Problem.......................................6 1.3 Approach......................................7 1.4 Contribution....................................9 1.5 Thesis Structure.................................. 10 I State of the Art 12 2 Trusted Execution Environments 14 2.1 Smart Cards.................................... 15 2.1.1 Secure Element............................... 17 2.2 Trusted Platform Module (TPM)......................... 17 2.3 Intel Security Extensions.............................. 20 2.3.1 Intel TXT.................................. 20 2.3.2 Intel SGX.................................. 21 2.4 ARM TrustZone.................................. 23 2.5 Other Techniques.................................. 26 2.5.1 Hardware Replication........................... 26 2.5.2 Hardware Virtualization.......................... 27 2.5.3 Only Software............................... 27 2.6 Discussion...................................... 27 3 Run-Time Security 30 3.1 Access and Usage Control............................. 30 3.2 Data Protection................................... 33 3.3 Reference Monitors................................. 36 3.3.1 Policy Enforcement............................. 36 3.3.2
  • Assessing Unikernel Security April 2, 2019 – Version 1.0

    Assessing Unikernel Security April 2, 2019 – Version 1.0

    NCC Group Whitepaper Assessing Unikernel Security April 2, 2019 – Version 1.0 Prepared by Spencer Michaels Jeff Dileo Abstract Unikernels are small, specialized, single-address-space machine images constructed by treating component applications and drivers like libraries and compiling them, along with a kernel and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than full-OS virtual machines and containers. We surveyed two major unikernels, Rumprun and IncludeOS, and found that this was decidedly not the case: unikernels, which in many ways resemble embedded systems, appear to have a similarly minimal level of security. Features like ASLR, W^X, stack canaries, heap integrity checks and more are either completely absent or seriously flawed. If an application running on such a system contains a memory corruption vulnerability, it is often possible for attackers to gain code execution, even in cases where the applica- tion’s source and binary are unknown. Furthermore, because the application and the kernel run together as a single process, an attacker who compromises a unikernel can immediately exploit functionality that would require privilege escalation on a regular OS, e.g. arbitrary packet I/O. We demonstrate such attacks on both Rumprun and IncludeOS unikernels, and recommend measures to mitigate them. Table of Contents 1 Introduction to Unikernels . 4 2 Threat Model Considerations . 5 2.1 Unikernel Capabilities ................................................................ 5 2.2 Unikernels Versus Containers .......................................................... 5 3 Hypothesis . 6 4 Testing Methodology . 7 4.1 ASLR ................................................................................ 7 4.2 Page Protections ....................................................................
  • “A Linux in Unikernel Clothing”

    “A Linux in Unikernel Clothing”

    Lupine Linux “A Linux in Unikernel Clothing” Dan Williams (IBM) With Hsuan-Chi (Austin) Kuo (UIUC + IBM), Ricardo Koller (IBM), Sibin Mohan (UIUC) Roadmap • Context • Containers and isolation • Unikernels • Nabla containers • Lupine Linux • A linux in unikernel clothing • Concluding thoughts 2 Containers are great! • Have changed how applications are packaged, deployed and developed • Normal processes, but “contained” • Namespaces, cgroups, chroot • Lightweight • Start quickly, “bare metal” • Easy image management (layered fs) • Tooling/orchestration ecosystem 3 But… High level of • Large attack surface to the host abstraction (e.g., system • Limits adoption of container-first architecture calls) app • Fortunately, we know how to reduce attack surface! Host Kernel with namespacing (e.g., Linux) Containers 4 Deprivileging and unsharing kernel functionality Low level of High level of • Virtual machines (VMs) abstraction abstraction • Guest kernel (e.g., virtual (e.g., system app hardware) calls) • Thin interface Guest Kernel app (e.g., Linux) Monitor Process (e.g., QEMU) Host Kernel with Host Kernel/Hypervisor namespacing (e.g., Linux/KVM) (e.g., Linux) VMs Containers 5 Deprivileging and unsharing kernel functionality Low level of High level of • Virtual machines (VMs) abstraction abstraction • Guest kernel (e.g., virtual (e.g., system app hardware) calls) • Thin interface • Userspace kernel Guest Kernel app • Performance issues (e.g., Linux) Monitor Process (e.g., QEMU) Host Kernel with Host Kernel/Hypervisor namespacing (e.g., Linux/KVM)
  • Jails and Unikernels

    Jails and Unikernels

    Virtualisation: Jails and Unikernels Advanced Operating Systems Lecture 18 Colin Perkins | https://csperkins.org/ | Copyright © 2017 | This work is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. Lecture Outline • Alternatives to full virtualisation • Sandboxing processes: • FreeBSD jails and Linux containers • Container management • Unikernels and library operating systems Colin Perkins | https://csperkins.org/ | Copyright © 2017 2 Alternatives to Full Virtualisation • Full operating system virtualisation is expensive • Need to run a hypervisor • Need to run a complete guest operating system instance for each VM • High memory and storage overhead, high CPU load from running multiple OS instances on a single machine – but excellent isolation between VMs • Running multiple services on a single OS instance can offer insufficient isolation • All must share the same OS • A bug in a privileged service can easily compromise entire system – all services running on the host, and any unrelated data • A sandbox is desirable – to isolate multiple services running on a single operating system Colin Perkins | https://csperkins.org/ | Copyright © 2017 3 Sandboxing: Jails and Containers • Concept – lightweight virtualisation • A single operating system kernel • Multiple services /bin • Each service runs within a jail a service specific container, running just what’s needed /bin /dev for that application /dev /etc /etc /mail /home /home /jail /www /lib • Jail restricted to see only a subset of the / /lib /local /usr filesystem and processes of the host /usr /lib /sbin • A sandbox within the operating system /sbin /sbin /tmp /tmp /share /var • Partially virtualised /var Colin Perkins | https://csperkins.org/ | Copyright © 2017 4 Example: FreeBSD Jail subsystem Jails: Confining the omnipotent root.
  • ERIM: Secure, Efficient In-Process Isolation with Protection Keys (MPK)

    ERIM: Secure, Efficient In-Process Isolation with Protection Keys (MPK)

    ERIM: Secure, Efficient In-process Isolation with Protection Keys (MPK) AnjoVahldiek-Oberwagner EslamElnikety NunoO.Duarte Michael Sammler Peter Druschel Deepak Garg Max Planck Institute for Software Systems (MPI-SWS), Saarland Informatics Campus Abstract prevent control-flow hijacks [30], which could circumvent Isolating sensitive state and data can increase the security the bounds checks. On x86-64, pointer masking-based SFI and robustness of many applications. Examples include pro- techniques like Native Client [42] incur overheads of up to tecting cryptographic keys against exploits like OpenSSL’s 42% on the execution of untrusted code [30]. Even with Heartbleed bug or protecting a language runtime from na- hardware-supported bounds checks, like those supported by tive libraries written in unsafe languages. When runtime the IntelMPX ISA extension[26], the overheadis up to 30%, references across isolation boundaries occur relatively in- as shown in by Koning et al. [30] and later in Section 6.5. frequently, then conventional page-based hardware isola- Another approach is to use hardware page protection for tion can be used, because the cost of kernel- or hypervisor- memory isolation [9, 10, 13, 32, 33, 34]. Here, access checks mediated domain switching is tolerable. However, some are performed in hardware as part of the address translation applications, such as the isolation of cryptographic session with no additional overhead on execution within a compo- keys in network-facing services, require very frequent do- nent. However, transferring control between components main switching. In such applications, the overheadof kernel- requires a switch to kernel or hypervisor mode in order to or hypervisor-mediated domain switching is prohibitive.