Flexos-Hotos21

Flexos-Hotos21

The University of Manchester Research FlexOS: making OS isolation flexible DOI: 10.1145/3458336.3465292 Document Version Final published version Link to publication record in Manchester Research Explorer Citation for published version (APA): Lefeuvre, H., Bdoiu, V-A., Teodorescu, S. L., Mosnoi, T., Raiciu, C., Olivier, P., Deaconescu, R., & Huici, F. (2021). FlexOS: making OS isolation flexible. In HotOS '21: Proceedings of the Workshop on Hot Topics in Operating Systems (pp. 79–87). Association for Computing Machinery. https://doi.org/10.1145/3458336.3465292 Published in: HotOS '21: Proceedings of the Workshop on Hot Topics in Operating Systems Citing this paper Please note that where the full-text provided on Manchester Research Explorer is the Author Accepted Manuscript or Proof version this may differ from the final Published version. If citing, it is advised that you check and use the publisher's definitive version. General rights Copyright and moral rights for the publications made accessible in the Research Explorer are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Takedown policy If you believe that this document breaches copyright please refer to the University of Manchester’s Takedown Procedures [http://man.ac.uk/04Y6Bo] or contact [email protected] providing relevant details, so we can investigate your claim. Download date:06. Oct. 2021 FlexOS: Making OS Isolation Flexible Hugo Lefeuvre Vlad-Andrei Bădoiu The University of Manchester University Politehnica of Bucharest S, tefan Teodorescu Pierre Olivier Tiberiu Mosnoi University Politehnica of Bucharest The University of Manchester University Politehnica of Bucharest Răzvan Deaconescu Felipe Huici Costin Raiciu University Politehnica of Bucharest NEC Laboratories Europe GmbH University Politehnica of Bucharest Abstract 2021. FlexOS: Making OS Isolation Flexible. In Workshop on Hot Top- OS design is traditionally heavily intertwined with protection ics in Operating Systems (HotOS ’21), May 31–June 2, 2021, Ann Arbor, MI, USA. ACM, New York, NY, USA, 9 pages. https://doi.org/10.1145/ mechanisms. OSes statically commit to one or a combina- 3458336.3465292 tion of (1) hardware isolation, (2) runtime checking, and (3) software verification early at design time. Changes after de- 1 Introduction ployment require major refactoring; as such, they are rare and costly. In this paper, we argue that this strategy is at odds To create secure and fast software, programmers can use three with recent hardware and software trends: protections break main approaches offering various trade-offs between human (Meltdown), hardware becomes heterogeneous (Memory Pro- effort, safety guarantees and runtime performance: software tection Keys, CHERI), and multiple mechanisms can now be verification, runtime checking and hardware isolation. To- used for the same task (software hardening, verification, HW day’s software statically commits to one or a combination of isolation, etc). In short, the choice of isolation strategy and these approaches. At design time, systems are built around the primitives should be postponed to deployment time. protection ensuing from these mechanisms; changing them We present FlexOS, a novel, modular OS design whose com- after deployment is rare and costly. partmentalization and protection profile can seamlessly be In operating systems, the current landscape (illustrated on tailored towards a specific application or use-case at build Figure 1) broadly consists of micro-kernels [24, 29], which time. FlexOS offers a language to describe components’ se- favor hardware protection and verification over performance, curity needs/behavior, and to automatically derive from it a monolithic kernels [8], which choose privilege separation compartmentalization strategy. We implement an early proto- and address spaces to isolate apps, but assume all kernel code type of FlexOS that can automatically generate a large array is trusted, and single-address-space OSes (SASOSes), which of different OSes implementing different security strategies. attempt to bring isolation within the address space [10, 23, 32], or dump all protection for maximum performance [30, 36, 43]. CCS Concepts OS implementations are heavily interlinked with the pro- • Software and its engineering ! Operating systems; • tection mechanisms they rely upon, making changes to them Security and privacy ! Operating systems security. difficult to implement. For instance, removing user/kernel separation [37] requires a lot of engineering effort, as does ACM Reference Format: breaking down a process into multiple address spaces for HugoLefeuvre,Vlad-AndreiBădoiu,S, tefanTeodorescu,PierreOlivier, isolation purposes [27]. This is the case despite the fact that Tiberiu Mosnoi, Răzvan Deaconescu, Felipe Huici, and Costin Raiciu. alternative approaches can be used to provide the same guar- antees. First, verification and software hardening (SH) such Permission to make digital or hard copies of all or part of this work for as SFI can help ensure memory isolation between separate personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear components even if they run in the same address space, thus this notice and the full citation on the first page. Copyrights for components avoiding the need for hardware isolation [19, 52]. Second, of this work owned by others than ACM must be honored. Abstracting with hardware isolation, SH and runtime property checking can credit is permitted. To copy otherwise, or republish, to post on servers or to be used to check that certain correctness properties hold (e.g. redistribute to lists, requires prior specific permission and/or a fee. Request when specified as pre and post conditions), thus relieving permissions from [email protected]. the user from needing to prove code correctness statically HotOS ’21, May 31–June 2, 2021, Ann Arbor, MI, USA © 2021 Association for Computing Machinery. against a specification [47]. Third, both software verification ACM ISBN 978-1-4503-8438-4/21/05...$15.00 and protection domains can be used to ensure (a form of) https://doi.org/10.1145/3458336.3465292 control-flow integrity between components, guaranteeing 79 HotOS ’21, May 31–June 2, 2021, Ann Arbor, MI, USA Lefeuvre et al. e r u Legend c for each compartment. FlexOS allows developers to easily y e FlexOS Good compatibility t s i r e with existing apps. r Micro/ Tradeoff explore the trade-offs than can be achieved with different u o Less compatible c M Separation Area e kernels Monolithic OS research trends isolation technologies and granularities, and to select the best S e r u kernels c SAS/ security/performance profile for their use case. Concretely, e s Dataplane s s OSes our research contributions are: e L Slower Faster • ThedesignandimplementationofFlexOS,anovelframe- Performance Figure 1: Design space of OS kernels. work for effortlessly investigating performance vs. se- curity trade-offs in operating systems. that code execution starts only at well-defined entry points, • The identification of fundamental primitives that are without needing software runtime checks [53]. needed in order to provide isolation and protection via The rigid use of safety primitives in modern OSes poses a wide range of software and hardware-based mecha- a number of problems. First, when the protection offered by nisms. hardware primitives breaks down (e.g. Meltdown), it is dif- • A preliminary evaluation showing how FlexOS can be ficult to decide how they should be replaced, and with what used to explore a wide array of security/performance costs. In cases where multiple mechanisms can be used for the profiles for two apps: iperf and Redis. same task (e.g. SH and verification), choosing the primitive that provides the best performance depends on many factors 2 Design Overview such as the hardware, the workload, etc., and should ideally The goal of FlexOS is to allow developers and OS researchers be postponed to deployment time, not design time. Locking to easily inspect and select different points in the security the design to a certain isolation primitive will result in poor vs. performance trade-off space. Exploring such a space isfar performance in many scenarios. from trivial, and our aim is also to automate such exploration. Second,computerhardwareisbecomingheterogeneous[54] Here, various strategies could be followed: and certain primitives are hardware-dependent (e.g. Intel • Given a performance target and a set of predefined com- Memory Protection Keys – MPK [12]). When running the partments (e.g. isolate the application and the network same software on different hardware, how can we minimize stack from everything else), find the combination of the porting effort while preserving safety? isolation primitives that maximizes security within a Software modularization should, in principle, provide bet- certain performance budget. ter robustness and security. Most software, including OSes, • Given a set of safety requirements (e.g. no buffer over- integrates modules from different sources, with various levels flows), find a compliant instantiation that yields the of trust. Unfortunately, the isolation primitives assumed by best performance or that can run on the largest number the module designers affect the way in which a module canbe of devices (based

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    10 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us