Yiming Zhang,Chengfei Zhang,Yaozheng Wang,Kai Yu,Guangtao Xue,Jon Crowcroft

DOI: https://doi.org/10.1145/3436512

2021-01-01

ACM Transactions on Computer Systems

Abstract:Unikernel specializes a minimalistic LibOS and a target application into a standalone single-purpose virtual machine (VM) running on a hypervisor, which is referred to as (virtual) appliance. Compared to traditional VMs, Unikernel appliances have smaller memory footprint and lower overhead while guaranteeing the same level of isolation. On the downside, Unikernel strips off the process abstraction from its monolithic appliance and thus sacrifices flexibility, efficiency, and applicability. In this article, we examine whether there is a balance embracing the best of both Unikernel appliances (strong isolation) and processes (high flexibility/efficiency). We present KylinX, a dynamic library operating system for simplified and efficient cloud virtualization by providing the pVM (process-like VM) abstraction. A pVM takes the hypervisor as an OS and the Unikernel appliance as a process allowing both page-level and library-level dynamic mapping. At the page level, KylinX supports pVM fork plus a set of API for inter-pVM communication (IpC, which is compatible with conventional UNIX IPC). At the library level, KylinX supports shared libraries to be linked to a Unikernel appliance at runtime. KylinX enforces mapping restrictions against potential threats. We implement a prototype of KylinX by modifying MiniOS and Xen tools. Extensive experimental results show that KylinX achieves similar performance both in micro benchmarks (fork, IpC, library update, etc.) and in applications (Redis, web server, and DNS server) compared to conventional processes, while retaining the strong isolation benefit of VMs/Unikernels.

Guanyu Li,Dong Du,Yubin Xia

DOI: https://doi.org/10.1186/s42400-020-00051-9

2020-01-01

Abstract:Unikernel,specializing a minimalistic libOS with an application,is an attractive design for cloud computing.However,the Achilles' heel of unikernel is the lack of multi-process support,which makes it less flexible and applicable.Many applications rely on the process abstraction to isolate different components.For example,Apache with the multi-processing module isolates a request handler in a process to guarantee security.Prior art tackles the problem by simulating multi-process with multiple unikernels,which is incompatible with existing cloud providers and also introduces high overhead.This paper proposes Iso-UniK,a new unikernel design enabling multi-task applications with the support of both functionality and isolation.Iso-UniK leverages a recent hardware feature,named Intel Memory Protection Key (Intel MPK),to provide lightweight and efficient isolation for multi-process in unikernel.Our design has three benefits compared with previous approaches.First,Iso-UniK does not need hypervisor support and is thus compatible with existing cloud computing platforms;second,Iso-UniK promises fast system calls with only 45 cycles;last,a process can be isolated with a flexible configuration.We have implemented a prototype based on OSv,a unikernel system supporting unmodified applications.Iso-UniK can achieve fast fork operation with only 66μs for multi-process applications.Our evaluation shows that the isolation and multi-process support in Iso-UniK will not damage the applications' performance.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Dong Du,Zhichao Hua,Yubin Xia,Binyu Zang,Haibo Chen

DOI: https://doi.org/10.1145/3307650.3322218

2019-01-01

Abstract:Microkernel has many intriguing features like security, fault-tolerance, modularity and customizability, which recently stimulate a resurgent interest in both academia and industry (including seL4, QNX and Google's Fuchsia OS). However, IPC (inter-process communication), which is known as the Achilles' Heel of microkernels, is still the major factor for the overall (poor) OS performance. Besides, IPC also plays a vital role in monolithic kernels like Android Linux, as mobile applications frequently communicate with plenty of user-level services through IPC. Previous software optimizations of IPC usually cannot bypass the kernel which is responsible for domain switching and message copying/remapping; hardware solutions like tagged memory or capability replace page tables for isolation, but usually require non-trivial modification to existing software stack to adapt the new hardware primitives. In this paper, we propose a hardware-assisted OS primitive, XPC (Cross Process Call), for fast and secure synchronous IPC. XPC enables direct switch between IPC caller and callee without trapping into the kernel, and supports message passing across multiple processes through the invocation chain without copying. The primitive is compatible with the traditional address space based isolation mechanism and can be easily integrated into existing microkernels and monolithic kernels. We have implemented a prototype of XPC based on a Rocket RISC-V core with FPGA boards and ported two microkernel implementations, seL4 and Zircon, and one monolithic kernel implementation, Android Binder, for evaluation. We also implement XPC on GEM5 simulator to validate the generality. The result shows that XPC can reduce IPC call latency from 664 to 21 cycles, up to 54.2x improvement on Android Binder, and improve the performance of real-world applications on microkernels by 1.6x on Sqlite3 and 10x on an HTTP server with minimal hardware resource cost.

Ali Raza,Thomas Unger,Matthew Boyd,Eric Munson,Parul Sohal,Ulrich Drepper,Richard Jones,Daniel Bristot de Oliveira,Larry Woodman,Renato Mancuso,Jonathan Appavoo,Orran Krieger

DOI: https://doi.org/10.1145/3552326.3587458

2023-06-23

Abstract:This paper presents Unikernel Linux (UKL), a path toward integrating unikernel optimization techniques in Linux, a general purpose operating system. UKL adds a configuration option to Linux allowing for a single, optimized process to link with the kernel directly, and run at supervisor privilege. This UKL process does not require application source code modification, only a re-link with our, slightly modified, Linux kernel and glibc. Unmodified applications show modest performance gains out of the box, and developers can further optimize applications for more significant gains (e.g. 26% throughput improvement for Redis). UKL retains support for co-running multiple user level processes capable of communicating with the UKL process using standard IPC. UKL preserves Linux's battle-tested codebase, community, and ecosystem of tools, applications, and hardware support. UKL runs both on bare-metal and virtual servers and supports multi-core execution. The changes to the Linux kernel are modest (1250 LOC).

Operating Systems

Zihan Yang,Zeyu Mi,Yubin Xia

DOI: https://doi.org/10.1109/sose.2019.00044

2019-01-01

Abstract:The prevalence of Cloud Computing has appealed many users to put their business into low-cost and flexible cloud servers instead of bare-metal machines. Most virtual machines in the cloud run commodity operating system(e.g., linux), and the complexity of such operating systems makes them more bug-prone and easier to be compromised. To mitigate the security threats, previous works attempt to mediate and filter system calls, transform all unpopular paths into popular paths, or implement a nested kernel along with the untrusted outter kernel to enforce certain security policies. However, such solutions only enforce read-only protection or assume that popular paths in the kernel to contain almost no bug, which is not always the case in the real world. To overcome their shortcomings and combine their advantages as much as possible, we propose a hardware-assisted isolation mechanism that isolates untrusted part of the kernel. To achieve isolation, we prepare multiple restricted Extended Page Table (EPT) during boot time, each of which has certain critical data unmapped from it so that the code executing in the isolated environment could not access sensitive data. We leverage the VMFUNC instruction already available in recent Intel processors to directly switch to another pre-defined EPT inside guest virtual machine without trapping into the underlying hypervisor, which is faster than the traditional trap-and-emulate procedure. The semantic gap is minimized and real-time check is achieved by allowing EPT violations to be converted to Virtualization Exception (VE), which could be handled inside guest kernel in non-root mode. Our preliminary evaluation shows that with hardware virtualization feature, we are able to run the untrusted code in an isolated environment with negligible overhead.

Guoxi Li,Wenhai Lin,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-030-38991-8_12

2020-01-01

Abstract:Many projects of virtualized processes are emerging for less overhead than traditional virtual machines and more isolation than containers. A virtualized process uses hardware virtualization to provide a process abstraction. The virtualized processes are deemed as inefficient compared against native processes using system calls since hypercalls they use cause high-overhead context switches. However, current performance of system calls is severely damaged by Kernel Page Table Isolation (KPTI) while hypercalls are unaffected. Unexpectedly, that gives hopes for virtualized processes to reach competitive performance against native processes. In this paper, we propose and implement Exit-Less Hypercall, a new style of execution framework in virtualized processes by introducing asynchronity, new thread models and adaptive migration. We evaluate the prototype and make a detailed analysis on the impacts of context switches from the native and virtualized processes with KPTI. Moreover, the experiments also show that Exit-Less Hypercall achieves a good performance improvement of up to 121% on virtualized processes using legacy hypercalls and even outperforms native processes using legacy system calls with KPTI by 81%.

Youhui Wang,Xiaoling Hong,Liang Wang

2006-01-01

Abstract:As computing is becoming increasingly ubiquitous today, it would be very attractive for common computer users to access same personalized desktop environment, including personal documents, applications and customizations, on any compatible PC anytime and anywhere. This paper presents such a solution for Windows systems based on user-level virtualization technologies. Namely, the user’s data, applications and their configurations are stored on a portable USB device. At run-time, the portable desktop-applications on the device will run in a usermode virtualization environment where some resource (registry, files/directories, environment variables, etc.) accessing APIs are intercepted and redirected to the portable device as necessary. In user’s view, she can access her personalized applications and data conveniently on any compatible computer, although they do not exist on local disks of the host computer. This paper describes the whole design, technical details and performance evaluation, and presents a demo application. Compared with some existing solutions based on virtual machine technologies, this solution is more efficient in performance and storage capacity.

Keyang Hu,Wang Huang,Lei Wang,Ce Mo,Runxiang Wang,Yu Chen,Ju Ren,Bo Jiang

DOI: https://doi.org/10.1016/j.sysarc.2024.103199

IF: 5.836

2024-01-01

Journal of Systems Architecture

Abstract:Unikernels are simple, customizable, efficient, and small in code size, which makes them highly applicable to embedded scenarios. However, most existing unikernels are developed and optimized for cloud computing, and they do not fully meet the requirements of high reliability and platform customization in embedded environments. We propose Unishyper, a reliable and high-performance embedded unikernel in Rust. To support memory isolation between user applications, user code, and kernel code, Unishyper designs the Zone mechanism on top of Intel MPK. Unishyper further proposes a thread-level unwind strategy for safe fault handling while avoiding memory leakage. Finally, Unishyper supports fine-grained customization, seamlessly integrates with the Rust ecosystem, and uses Unilib for function offloading to further reduce image size. Our evaluation results show that Unishyper achieves better performance than peer unikernels on major micro-benchmarks, can effectively stop illegal memory accesses across application boundaries, and has a minimal memory footprint of less than 100 KB.

Hsuan-Chi Kuo,Akshith Gunasekaran,Yeongjin Jang,Sibin Mohan,Rakesh B. Bobba,David Lie,Jesse Walker

DOI: https://doi.org/10.48550/arXiv.1903.06889

2019-03-16

Abstract:We present, MultiK, a Linux-based framework 1 that reduces the attack surface for operating system kernels by reducing code bloat. MultiK "orchestrates" multiple kernels that are specialized for individual applications in a transparent manner. This framework is flexible to accommodate different kernel code reduction techniques and, most importantly, run the specialized kernels with near-zero additional runtime overheads. MultiK avoids the overheads of virtualization and runs natively on the system. For instance, an Apache instance is shown to run on a kernel that has (a) 93.68% of its code reduced, (b) 19 of 23 known kernel vulnerabilities eliminated and (c) with negligible performance overheads (0.19%). MultiK is a framework that can integrate with existing code reduction and OS security techniques. We demonstrate this by using D-KUT and S-KUT -- two methods to profile and eliminate unwanted kernel code. The whole process is transparent to the user applications because MultiK does not require a recompilation of the application.

Operating Systems

Disheng Su,Wenzhi Chen,Wei Huang,Haitao Shan,Yunhong Jiang

DOI: https://doi.org/10.1145/1519130.1519137

2009-01-01

Abstract:ABSTRACTEmbedded systems are making rapid changes and becoming increasingly sophisticated. To make full use of all the hardware resources on the system, multi OS environments and virtualization are both feasible ways but either needs lots of porting efforts or suffers performance degradation without hardware support for virtualization. We propose a virtualization platform for embedded system named the SmartVisor to provide a PC-compatible layer for guest OS, and it gains native-like performance while keeping zero-modification to guest OS by leveraging KVM and Intel's Atom embedded processor. SmartVisor realizes device pass-through by identity mapping of the guest memory and implements a Direct-Shadow mechanism to get rid of majority part of VMExit overhead. Measurement result shows the benefits of SmartVisor and deeper study of host-swapping reveals the potential advantages of SmartVisor on embedded systems.

Bumjin Im,Fangfei Yang,Chia-Che Tsai,Michael LeMay,Anjo Vahldiek-Oberwagner,Nathan Dautenhahn

DOI: https://doi.org/10.48550/arXiv.2108.03705

2021-08-11

Abstract:Commodity applications contain more and more combinations of interacting components (user, application, library, and system) and exhibit increasingly diverse tradeoffs between isolation, performance, and programmability. We argue that the challenge of future runtime isolation is best met by embracing the multi-principle nature of applications, rethinking process architecture for fast and extensible intra-process isolation. We present, the Endokernel, a new process model and security architecture that nests an extensible monitor into the standard process for building efficient least-authority abstractions. The Endokernel introduces a new virtual machine abstraction for representing subprocess authority, which is enforced by an efficient self-isolating monitor that maps the abstraction to system level objects (processes, threads, files, and signals). We show how the Endokernel can be used to develop specialized separation abstractions using an exokernel-like organization to provide virtual privilege rings, which we use to reorganize and secure NGINX. Our prototype, includes a new syscall monitor, the nexpoline, and explores the tradeoffs of implementing it with diverse mechanisms, including Intel Control Enhancement Technology. Overall, we believe sub-process isolation is a must and that the Endokernel exposes an essential set of abstractions for realizing this in a simple and feasible way.

Cryptography and Security

陈文智,姚远,杨建华,何钦铭

DOI: https://doi.org/10.3724/sp.j.1016.2009.01311

2009-01-01

Chinese Journal of Computers

Abstract:With the rapidly development of personal computer hardware,to construct multiple isolated computing domains through virtualization technology has already become a future direction of PC. To avoid the difficulties caused by implementing VMM on traditional IA-32 architecture through software virtualization technology,the authors designed and implemented a VMM based on Intel VT-x technology — Pcanel/V2. Pcanel/V2 utilizes the latest hardware virtualization technology to configure a controllable virtual execution environment and run multiple operating systems directly without any modification of source code. While the accesses to hardware resources by the guest operating system are monitored,various sensitive situations which occur in the guest operating system can also be handled correspondingly by Pcanel/V2. Concurrent execution of Linux and VxWorks on Pcanel/V2 has been realized and corresponding evaluation results show that Pcanel/V2 architecture simplifies the complexity of the design process while increasing the overall performance by approximately 10% compared to software virtual technology.

Jinyu Gu,Xinyue Wu,Wentai Li,Nian Liu,Zeyu Mi,Yubin Xia,Haibo Chen

2020-01-01

Abstract:This paper presents UnderBridge, a redesign of traditional microkernel OSes to harmonize the tension between messaging performance and isolation. UnderBridge moves the OS components of a microkernel between user space and kernel space at runtime while enforcing consistent isolation. It retrofits Intel Memory Protection Key for Userspace (PKU) in kernel space to achieve such isolation efficiently and design a fast IPC mechanism across those OS components. Thanks to PKU's extremely low overhead, the inter-process communication (IPC) roundtrip cost in UnderBridge can be as low as 109 cycles. We have designed and implemented a new microkernel called ChCore based on UnderBridge and have also ported UnderBridge to three mainstream microkernels, i.e., seL4, Google Zircon, and Fiasco.OC. Evaluations show that UnderBridge speeds up the IPC by 3.0× compared with the state-of-the-art (e.g., SkyBridge) and improves the performance of IPC-intensive applications by up to 13.1× for the above three microkernels.

Chao Wu,Yaoxue Zhang,Yuezhi Zhou,Qiushi Li

DOI: https://doi.org/10.1007/978-3-030-05051-1_38

2018-01-01

Abstract:This paper envisions a future in which high performance and energy-modest parallel computing on low-end edge devices were achieved through cross-device functionality abstraction to make them interactive to cloud machines. Rather, there has been little exploration of the overall optimization into kernel processing can deliver for increasingly popular but heavy burden on low-end edge devices. Our idea here is to extend the capability of functionality abstraction across edge clients and cloud servers to identify the computation-intensive code regions automatically and execute the instantiation on the server at runtime. This paper is an attempt to explore this vision, ponder on the principle, and take the first steps towards addressing some of the challenges with Open image in new window . As a kernel-level solution, Open image in new window enables edge devices to abstract not only application layer but also system layer functionalities, as if they were to instantiate the abstracted function inside the same Open image in new window kernel programming. Experimental results demonstrate that Open image in new window makes cross-kernel functionality abstraction efficient for low-end edge devices and benefits them significant performance optimization than the default scheme unless in a constraint of low transmission bandwidth.

Benshan Mei,Saisai Xia,Wenhao Wang,Dongdai Lin

2024-07-18

Abstract:Confidential computing safeguards sensitive computations from untrusted clouds, with Confidential Virtual Machines (CVMs) providing a secure environment for guest OS. However, CVMs often come with large and vulnerable operating system kernels, making them susceptible to attacks exploiting kernel weaknesses. The imprecise control over the read/write access in the page table has allowed attackers to exploit vulnerabilities. The lack of security hierarchy leads to insufficient separation between untrusted applications and guest OS, making the kernel susceptible to direct threats from untrusted programs. This study proposes Cabin, an isolated execution framework within guest VM utilizing the latest AMD SEV-SNP technology. Cabin shields untrusted processes to the user space of a lower virtual machine privilege level (VMPL) by introducing a proxy-kernel between the confined processes and the guest OS. Furthermore, we propose execution protection mechanisms based on fine-gained control of VMPL privilege for vulnerable programs and the proxy-kernel to minimize the attack surface. We introduce asynchronous forwarding mechanism and anonymous memory management to reduce the performance impact. The evaluation results show that the Cabin framework incurs a modest overhead (5% on average) on Nbench and WolfSSL benchmarks.

Cryptography and Security

Ruslan Nikolaev,Mincheol Sung,Binoy Ravindran

DOI: https://doi.org/10.1145/3381052.3381316

2020-02-21

Abstract:We present LibrettOS, an OS design that fuses two paradigms to simultaneously address issues of isolation, performance, compatibility, failure recoverability, and run-time upgrades. LibrettOS acts as a microkernel OS that runs servers in an isolated manner. LibrettOS can also act as a library OS when, for better performance, selected applications are granted exclusive access to virtual hardware resources such as storage and networking. Furthermore, applications can switch between the two OS modes with no interruption at run-time. LibrettOS has a uniquely distinguishing advantage in that, the two paradigms seamlessly coexist in the same OS, enabling users to simultaneously exploit their respective strengths (i.e., greater isolation, high performance). Systems code, such as device drivers, network stacks, and file systems remain identical in the two modes, enabling dynamic mode switching and reducing development and maintenance costs. To illustrate these design principles, we implemented a prototype of LibrettOS using rump kernels, allowing us to reuse existent, hardened NetBSD device drivers and a large ecosystem of POSIX/BSD-compatible applications. We use hardware (VM) virtualization to strongly isolate different rump kernel instances from each other. Because the original rumprun unikernel targeted a much simpler model for uniprocessor systems, we redesigned it to support multicore systems. Unlike kernel-bypass libraries such as DPDK, applications need not be modified to benefit from direct hardware access. LibrettOS also supports indirect access through a network server that we have developed. Applications remain uninterrupted even when network components fail or need to be upgraded. Finally, to efficiently use hardware resources, applications can dynamically switch between the indirect and direct modes based on their I/O load at run-time. [full abstract is in the paper]

Operating Systems

Yongxuan Xu,Xianglan Chen,Hua-Ping Chen,Huang Wang

DOI: https://doi.org/10.1007/978-3-642-41674-3_121

2014-01-01

Abstract:In this paper, we propose a way to implement the cross-platform system-level virtual layer in Linux kernel to achieve a higher performance, because, the virtual layer can be supported directly by the operating system and can directly interact with the real hardware without the performance cost of virtual device and user-space. As an example, QEMU1 is embedded into the Linux kernel. The tests show that the performance of kernelized-QEMU is better than QEMU.

Filipe Manco,Costin Lupu,Florian Schmidt,Jose Mendes,Simon Kuenzer,Sumit Sati,Kenichi Yasukata,Costin Raiciu,Felipe Huici

DOI: https://doi.org/10.1145/3132747.3132763

2017-10-14

Abstract:Containers are in great demand because they are lightweight when compared to virtual machines. On the downside, containers offer weaker isolation than VMs, to the point where people run containers in virtual machines to achieve proper isolation. In this paper, we examine whether there is indeed a strict tradeoff between isolation (VMs) and efficiency (containers). We find that VMs can be as nimble as containers, as long as they are small and the toolstack is fast enough. We achieve lightweight VMs by using unikernels for specialized applications and with Tinyx, a tool that enables creating tailor-made, trimmed-down Linux virtual machines. By themselves, lightweight virtual machines are not enough to ensure good performance since the virtualization control plane (the toolstack) becomes the performance bottleneck. We present LightVM, a new virtualization solution based on Xen that is optimized to offer fast boot-times regardless of the number of active VMs. LightVM features a complete redesign of Xen's control plane, transforming its centralized operation to a distributed one where interactions with the hypervisor are reduced to a minimum. LightVM can boot a VM in 2.3ms, comparable to fork/exec on Linux (1ms), and two orders of magnitude faster than Docker. LightVM can pack thousands of LightVM guests on modest hardware with memory and CPU usage comparable to that of processes.

Huang Wang,Xianglan Chen,Huaping Chen

DOI: https://doi.org/10.1007/s10766-015-0379-0

2015-01-01

International Journal of Parallel Programming

Abstract:Cross instruction-set-architecture (cross-ISA) virtual machine is the core technology to many important applications. However, traditional cross-ISA virtual machines have encountered several bottlenecks: (1) they cannot effectively utilize the host machine's peripheral hardware, (2) the utilization ratio of CPU for traditional virtual machines is low, (3) it is difficult to debug traditional cross-ISA virtual machines and (4) the traditional virtual machine emulates multicore processor sequentially. To solve these problems, a retargetable and high-performance system xKEMU is proposed in this paper. By reusing QEMU (Bellard in QEMU, a fast and portable dynamic translator. In: USENIX Annual Technical Conference, FREENIX Track, 2005) and Linux kernel (www.kernel.org, 2015) as components, xKEMU could improve QEMU performance by a factor of about 1.24x on integer and memory performance for x86-64 to x86 emulation. The performance of virtual devices is also enhanced due to pass-through in the emulation of peripheral devices.