DeepAI AI Chat
Log In Sign Up

FlexOS: Towards Flexible OS Isolation

12/13/2021
by   Hugo Lefeuvre, et al.
0

At design time, modern operating systems are locked in a specific safety and isolation strategy that mixes one or more hardware/software protection mechanisms (e.g. user/kernel separation); revisiting these choices after deployment requires a major refactoring effort. This rigid approach shows its limits given the wide variety of modern applications' safety/performance requirements, when new hardware isolation mechanisms are rolled out, or when existing ones break. We present FlexOS, a novel OS allowing users to easily specialize the safety and isolation strategy of an OS at compilation/deployment time instead of design time. This modular LibOS is composed of fine-grained components that can be isolated via a range of hardware protection mechanisms with various data sharing strategies and additional software hardening. The OS ships with an exploration technique helping the user navigate the vast safety/performance design space it unlocks. We implement a prototype of the system and demonstrate, for several applications (Redis/Nginx/SQLite), FlexOS' vast configuration space as well as the efficiency of the exploration technique: we evaluate 80 FlexOS configurations for Redis and show how that space can be probabilistically subset to the 5 safest ones under a given performance budget. We also show that, under equivalent configurations, FlexOS performs similarly or better than several baselines/competitors.

READ FULL TEXT

page 3

page 5

page 9

12/04/2020

Efficient Sealable Protection Keys for RISC-V

With the continuous increase in the number of software-based attacks, th...
11/21/2021

Domain Page-Table Isolation

Modern applications often consist of different security domains that req...
01/03/2019

XOS: An Application-Defined Operating System for Data Center Servers

Rapid growth of datacenter (DC) scale, urgency of cost control, increasi...
09/06/2020

Secure Memory Management on Modern Hardware

Almost all modern hardware, from phone SoCs to high-end servers with acc...
01/31/2023

MOAT: Towards Safe BPF Kernel Extension

The Linux kernel makes considerable use of Berkeley Packet Filter (BPF) ...
09/01/2022

Towards Assessing Isolation Properties in Partitioning Hypervisors

Partitioning hypervisor solutions are becoming increasingly popular, to ...
11/16/2017

A Design-Time/Run-Time Application Mapping Methodology for Predictable Execution Time in MPSoCs

Executing multiple applications on a single MPSoC brings the major chall...