MultiK: A Framework for Orchestrating Multiple Specialized Kernels
We present, MultiK, a Linux-based framework 1 that reduces the attack surface for operating system kernels by reducing code bloat. MultiK "orchestrates" multiple kernels that are specialized for individual applications in a transparent manner. This framework is flexible to accommodate different kernel code reduction techniques and, most importantly, run the specialized kernels with near-zero additional runtime overheads. MultiK avoids the overheads of virtualization and runs natively on the system. For instance, an Apache instance is shown to run on a kernel that has (a) 93.68 (b) 19 of 23 known kernel vulnerabilities eliminated and (c) with negligible performance overheads (0.19 existing code reduction and OS security techniques. We demonstrate this by using D-KUT and S-KUT – two methods to profile and eliminate unwanted kernel code. The whole process is transparent to the user applications because MultiK does not require a recompilation of the application.
READ FULL TEXT