How to run POSIX apps in a minimal picoprocess
Abstract We envision a future where Web, mobile, and desktop applications are delivered as isolated, complete software stacks to a minimal, secure client host. This shift imbues app vendors with full autonomy to maintain their apps' integrity. Achieving this goal requires shifting complex behavior out of the client platform and into the vendors' isolated apps. We ported rich, interactive POSIX apps, such as Gimp and Inkscape, to a spartan host platform. We describe this effort in sufficient detail to support reproducibility
Loupe: Driving the Development of OS Compatibility Layers
Supporting mainstream applications is fundamental for a new OS to have
impact. It is generally achieved by developing a layer of compatibility
allowing applications developed for a mainstream OS like Linux to run
unmodified on the new OS. Building such a layer, as we show, results in large
engineering inefficiencies due to the lack of efficient methods to precisely
measure the OS features required by a set of applications.
We propose Loupe, a novel method based on dynamic analysis that determines
the OS features that need to be implemented in a prototype OS to bring support
for a target set of applications and workloads. Loupe guides and boosts OS
developers as they build compatibility layers, prioritizing which features to
implement in order to quickly support many applications as early as possible.
We apply our methodology to 100+ applications and several OSes currently under
development, demonstrating high engineering effort savings vs. existing
approaches: for example, for the 62 applications supported by the OSv kernel,
we show that using Loupe, would have required implementing only 37 system calls
vs. 92 for the non-systematic process followed by OSv developers.
We study our measurements and extract novel key insights. Overall, we show
that the burden of building compatibility layers is significantly less than
what previous works suggest: in some cases, only as few as 20% of system calls
reported by static analysis, and 50% of those reported by naive dynamic
analysis need an implementation for an application to successfully run standard
benchmarks.
Comment: Accepted to appear at ASPLOS'24 (https://www.asplos-conference.org/asplos2024/)
Jitsu: Just-in-time summoning of unikernels
Network latency is a problem for all cloud services. It can be mitigated by moving computation out of remote datacenters by rapidly instantiating local services near the user. This requires an embedded cloud platform on which to deploy multiple applications securely and quickly. We present Jitsu, a new Xen toolstack that satisfies the demands of secure multi-tenant isolation on resource-constrained embedded ARM devices. It does this by using unikernels: lightweight, compact, single address space, memory-safe virtual machines (VMs) written in a high-level language. Using fast shared memory channels, Jitsu provides a directory service that launches unikernels in response to network traffic and masks boot latency. Our evaluation shows Jitsu to be a power-efficient and responsive platform for hosting cloud services in the edge network while preserving the strong isolation guarantees of a type-1 hypervisor.
The research leading to these results received funding from the European Union's Seventh Framework Programme FP7/2007–2013 under the Trilogy 2 project (grant agreement no. 317756), and the User Centric Networking project (grant agreement no. 611001), and the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), under contract FA8750-11-C-0249.
This is the author accepted manuscript. The final version is available from USENIX via https://www.usenix.org/conference/nsdi15/technical-sessions/presentation/madhavapedd
LibrettOS: A Dynamically Adaptable Multiserver-Library OS
We present LibrettOS, an OS design that fuses two paradigms to simultaneously
address issues of isolation, performance, compatibility, failure
recoverability, and run-time upgrades. LibrettOS acts as a microkernel OS that
runs servers in an isolated manner. LibrettOS can also act as a library OS
when, for better performance, selected applications are granted exclusive
access to virtual hardware resources such as storage and networking.
Furthermore, applications can switch between the two OS modes with no
interruption at run-time. LibrettOS has a uniquely distinguishing advantage in
that the two paradigms seamlessly coexist in the same OS, enabling users to
simultaneously exploit their respective strengths (i.e., greater isolation,
high performance). Systems code, such as device drivers, network stacks, and
file systems remain identical in the two modes, enabling dynamic mode switching
and reducing development and maintenance costs.
To illustrate these design principles, we implemented a prototype of
LibrettOS using rump kernels, allowing us to reuse existing, hardened NetBSD
device drivers and a large ecosystem of POSIX/BSD-compatible applications. We
use hardware (VM) virtualization to strongly isolate different rump kernel
instances from each other. Because the original rumprun unikernel targeted a
much simpler model for uniprocessor systems, we redesigned it to support
multicore systems. Unlike kernel-bypass libraries such as DPDK, applications
need not be modified to benefit from direct hardware access. LibrettOS also
supports indirect access through a network server that we have developed.
Applications remain uninterrupted even when network components fail or need to
be upgraded. Finally, to efficiently use hardware resources, applications can
dynamically switch between the indirect and direct modes based on their I/O
load at run-time.
[full abstract is in the paper]
Comment: 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE '20), March 17, 2020, Lausanne, Switzerland
Righting Web Development
The web browser is the most important application runtime today, encompassing all types of applications on practically every Internet-connected device. Browsers power complete office suites, media players, games, and augmented and virtual reality experiences, and they integrate with cameras, microphones, GPSes, and other sensors available on computing devices. Many apparently native mobile and desktop applications are secretly hybrid apps that contain a mix of native and browser code. History has shown that when new devices, sensors, and experiences appear on the market, the browser will evolve to support them.
Despite the browser's importance, developing web applications is exceedingly difficult. Web browsers organically evolved from a document viewer into a ubiquitous program runtime. The browser's scripting language for web designers, JavaScript, has grown into the only universally supported programming language in the browser. Unfortunately, JavaScript is notoriously difficult to write and debug. The browser's high-level and event-driven I/O interfaces make it easy to add simple interactions to webpages, but these same interfaces lead to nondeterministic bugs and performance issues in larger applications. These bugs are challenging for developers to reason about and fix.
This dissertation revisits web development and provides developers with a complete set of development tools with full support for the browser environment. McFly is the first time-traveling debugger for the browser, and lets developers debug web applications and their visual state during time-travel; components of this work shipped in Microsoft's ChakraCore JavaScript engine. BLeak is the first system for automatically debugging memory leaks in web applications, and provides developers with a ranked list of memory leaks along with the source code responsible for them. BCause constructs a causal graph of a web application's events, which helps developers understand their code's behavior. Doppio lets developers run code written in conventional languages in the browser, and Browsix brings Unix into the browser to enable unmodified programs expecting a Unix-like environment to run directly in the browser. Together, these five systems form a solid foundation for web development
Securing unikernels in cloud infrastructures
PhD Thesis
Cloud computing adoption has seen an increase during the last few years. However, cloud tenants are still concerned about the security that the Cloud Service Provider (CSP) offers. Recent security incidents in cloud infrastructures that exploit vulnerabilities in the software layer highlight the need to develop new protection mechanisms. A recent direction in cloud computing is toward massive consolidation of resources by using lightweight Virtual Machines (VMs) called unikernels. Unikernels are specialised VMs that eliminate the Operating System (OS) layer and include the advantages of small footprint, minimal attack surface, near-instant boot times and multi-platform deployment. Even though using unikernels has certain advantages, unikernels have a number of shortcomings. First, unikernels do not employ context switching from user to kernel mode. A malicious user could exploit this shortcoming to escape the isolation boundaries that the hypervisor provides. Second, having a large number of unikernels in a single virtualised host creates complex security policies that are difficult to manage and can introduce exploitable misconfigurations. Third, malicious insiders, such as disgruntled system administrators, can use privileged software to exfiltrate data from unikernels. In this thesis, we divide our research into two parts, concerning the development of software- and hardware-based protection mechanisms for cloud infrastructures that focus on unikernels. In each part, we propose a new protection mechanism for cloud infrastructures where tenants develop their workloads using unikernels.
In the first part, we propose a software-based protection mechanism that controls access to resources, which results in creating least-privileged unikernels. Current access-control mechanisms that reside in hypervisors do not confine unikernels to accepted behaviour and are susceptible to privilege escalation and Virtual Machine escape attacks. Therefore, current hypervisors need to take into account the possibility of having one or more malicious unikernels and rethink their access-control mechanisms. We designed and implemented VirtusCap, a capability-based access-control mechanism that acts as a lower layer regulating access to resources in cloud infrastructures. Consequently, unikernels are only assigned the privileges required to perform their task. This ensures that the access-control mechanism that resides in the hypervisor will only grant access to resources specified with capabilities. In addition, capabilities are easier to delegate to other unikernels when they need to, and the security policies are less complex. Our performance evaluation shows that up to a request rate of 7000 req/sec our prototype's response time is identical to XSM-Flask.
In the second part, we address the following problem: how to guarantee the confidentiality and integrity of computations executing in a unikernel even in the presence of privileged software used by malicious insiders? A research prototype called UniGuard was designed and implemented, which aims to protect unikernels from an untrusted cloud by executing the sensitive computations inside secure enclaves. This approach provides confidentiality and integrity guarantees for unikernels against software and certain physical attacks. We show how we integrated Intel SGX with unikernels and added the ability to spawn enclaves that execute the sensitive computations. We conduct experiments to evaluate the performance of UniGuard, which show that UniGuard exhibits acceptable performance overhead in comparison to when the sensitive computations are not executed inside an enclave. To the best of our knowledge, UniGuard is the first solution that protects the confidentiality and integrity of computations that execute inside unikernels using Intel SGX.
Currently, unikernels drive the next generation of virtualisation software and especially the cooperation with other virtualisation technologies, such as containers, to form hybrid virtualisation workloads. Thus, it is paramount to scrutinise the security of unikernels in cloud infrastructures and propose novel protection mechanisms that will drive the next cloud evolution.