Title
Intra-unikernel isolation with Intel memory protection keys
Abstract
Unikernels are minimal, single-purpose virtual machines. This new operating system model promises numerous benefits within many application domains in terms of lightweightness, performance, and security. Although the isolation between unikernels is generally recognized as strong, there is no isolation within a unikernel itself. This is due to the use of a single, unprotected address space, a basic principle of unikernels that provides their lightweightness and performance benefits. In this paper, we propose a new design that brings memory isolation inside a unikernel instance while keeping a single address space. We leverage Intel's Memory Protection Key to do so without impacting the lightweightness and performance benefits of unikernels. We implement our isolation scheme within an existing unikernel written in Rust and use it to provide isolation between trusted and untrusted components: we isolate (1) safe kernel code from unsafe kernel code and (2) kernel code from user code. Evaluation shows that our system provides such isolation with very low performance overhead. Notably, the unikernel with our isolation exhibits only 0.6% slowdown on a set of macro-benchmarks.
Year: 2020
DOI: 10.1145/3381052.3381326
Venue: VEE '20: 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments Lausanne Switzerland March, 2020
DocType: Conference
ISBN: 978-1-4503-7554-2
Citations: 0
PageRank: 0.34
References: 0
Authors: 4
Name              Order   Citations   PageRank
Mincheol Sung     1       0           0.68
Pierre Olivier    2       1           1.72
Stefan Lankes     3       152         26.39
Binoy Ravindran   4       1459        139.24