FlexOS: Towards Flexible OS Isolation

Hugo Lefeuvre, Vlad-Andrei Bădoiu, Alexander Jung, Ștefan Teodorescu, Sebastian Rauch, Felipe Huici, Costin Raiciu, Pierre Olivier

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review


Abstract

At design time, modern operating systems are locked into a specific safety and isolation strategy that mixes one or more hardware/software protection mechanisms (e.g. user/kernel separation); revisiting these choices after deployment requires a major refactoring effort. This rigid approach shows its limits given the wide variety of modern applications' safety/performance requirements, when new hardware isolation mechanisms are rolled out, or when existing ones break.

We present FlexOS, a novel OS allowing users to easily specialize the safety and isolation strategy of an OS at compilation/deployment time instead of design time. This modular LibOS is composed of fine-grained components that can be isolated via a range of hardware protection mechanisms with various data sharing strategies and additional software hardening. The OS ships with an exploration technique helping the user navigate the vast safety/performance design space it unlocks. We implement a prototype of the system and demonstrate, for several applications (Redis/Nginx/SQLite), FlexOS' vast configuration space as well as the efficiency of the exploration technique: we evaluate 80 FlexOS configurations for Redis and show how that space can be probabilistically subset to the 5 safest ones under a given performance budget. We also show that, under equivalent configurations, FlexOS performs similarly to or better than existing solutions which use fixed safety configurations.

CCS CONCEPTS
• Software and its engineering → Operating systems; • Security and privacy → Operating systems security.

KEYWORDS
Operating Systems, Security, Isolation
Original language: English
Title of host publication: ASPLOS 2022 - Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems
Editors: Babak Falsafi, Michael Ferdman, Shan Lu, Thomas F. Wenisch
Pages: 467-482
Number of pages: 16
ISBN (Electronic): 9781450392051
DOIs
Publication status: Published - 28 Feb 2022

Publication series

Name: International Conference on Architectural Support for Programming Languages and Operating Systems - ASPLOS

