FlexOS: Towards Flexible OS Isolation
Creators
- 1. The University of Manchester
- 2. University Politehnica of Bucharest
- 3. Lancaster University
- 4. Karlsruhe Institute of Technology
- 5. NEC Laboratories Europe GmbH
Description
This artifact contains the source code of FlexOS, the proof of-concept of our flexible isolation approach presented at ASPLOS'22 ("FlexOS: Towards Flexible OS Isolation"), along with all scripts necessary to reproduce the paper’s measurements and plots. The goal of this artifact is to allow readers to reproduce the paper’s results, and build new research on top of FlexOS.
Abstract of the paper:
At design time, modern operating systems are locked in a specific safety and isolation strategy that mixes one or more hardware/software protection mechanisms (e.g. user/kernel separation); revisiting these choices after deployment requires a major refactoring effort. This rigid approach shows its limits given the wide variety of modern applications' safety/performance requirements, when new hardware isolation mechanisms are rolled out, or when existing ones break.
We present FlexOS, a novel OS allowing users to easily specialize the safety and isolation strategy of an OS at compilation/deployment time instead of design time. This modular LibOS is composed of fine-grained components that can be isolated via a range of hardware protection mechanisms with various data sharing strategies and additional software hardening. The OS ships with an exploration technique helping the user navigate the vast safety/performance design space it unlocks. We implement a prototype of the system and demonstrate, for several applications (Redis/Nginx/SQLite), FlexOS’ vast configuration space as well as the efficiency of the exploration technique: we evaluate 80 FlexOS configurations for Redis and show how that space can be probabilistically subset to the 5 safest ones under a given performance budget. We also show that, under equivalent configurations, FlexOS performs similarly or better than several baselines/competitors.
Notes
Files
Files
(38.1 MB)
Name | Size | Download all |
---|---|---|
md5:4ce0a98ba723bb1660004950171e5527
|
38.1 MB | Download |
Additional details
Related works
- Is described by
- Conference paper: arXiv:2112.06566 (arXiv)
Funding
- ACCORDION – Adaptive edge/cloud compute and network continuum over a heterogeneous sparse edge infrastructure to support nextgen applications 871793
- European Commission
- SCorCH : Secure Code for Capability Hardware EP/V000225/1
- UK Research and Innovation
- UniFaaS: A Unikernel-Based Serverless Operating System EP/V012134/1
- UK Research and Innovation
- CORNET – Provably Correct Networks 758815
- European Commission
- UNICORE – A Common Code Base and Toolkit for Deployment of Applications to Secure and Reliable Virtual Execution Environments 825377
- European Commission