Kite: Lightweight Critical Service Domains

A. K.M. Fazla Mehrab, Ruslan Nikolaev, Binoy Ravindran

Research output: Chapter in Book/Report/Conference proceedingConference contribution

5 Scopus citations

Abstract

Converged multi-level secure (MLS) systems, such as Qubes OS or SecureView, heavily rely on virtualization and service virtual machines (VMs). Traditionally, driver domains-isolated VMs that run device drivers-and daemon VMs use full-blown general-purpose OSs. It seems that specialized lightweight OSs, known as unikernels, would be a better fit for those. Surprisingly, to this day, driver domains can only be built from Linux. We discuss how unikernels can be beneficial in this context-they improve security and isolation, reduce memory overheads, and simplify software configuration and deployment. We specifically propose to use unikernels that borrow device drivers from existing general-purpose OSs. We present Kite which implements network and storage unikernel-based VMs and serve two essential classes of devices. We compare our approach against Linux using a number of typical micro-and macrobenchmarks used for networking and storage. Our approach achieves performance similar to that of Linux. However, we demonstrate that the number of system calls and ROP gadgets can be greatly reduced with our approach compared to Linux. We also demonstrate that our approach has resilience to an array of CVEs (e.g., CVE-2021-35039, CVE-2016-4963, and CVE-2013-2072), smaller image size, and improved startup time. Finally, unikernelizing is doable for the remaining (non-driver) service VMs as evidenced by our unikernelized DHCP server.

Original languageEnglish (US)
Title of host publicationEuroSys 2022 - Proceedings of the 17th European Conference on Computer Systems
PublisherAssociation for Computing Machinery, Inc
Pages384-401
Number of pages18
ISBN (Electronic)9781450391627
DOIs
StatePublished - Mar 28 2022
Event17th European Conference on Computer Systems, EuroSys 2022 - Rennes, France
Duration: Apr 5 2022 → …

Publication series

NameEuroSys 2022 - Proceedings of the 17th European Conference on Computer Systems

Conference

Conference17th European Conference on Computer Systems, EuroSys 2022
Country/TerritoryFrance
CityRennes
Period4/5/22 → …

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
  • Control and Systems Engineering

Fingerprint

Dive into the research topics of 'Kite: Lightweight Critical Service Domains'. Together they form a unique fingerprint.

Cite this