TY - GEN
T1 - VirtuOS
T2 - 24th ACM Symposium on Operating Systems Principles, SOSP 2013
AU - Nikolaev, Ruslan
AU - Back, Godmar
PY - 2013
Y1 - 2013
N2 - Most operating systems provide protection and isolation to user processes, but not to critical system components such as device drivers or other system code. Consequently, failures in these components often lead to system failures. VirtuOS is an operating system that exploits a new method of decomposition to protect against such failures. VirtuOS exploits virtualization to isolate and protect vertical slices of existing OS kernels in separate service domains. Each service domain represents a partition of an existing kernel, which implements a subset of that kernel's functionality. Unlike competing solutions that merely isolate device drivers, or cannot protect from malicious and vulnerable code, VirtuOS provides full protection of isolated system components. VirtuOS's user library dispatches system calls directly to service domains using an exceptionless system call model, avoiding the cost of a system call trap in many cases. We have implemented a prototype based on the Linux kernel and Xen hypervisor. We demonstrate the viability of our approach by creating and evaluating a network and a storage service domain. Our prototype can survive the failure of individual service domains while outperforming alternative approaches such as isolated driver domains and even exceeding the performance of native Linux for some multithreaded workloads. Thus, VirtuOS may provide a suitable basis for kernel decomposition while retaining compatibility with existing applications and good performance.
AB - Most operating systems provide protection and isolation to user processes, but not to critical system components such as device drivers or other system code. Consequently, failures in these components often lead to system failures. VirtuOS is an operating system that exploits a new method of decomposition to protect against such failures. VirtuOS exploits virtualization to isolate and protect vertical slices of existing OS kernels in separate service domains. Each service domain represents a partition of an existing kernel, which implements a subset of that kernel's functionality. Unlike competing solutions that merely isolate device drivers, or cannot protect from malicious and vulnerable code, VirtuOS provides full protection of isolated system components. VirtuOS's user library dispatches system calls directly to service domains using an exceptionless system call model, avoiding the cost of a system call trap in many cases. We have implemented a prototype based on the Linux kernel and Xen hypervisor. We demonstrate the viability of our approach by creating and evaluating a network and a storage service domain. Our prototype can survive the failure of individual service domains while outperforming alternative approaches such as isolated driver domains and even exceeding the performance of native Linux for some multithreaded workloads. Thus, VirtuOS may provide a suitable basis for kernel decomposition while retaining compatibility with existing applications and good performance.
UR - http://www.scopus.com/inward/record.url?scp=84889664785&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84889664785&partnerID=8YFLogxK
U2 - 10.1145/2517349.2522719
DO - 10.1145/2517349.2522719
M3 - Conference contribution
AN - SCOPUS:84889664785
SN - 9781450323888
T3 - SOSP 2013 - Proceedings of the 24th ACM Symposium on Operating Systems Principles
SP - 116
EP - 132
BT - SOSP 2013 - Proceedings of the 24th ACM Symposium on Operating Systems Principles
Y2 - 3 November 2013 through 6 November 2013
ER -