Microkernel and Component-based OS
Mitigating Processor Vulnerabilities by Restructuring the Kernel Address Space
<p>In this talk, I will present a new Spectre/Meltdown mitigation that I have prototyped for the Hedron microhypervisor. This prototype has also been used to quantify the runtime overhead of the proposed mitigation.</p>
Processor-level vulnerabilities, such as Meltdown and Spectre v1/v2, allow attackers in userspace to leak information from the kernel address space. This is particularly devastating for kernel designs where the kernel address space is identical for all processes and thus allows the attacker to break the system's confidentiality boundaries.
Previous mitigation attempts, such as kernel page-table isolation (formerly KAISER) for Meltdown and various branch predictor/speculation barriers for Spectre v1/v2, introduce costly instructions into performance critical parts of the operating system kernel. Especially mitigations related to the branch predictor are only possible if the CPU vendor has exposed special functionality.
During the last six months I investigated an alternative mitigation strategy on the kernel design level that shows good mitigation properties, but adds negligible runtime overhead. This alternative mitigation involves moving process-related information in the kernel into a process-local part of the kernel address space. A userspace attacker that can infer the content of its associated kernel page table can thus only read information about its own process. Switching between these kernel address spaces is done as part of the normal address space switch when a thread in a different process is scheduled and thus comes with no additional cost.
Additional information
| Type | devroom |
|---|
More sessions
| 2/5/22 |
<p>Welcome talk and introduction to the Microkernel and Component-based OS devroom at FOSDEM 2022.</p>
|
| 2/5/22 |
<p>Concurrent code is hard to get right, but at the same time also hard to test. It gets worse when hardware interaction is required. This leads to a comparatively poor culture of unit testing in kernel code, where both come together.</p> <p>In this talk, I’m going to highlight one particular method of unit testing the page table manipulation code in Hedron, a microkernel written in C++ specially geared towards virtualization workloads. This code safely modifies page tables that are ...
|
| 2/5/22 |
<p>GNU/Hurd is the original Free Software operating system started in the 1980s. Its microkernel design has been evolving over the years and the project has not quite hit mainstream use. I believe this is due to one main reason: the lack of drivers for peripherals and hardware. In this talk, I explain how NetBSD kernel drivers have been reused in a microkernel setting and demonstrate their use to boot up a GNU/Hurd system via a userspace rump disk driver, with a driverless Hurd kernel, gnumach. ...
|
| 2/5/22 |
<p>Driven by the vision of a truly trustworthy smartphone, I dedicated the past year to bringing the component-based Genode OS to the Pinephone. The talk presents my experience story, touching on the hardware, booting, the porting of the kernel, component-architecture concerns, and device drivers.</p>
|
| 2/5/22 |
<p>In this talk, we explore the design of Managarm's microkernel. Managarm is a pragmatic microkernel-based OS with a focus on asynchronous operations. The talk covers various aspects of the microkernel, such as its IPC model, resource management, and user space API. Managarm's microkernel employs a capability-based design to manage hardware resources. In contrast to current mainstream OSes, Managarm's system calls never block but report completion asynchronously whenever possible. This includes ...
|
| 2/5/22 |
<p>Unikernels are hard to debug? Unikernels cannot be easily administrated or monitored? While unikernels have the potential to revolutionize our infrastructures and take cloud computing into the next era, many worry that unikernels cannot be seamlessly integrated into today’s development and production workflows. At the Unikraft team, we are heavily working on addressing these concerns and changing the status quo. Although unikernels are monolithic bundles of only necessary kernel functions ...
|
| 2/5/22 |
<p>Serverless computing facilitates the use of resources without the burden of administering and maintaining infrastructure. The simplification of IaaS appears ideal (in theory) but providers and users are presented with several challenges: providers aim to reduce infrastructure maintenance overheads; users require isolation, flexibility and programming freedom.</p> <p>Serverless deployments are mostly backed by sandboxed containers. To enable programming freedom for users, providers allow the ...
|
