S Lab
[Sibin Mohan]
Systems Security Research Group at GWU and University of Illinois
MultiK
a novel framework for multiplexing multiple operating system (OS) kernels, especially for container-based systems.
Team Members:
Collaborators:
- Yeongjin Jang from Oregon State University
- Rakesh B. Bobba from Oregon State University
- David Lie from University of Toronto
- Akshith Gunasekaran from Oregon State University
Motivation
In a production setting, the go-to method for a developer to deploy an application is to install a minimal configuration provided by a standard distribution out of the box like a minimal-ubuntu-server. This configuration produces a kernel which is 22MB large. Let us consider a popular application stack, e.g a LAMP stack, which consists of linux, apache2, mysql and a php application. From our observations we see that for any given application on an average only about 2MB(~10%) of the entire kernel is actually used. Effectively exposing the remaining 90% to attacks.
We could reduce this attack surface by specializing the kernel for all applications together on a single kernel.
We can specialize kernels for applications. We need a framework to run these kernels together with near zero overhead.
MultiK is such a system which is composed by a kernel0 and multiple specialized kernels. Kernel0 is a generic kernel which is responsible for managing specialized kernels.
Funding
This project is supported by a grant from the Office of Naval Reserach (ONR).