S Lab

[Sibin Mohan]

Systems Security Research Group at GWU and University of Illinois


MultiK

a novel framework for multiplexing multiple operating system (OS) kernels, especially for container-based systems.

Team Members:

Collaborators:


Motivation

In a production setting, the go-to method for a developer to deploy an application is to install a minimal configuration provided by a standard distribution out of the box like a minimal-ubuntu-server. This configuration produces a kernel which is 22MB large. Let us consider a popular application stack, e.g a LAMP stack, which consists of linux, apache2, mysql and a php application. From our observations we see that for any given application on an average only about 2MB(~10%) of the entire kernel is actually used. Effectively exposing the remaining 90% to attacks.

We could reduce this attack surface by specializing the kernel for all applications together on a single kernel.

We can specialize kernels for applications. We need a framework to run these kernels together with near zero overhead.

MultiK is such a system which is composed by a kernel0 and multiple specialized kernels. Kernel0 is a generic kernel which is responsible for managing specialized kernels.

Funding

This project is supported by a grant from the Office of Naval Reserach (ONR).

News