From: Alyssa Ross
To: discuss@spectrum-os.org
Subject: Paper review: FlexOS
Date: Mon, 03 Jan 2022 15:08:23 +0000
Message-ID: <87h7ak6emw.fsf@alyssa.is>
List-Id: General high-level discussion about Spectrum

Earlier I was sent a link to a paper called "FlexOS: Towards Flexible OS Isolation"[1]. I thought the paper was great and subscribers to this list might be interested in it and what I thought about it.

Like Spectrum, FlexOS is an operating system focused on compartmentalization, but it takes a very different approach. It's a library operating system (LibOS, also known as a unikernel). These operating systems are linked with a single program, and produce an operating system that only runs that single program. This can make for very efficient VMs. As a result, FlexOS isn't about isolation between programs, like Spectrum is, but instead tries to introduce isolation within a single program, generally at library boundaries. Therefore, Spectrum and FlexOS are highly complementary.

FlexOS can use several different isolation strategies, including running different libraries in different VMs. Naturally there's a big performance overhead to this, but amazingly, it seems like it can be on par with running the program normally on Linux, because the baseline performance is so much faster running on a unikernel than on Linux (not even in a VM AFAICT). Of a SQLite benchmark, the paper says:

  "Somewhat surprisingly, FlexOS with EPT2 [libraries in different VMs] performs almost identically to Linux. This is because the syscall latency is almost identical to the EPT2 gate latency on this system".

Another inspired part of this paper is "Exploration with Partial Safety Ordering". I don't want to go into too much detail about this because the paper does such a good job of explaining it, but essentially you can give FlexOS a performance budget and a benchmark, and it will identify for you five or so of the best security configurations that meet your performance needs, across different combinations of isolation primitive, software hardening, etc.
The biggest limitation I can see to FlexOS is that it is based on C source code transformations. Programs need to be specifically ported to it (although it seems like porting an individual program isn't too hard as long as it has good test coverage), and I don't know how easy it would be to integrate with another language. But it's definitely something to keep an eye on that could be useful if we ever find ourselves with a big C program doing important work in Spectrum.

The use cases presented in the paper are quite compelling, especially the one about isolating exploitable libraries. And unikernels more generally are definitely worth keeping in mind if the performance results in this paper are anything to go by, although A Linux in Unikernel Clothing[2] is an interesting counterpoint.

Finally, a reminder that I collect interesting papers, blog posts, talks etc. in the Spectrum bibliography[3], where I've just added a link to this paper. If you come across interesting stuff like this that might be relevant to my work, please send it my way!
[1]: https://arxiv.org/abs/2112.06566
[2]: https://doi.org/10.1145/3342195.3387526
[3]: https://spectrum-os.org/bibliography.html
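The "Exploration with Partial Safety Ordering" idea mentioned in the message (a performance budget plus a benchmark in, a handful of incomparable "safest" configurations out) is easiest to see on a toy instance. The following is an added illustration, not code from the FlexOS paper or from Spectrum, and it does not reproduce FlexOS's actual search: the isolation primitives (`none`, `mpk`, `ept`), the hardening options, and every millisecond figure are constructed assumptions. What it does show is why a *partial* order matters: configurations that trade a stronger isolation primitive for more software hardening are incomparable, so the search returns every non-dominated configuration that fits the budget rather than a single "best" one.

```python
from dataclasses import dataclass
from itertools import combinations

# --- Constructed inputs (assumptions for illustration, not numbers from the paper) ---

# Hypothetical isolation primitive per library boundary, ranked by strength.
ISOLATION_RANK = {"none": 0, "mpk": 1, "ept": 2}
# Hypothetical benchmark overhead in ms, added to a 1000 ms baseline run.
ISOLATION_COST_MS = {"none": 0, "mpk": 80, "ept": 200}
HARDENING_COST_MS = {"stack-protector": 20, "cfi": 50, "asan": 600}
BASELINE_MS = 1000


@dataclass(frozen=True)
class Config:
    isolation: str         # key of ISOLATION_RANK
    hardening: frozenset   # subset of HARDENING_COST_MS keys
    cost_ms: int           # constructed benchmark result for this configuration


def all_configs():
    """Enumerate every (isolation primitive, hardening subset) pair with its cost."""
    names = sorted(HARDENING_COST_MS)
    configs = []
    for iso in ISOLATION_RANK:
        for k in range(len(names) + 1):
            for subset in combinations(names, k):
                cost = BASELINE_MS + ISOLATION_COST_MS[iso] + sum(
                    HARDENING_COST_MS[h] for h in subset
                )
                configs.append(Config(iso, frozenset(subset), cost))
    return configs


def at_least_as_safe(a, b):
    """Partial safety order: a >= b iff its isolation is no weaker AND its
    hardening set is a superset. Configurations that win on one axis and
    lose on the other are incomparable, which is the whole point."""
    return (
        ISOLATION_RANK[a.isolation] >= ISOLATION_RANK[b.isolation]
        and a.hardening >= b.hardening
    )


def strictly_safer(a, b):
    return at_least_as_safe(a, b) and not at_least_as_safe(b, a)


def safest_within_budget(configs, budget_ms):
    """Keep configurations that meet the budget and are not strictly dominated
    by another feasible configuration; i.e. the maximal elements of the
    partial order restricted to the feasible set, cheapest first."""
    feasible = [c for c in configs if c.cost_ms <= budget_ms]
    maximal = [
        c for c in feasible
        if not any(strictly_safer(other, c) for other in feasible)
    ]
    return sorted(maximal, key=lambda c: c.cost_ms)


if __name__ == "__main__":
    # With a 1260 ms budget, EPT + full hardening (1270 ms) is just out of reach,
    # so three incomparable configurations survive.
    for c in safest_within_budget(all_configs(), 1260):
        print(c.isolation, sorted(c.hardening), c.cost_ms)
```

Raising the budget until the strongest combination becomes affordable collapses the result to that single configuration, which is what you would expect from a total order; the interesting output only appears when the budget forces a trade-off between the axes.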