Commodity applications contain more and more combinations of interacting components (user, application, library, and system) and exhibit increasingly diverse tradeoffs between isolation, performance, and programmability. We argue that the challenge of future runtime isolation is best met by embracing the multi-principal nature of applications and rethinking process architecture for fast and extensible intra-process isolation. We present the Endokernel, a new process model and security architecture that nests an extensible monitor into the standard process for building efficient least-authority abstractions. The Endokernel introduces a new virtual machine abstraction for representing subprocess authority, enforced by an efficient self-isolating monitor that maps the abstraction onto system-level objects (processes, threads, files, and signals). We show how the Endokernel can be used to develop specialized separation abstractions using an exokernel-like organization to provide virtual privilege rings, which we use to reorganize and secure NGINX. Our prototype includes a new syscall monitor, the nexpoline, and explores the tradeoffs of implementing it with diverse mechanisms, including Intel Control-flow Enforcement Technology (CET). Overall, we believe subprocess isolation is a must and that the Endokernel exposes an essential set of abstractions for realizing it in a simple and feasible way.