Earlier I was sent a link to a paper called "FlexOS: Towards Flexible OS
Isolation". I thought the paper was great and subscribers to this
list might be interested in it and what I thought about it.
Like Spectrum, FlexOS is an operating system focused on
compartmentalization, but it takes a very different approach. It's a
library operating system (LibOS, also known as a unikernel). These
operating systems are linked with a single program, and produce an
operating system that only runs that single program. This can make for
very efficient VMs. As a result, FlexOS isn't about isolation between
programs, like Spectrum is, but instead tries to introduce isolation
within a single program, generally at library boundaries. Therefore,
Spectrum and FlexOS are highly complementary.
FlexOS can use several different isolation strategies, including running
different libraries in different VMs. Naturally there's a big
performance overhead to this but amazingly, it seems like it can be on
par with running the program normally on Linux, because the baseline
performance is so much faster running on a unikernel than on Linux (not
even in a VM AFAICT). Of a SQLite benchmark, the paper says: "Somewhat
surprisingly, FlexOS with EPT2 [libraries in different VMs] performs
almost identically to Linux. This is because the syscall latency is
almost identical to the EPT2 gate latency on this system".
Another inspired part of this paper is "Exploration with Partial Safety
Ordering". I don't want to go into too much detail about this because
the paper does such a good job of explaining it, but essentially you can
give FlexOS a performance budget and a benchmark, and it will identify
for you five or so of the best security configurations that meet your
performance needs, across different combinations of isolation primitive,
software hardening, etc.
The biggest limitation I can see to FlexOS is that it is based on C
source code transformations. Programs need to be specifically ported to
it (although it seems like porting an individual program isn't too hard
as long as it has good test coverage), and I don't know how easy it
would be to integrate with another language. But it's definitely
something to keep an eye on that could be useful if we ever find
ourselves with a big C program doing important work in Spectrum. The
use cases presented in the paper are quite compelling, especially the
one about isolating exploitable libraries. And unikernels more
generally are definitely worth keeping in mind if the performance
results in this paper are anything to go by, although A Linux in
Unikernel Clothing is an interesting counterpoint.
Finally, reminder that I collect interesting papers, blog posts, talks
etc. in the Spectrum bibliography, where I've just added a link to
this paper. If you come across interesting stuff like this that might
be relevant to my work, please send it my way!