2016 OSDI Light-weight Contexts: An OS Abstraction for Safety and Performance

light-weight Context (lwC)

A first-class OS abstraction that extends the POSIX API; the paper also presents common coding patterns demonstrating its different uses.

A process may contain multiple lwCs, each with its own virtual memory mappings, file descriptor bindings, and credentials; these resources can also be selectively shared between lwCs.

lwCs are not schedulable entities: they are completely orthogonal to threads that may execute within a process.

A thread may start in lwC a, then invoke a system call to switch to lwC b.

The lwC switch atomically changes the VM mappings, file table entries, permissions, and the instruction and stack pointers of the thread.

Multiple threads may execute simultaneously within the same lwC.

lwCs maintain per-thread state to ensure a thread that enters an lwC resumes at the point where it was created or last switched out of the lwC. (?? in this case, is the thread scheduled out, or ...?)

A range of new in-process capabilities:

  • fast roll-back;
  • protection rings (by credential restriction);
  • session isolation;
  • protected compartments (using VM and resource mappings).

These can be used to:

  • implement efficient in-process reference monitors to check security invariants;
  • isolate components of an app that deal with encryption keys or other private information;
  • efficiently roll back the process state.

Evaluation

Session isolation in production web servers, both process-oriented (Apache, via roll-back) and event-driven (nginx, via memory isolation).

  • Efficient snapshotting to provide session isolation on web-based applications using a PHP-based MVC application on nginx.
  • Create isolated data compartments within a process to render sensitive data (such as private keys) immune to external attacks, in cryptographic libraries such as OpenSSL.
  • Implement in-process reference monitors, again for industrial-scale servers such as Apache and nginx, that can introspect on system calls and memory.

Evaluate lwCs using a range of micro-benchmarks and application scenarios.

Related work

Wedge [^c5]: sthreads.

Shreds [^c9]: memory domains in ARM CPUs, with compiler support and kernel support.

SpaceJMP [^c12]: address spaces are first-class objects separate from processes. Used to address memory larger than the available virtual address bits and to maintain pointer-based data structures beyond process lifetime; does not support isolation or privilege separation within a process.

Dune [^c4], provides a kernel module API,

Reference

  1. James Litton, Anjo Vahldiek-Oberwagner, Eslam Elnikety, Deepak Garg, Bobby Bhattacharjee, and Peter Druschel. Light-weight Contexts: An OS Abstraction for Safety and Performance. OSDI. 2016.
Created Feb 27, 2020 // Last Updated Dec 19, 2020
