Goldilocks Isolation: High Performance VMs with Edera
- URL: http://arxiv.org/abs/2501.04580v1
- Date: Wed, 08 Jan 2025 15:51:02 GMT
- Title: Goldilocks Isolation: High Performance VMs with Edera
- Authors: Marina Moore, Alex Zenla,
- Abstract summary: In containerization, multiple applications share the same kernel, reducing the runtime overhead. This has led to a proliferation of container escape attacks in which a kernel exploit lets an attacker escape the isolation of operating system virtualization. We present Edera, an optimized type 1 hypervisor that uses paravirtualization to improve the runtime of hypervisor virtualization.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Organizations run applications on cloud infrastructure shared between multiple users and organizations. Popular tooling for this shared infrastructure, including Docker and Kubernetes, supports such multi-tenancy through the use of operating system virtualization. With operating system virtualization (known as containerization), multiple applications share the same kernel, reducing the runtime overhead. However, this shared kernel presents a large attack surface and has led to a proliferation of container escape attacks in which a kernel exploit lets an attacker escape the isolation of operating system virtualization to access other applications or the operating system itself. To address this, some systems have proposed a return to hypervisor virtualization for stronger isolation between applications. However, no existing system has achieved both the isolation of hypervisor virtualization and the performance and usability of operating system virtualization. We present Edera, an optimized type 1 hypervisor that uses paravirtualization to improve the runtime of hypervisor virtualization. We illustrate Edera's usability and performance through two use cases. First, we create a container runtime compatible with Kubernetes that runs on the Edera hypervisor. This implementation can be used as a drop-in replacement for the Kubernetes runtime and is compatible with all the tooling in the Kubernetes ecosystem. Second, we use Edera to provide driver isolation for hardware drivers, including those for networking, storage, and GPUs. This use of isolation protects the hypervisor and other applications from driver vulnerabilities. We find that Edera has runtime comparable to Docker with 0.9% slower CPU speeds, an average of 3% faster system call performance, and memory performance 0-7% faster. It achieves this with a 648 millisecond increase in startup time from Docker's 177.4 milliseconds.
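The following is an added example, not code from the paper or from the Edera project. The abstract's security point is that a namespace-only container runs on the node's own kernel, so one kernel exploit reaches every tenant on that node, whereas a hypervisor-backed runtime gives the workload a kernel of its own. A cluster operator who swaps runtimes wants a check that the swap actually took effect, and the check below decides, from inside a pod, which of the two it is getting. It uses only files the pod can read plus the node's kernel release as the Kubernetes API reports it (`node.status.nodeInfo.kernelVersion`). The file paths and cgroup markers are standard Linux and Kubernetes ones; the sample observations are constructed for illustration, and nothing here describes what an Edera guest actually reports.

```python
"""Decide whether a pod shares the node's kernel or has a kernel of its own.

Added example (not the Edera paper's code). The hypervisor CPUID flag alone is
not decisive: a plain runc container on a cloud VM node also sees it, because
the node itself is a VM. The deciding signal is whether the kernel release seen
inside the sandbox is the release the scheduler reports for the node.
"""
import platform
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    cgroup: str           # contents of /proc/1/cgroup
    cpuinfo: str          # contents of /proc/cpuinfo
    hypervisor_type: str  # contents of /sys/hypervisor/type, "" if the file is absent
    uname_release: str    # kernel release seen inside the sandbox (uname -r)
    node_kernel: str      # kernel release Kubernetes reports for the node, "" if unknown


# Path fragments the common container runtimes leave in PID 1's cgroup.
CONTAINER_MARKERS = ("docker", "kubepods", "containerd", "crio", "libpod")


def in_container(obs: Observation) -> bool:
    """True if PID 1's cgroup path carries a container-runtime marker."""
    return any(marker in obs.cgroup for marker in CONTAINER_MARKERS)


def under_hypervisor(obs: Observation) -> bool:
    """True if the CPU advertises the 'hypervisor' flag or sysfs names one (e.g. 'xen')."""
    flags = ""
    for line in obs.cpuinfo.splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1]
            break
    return "hypervisor" in flags.split() or bool(obs.hypervisor_type.strip())


def classify(obs: Observation) -> str:
    """Return 'shared-kernel', 'own-kernel' or 'undetermined'.

    With the node's kernel release known, an equal release inside the sandbox
    means the pod is running on the node kernel (namespace-only isolation).
    Without it, the only safe verdict is 'shared-kernel' on a bare-metal node
    whose PID 1 sits in a container cgroup; everything else is undetermined.
    """
    if obs.node_kernel:
        return "shared-kernel" if obs.uname_release == obs.node_kernel else "own-kernel"
    if in_container(obs) and not under_hypervisor(obs):
        return "shared-kernel"
    return "undetermined"


def _read(path: str) -> str:
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def observe_local(node_kernel: str = "") -> Observation:
    """Gather the same signals from the running system. Obtain node_kernel with
    kubectl get node <node> -o jsonpath='{.status.nodeInfo.kernelVersion}'."""
    return Observation(
        cgroup=_read("/proc/1/cgroup"),
        cpuinfo=_read("/proc/cpuinfo"),
        hypervisor_type=_read("/sys/hypervisor/type"),
        uname_release=platform.release(),
        node_kernel=node_kernel,
    )


# Constructed sample observations (not captured from a real cluster).
SAMPLE_RUNC_ON_CLOUD_VM = Observation(
    cgroup="0::/kubepods.slice/kubepods-burstable.slice/cri-containerd-0a1b2c.scope",
    cpuinfo="processor\t: 0\nflags\t\t: fpu vme sse2 hypervisor\n",
    hypervisor_type="",
    uname_release="6.1.0-18-cloud-amd64",
    node_kernel="6.1.0-18-cloud-amd64",
)
SAMPLE_OWN_KERNEL = Observation(
    cgroup="0::/init.scope",
    cpuinfo="processor\t: 0\nflags\t\t: fpu vme sse2 hypervisor\n",
    hypervisor_type="xen",
    uname_release="6.6.0-guest",
    node_kernel="6.1.0-18-cloud-amd64",
)
SAMPLE_RUNC_BARE_METAL = Observation(
    cgroup="0::/kubepods.slice/kubepods-besteffort.slice/cri-containerd-9f8e7d.scope",
    cpuinfo="processor\t: 0\nflags\t\t: fpu vme sse2\n",
    hypervisor_type="",
    uname_release="6.1.0-18-amd64",
    node_kernel="",
)

if __name__ == "__main__":
    for name, obs in (("runc on cloud VM", SAMPLE_RUNC_ON_CLOUD_VM),
                      ("own kernel", SAMPLE_OWN_KERNEL),
                      ("runc on bare metal", SAMPLE_RUNC_BARE_METAL)):
        print(f"{name}: {classify(obs)}")
    print(f"this host: {classify(observe_local())}")
```

Two caveats when using this in practice. An 'own-kernel' verdict only says the sandbox is not running the node's kernel; a user-space kernel such as gVisor, which reports a fixed fake release, produces the same verdict as a VM-backed runtime, so pair the check with the RuntimeClass the pod was scheduled with. And 'undetermined' on a VM node is the honest answer: from inside, a container on a cloud VM and a container in its own guest VM look alike until the node's kernel release is supplied.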
Related papers
- Side-Channel Attacks on Open vSwitch [1.1352077875520463]
  The Open vSwitch (OVS) is one of the most popular software-based virtual switches.
  We present three remote attacks via OVS, breaking the confidentiality in covert environments.
  arXiv Detail & Related papers (2026-01-22T04:12:03Z)
- Revati: Transparent GPU-Free Time-Warp Emulation for LLM Serving [1.4573878379102423]
  Revati is a time-warp emulator that enables performance modeling by directly executing real serving system code at simulation-like speed.
  Revati achieves less than 5% prediction error across multiple models and configurations, while running 5-17x faster than real GPU execution.
  arXiv Detail & Related papers (2026-01-01T17:19:58Z)
- pokiSEC: A Multi-Architecture, Containerized Ephemeral Malware Detonation Sandbox [41.99844472131922]
  pokiSEC is a lightweight, ephemeral malware detonation sandbox inside a Docker container.
  pokiSEC integrates QEMU with hardware acceleration (KVM when available) and exposes a browser-based workflow.
  We validate pokiSEC on Apple Silicon and Ubuntu (AMD64).
  arXiv Detail & Related papers (2025-12-24T00:38:40Z)
- Analysis of Security in OS-Level Virtualization [4.424739166856966]
  We will establish the basic concepts of virtualization.
  We will discuss the container creation life-cycle, which helps in forming a container threat model.
  Finally, we will discuss a case study, which further looks at the isolation provided by containers.
  arXiv Detail & Related papers (2025-01-02T16:36:41Z)
- I Know What You Sync: Covert and Side Channel Attacks on File Systems via syncfs [5.556839719025154]
  We show new types of side channels through the file system that break logical isolation.
  The file system plays a critical role in the operating system, managing all I/O activities between the application layer and the physical storage device.
  We construct three side-channel attacks targeting both Linux and Android devices.
  arXiv Detail & Related papers (2024-11-16T20:40:08Z)
- Ditto: Elastic Confidential VMs with Secure and Dynamic CPU Scaling [35.971391128345125]
  "Elastic CVM" and the Worker vCPU design not only optimize cloud resource utilization but also pave the way for more flexible and cost-effective confidential computing environments.
  arXiv Detail & Related papers (2024-09-23T20:52:10Z)
- Devlore: Extending Arm CCA to Integrated Devices A Journey Beyond Memory to Interrupt Isolation [10.221747752230131]
  Arm Confidential Computing Architecture executes sensitive computation in an abstraction called realm.
  CCA does not allow integrated devices on the platform to access realm.
  We present Devlore which allows realm to directly access integrated peripherals.
  arXiv Detail & Related papers (2024-08-11T17:33:48Z)
- vTensor: Flexible Virtual Tensor Management for Efficient LLM Serving [53.972175896814505]
  Large Language Models (LLMs) are widely used across various domains, processing millions of daily requests.
  arXiv Detail & Related papers (2024-07-22T14:37:58Z)
- Dynamic DNNs and Runtime Management for Efficient Inference on Mobile/Embedded Devices [2.8851756275902476]
  Deep neural network (DNN) inference is increasingly being executed on mobile and embedded platforms.
  We co-designed novel Dynamic Super-Networks to maximise system-level performance and energy efficiency.
  Compared with SOTA, our experimental results using ImageNet on the GPU of Jetson Xavier NX show our model is 2.4x faster for similar ImageNet Top-1 accuracy, or 5.1% higher accuracy at similar latency.
  arXiv Detail & Related papers (2024-01-17T04:40:30Z)
- Empowering WebAssembly with Thin Kernel Interfaces [1.4133405185767076]
  This paper proposes thin kernel interfaces for Wasm, which directly expose OS userspace syscalls without breaking intra-process sandboxing.
  Existing capability-based APIs for Wasm, such as WASI, can be implemented as a Wasm module over kernel interfaces.
  We present an implementation of this concept for two kernels -- Linux and Zephyr -- by extending a modern Wasm engine.
  arXiv Detail & Related papers (2023-12-06T19:11:15Z)
- Harnessing Deep Learning and HPC Kernels via High-Level Loop and Tensor Abstractions on CPU Architectures [67.47328776279204]
  This work introduces a framework to develop efficient, portable Deep Learning and High Performance Computing kernels.
  We decompose the kernel development in two steps: 1) expressing the computational core using Tensor Processing Primitives (TPPs) and 2) expressing the logical loops around TPPs in a high-level, declarative fashion.
  We demonstrate the efficacy of our approach using standalone kernels and end-to-end workloads that outperform state-of-the-art implementations on diverse CPU platforms.
  arXiv Detail & Related papers (2023-04-25T05:04:44Z)
- SwiftFormer: Efficient Additive Attention for Transformer-based Real-time Mobile Vision Applications [98.90623605283564]
  We introduce a novel efficient additive attention mechanism that effectively replaces the quadratic matrix multiplication operations with linear element-wise multiplications.
  We build a series of models called "SwiftFormer" which achieves state-of-the-art performance in terms of both accuracy and mobile inference speed.
  Our small variant achieves 78.5% top-1 ImageNet-1K accuracy with only 0.8 ms latency on iPhone 14, which is more accurate and 2x faster compared to MobileViT-v2.
  arXiv Detail & Related papers (2023-03-27T17:59:58Z)
- MAPLE-Edge: A Runtime Latency Predictor for Edge Devices [80.01591186546793]
  We propose MAPLE-Edge, an edge device-oriented extension of MAPLE, the state-of-the-art latency predictor for general purpose hardware.
  Compared to MAPLE, MAPLE-Edge can describe the runtime and target device platform using a much smaller set of CPU performance counters.
  We also demonstrate that unlike MAPLE, which performs best when trained on a pool of devices sharing a common runtime, MAPLE-Edge can effectively generalize across runtimes.
  arXiv Detail & Related papers (2022-04-27T14:00:48Z)
- PLSSVM: A (multi-)GPGPU-accelerated Least Squares Support Vector Machine [68.8204255655161]
  Support Vector Machines (SVMs) are widely used in machine learning.
  However, even modern and optimized implementations do not scale well for large non-trivial dense data sets on cutting-edge hardware.
  PLSSVM can be used as a drop-in replacement for LIBSVM.
  arXiv Detail & Related papers (2022-02-25T13:24:23Z)
- Optimizing Deep Learning Recommender Systems' Training On CPU Cluster Architectures [56.69373580921888]
  We focus on Recommender Systems, which account for most of the AI cycles in cloud computing centers.
  By enabling it to run on the latest CPU hardware and software tailored for HPC, we are able to achieve more than a two-orders-of-magnitude improvement in performance.
  arXiv Detail & Related papers (2020-05-10T14:40:16Z)
This list is automatically generated from the titles and abstracts of the papers in this site.