Light-Weight Contexts: An OS Abstraction for Safety and Performance

When designing a system where performance is the main priority, it is often the case where security is over looked. Motivated by the Heartbleed incident in 2014, authors of this paper realized that there needs to be a light weight isolation mechanism that the applications such as high performance webservers can use so that each session have a different view of the memory. Therefore, they proposed a lwC that will do just that: a light weight container that can contain certain parts of the process execution.

Overview of lwC Mechanism

Their overall approach of keeping the lwC lightweight is amazingly clever: give each child containers the illusion of having a seperate memory space. This is accomplished by manipulating the vmspace, which is the FreeBSD counterpart to linux’s vma, memory mapping. Therefore, when switching the lwC occures, only the structure is copied not the actual content. If the parent container wants to prevent child container to prevent access certain regions of memory, the parent container removed the memory mapping to that part of the memory in vmspace of the child. Futhurmore, the parent monitor can monitor the system calls of the child container.

The semantics of lwC can be easily understood since the API is very similar to fork(). When a child lwC is created, or “forked”, the default behaviour is to copy the vmspace, file descriptor table, and the preivilege of the parent container. Therefore, the “forked” lwC can be used as a snapshot that the program can rollback on. The experiments in the paper shows that switching between containers have lower ovearhead than switching between processes and thet using the containers in webservers have small overhead.

What about reliability?

One of the criticisms that was discussed in the class, which I agree, was the issues with reliability. The lwC assumes that a child container can perform denial of service attack but the child container won’t because a process denying service to itself is self-defeating. Because child container is often used to execute untrusted part of the program, it is reasonable to assume that there can be a situation where an advarsary can crash the program executing in the container. In webservers like Nginx where multiple session can be served by a single process, causing the crash can cause catastropic performance. Therefore, a potential improvement would be allowing the container to also contain failures if it were to ever occure by switching back to the parent container with the stack trace (potential fault tolerant behaviour).

Take-away

The take-away is that lwC provides a light weight mechanisms to provide isolation to the child containers, the overhead is small, and the context can be saved and can be rolled back in the future. There is a reliability issue which I think is valid, but overall, I found this paper to be very interesting due it its simple but clever mechanism.

Reference

Litton, James, Anjo Vahldiek-Oberwagner, Eslam Elnikety, Deepak Garg, Bobby Bhattacharjee, and Peter Druschel. “Light-Weight Contexts: An OS Abstraction for Safety and Performance.” In OSDI, pp. 49-64. 2016.

Get the presentation slides here.

Written on September 19, 2018