🤖 AI Summary
This paper addresses the challenge of securely sharing kernel-bypass I/O services among mutually distrustful applications. We propose the first user-level library architecture that simultaneously ensures strong security guarantees and high performance. Our approach introduces three key mechanisms: (1) a buffer-mapping locking scheme that prevents buffer-unmapping attacks; (2) bounded execution constraints and a synchronous interaction protocol that enforce timing guarantees on library functions and avoid kernel resource leaks from failed processes; and (3) a trusted daemon for asynchronous event handling, enabling dynamic workload partitioning. Evaluated on DDS communication, our prototype reduces end-to-end latency by 50% and improves throughput by up to 7× compared to FastDDS, while using less CPU. To the best of our knowledge, this is the first solution enabling secure, efficient, and formally verifiable sharing of high-speed NICs across mutually untrusted application domains.
📝 Abstract
Protected user-level libraries have been proposed as a way to allow mutually distrusting applications to safely share kernel-bypass services. In this paper, we identify and solve several previously unaddressed obstacles to realizing this design, and point out several optimization opportunities. First, to preserve the kernel's ability to reclaim failed processes, protected library functions must complete in modest, bounded time. We show how to move unbounded waits outside the library itself, enabling synchronous interaction among processes without the need for polling. Second, we show how the bounded-time requirement can be leveraged to achieve lower and more stable latency for inter-process interactions. Third, we observe that prior work on protected libraries is vulnerable to a buffer-unmapping attack; we prevent this attack by preventing applications from removing pages that they share with the protected library. Fourth, we show how a trusted daemon can respond to asynchronous events and dynamically divide work with application threads in a protected library.
By extending and improving the protected library model, our work provides a new way to structure OS services, combining the advantages of kernel bypass and microkernels. We present a set of safety and performance guidelines for developers of protected libraries, and a set of recommendations for developers of future protected library operating systems. We demonstrate the convenience and performance of our approach with a prototype version of the DDS communication service. To the best of our knowledge, this prototype represents the first successful sharing of a kernel-bypass NIC among mutually untrusting applications. Relative to the commercial FastDDS implementation, we achieve approximately 50% lower latency and up to 7× throughput, with lower CPU utilization.
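As an added illustration (not the paper's code or its actual mechanisms), a toy Python model of two of the rules stated above: a page an application has shared with the protected library cannot be unmapped while the library still holds it, and every library entry point does only bounded work, so the unbounded wait for ring space is done by the application outside the library and a failed process can be reclaimed without anything being mid-wait. The class, the ring, the process ids and page numbers are all constructed for this model.

```python
import threading
from collections import deque

class UnmapDenied(Exception):
    """The application tried to unmap a page the protected library still uses."""

class ProtectedLibraryModel:
    """Constructed toy model of two protected-library rules: shared pages stay mapped
    while the library references them, and library entry points never wait."""

    def __init__(self, ring_capacity=2):
        self.capacity = ring_capacity
        self.ring = deque()            # messages queued toward the NIC/daemon side
        self.pinned = set()            # (pid, page) pairs the library has mapped
        self.lock = threading.RLock()  # held only across short, bounded sections
        self.space = threading.Condition(self.lock)

    def share(self, pid, page):
        with self.lock:
            self.pinned.add((pid, page))

    def unmap(self, pid, page):
        with self.lock:                # refuse while the library still references the page
            if (pid, page) in self.pinned:
                raise UnmapDenied(f"pid {pid} page {page} is still in use by the library")

    def send(self, pid, page, payload):
        with self.lock:                # bounded entry point: enqueue or report full, never block
            if (pid, page) not in self.pinned:
                raise PermissionError("buffer was never shared with the library")
            if len(self.ring) >= self.capacity:
                return False
            self.ring.append((pid, payload))
            return True

    def recv(self):
        with self.lock:                # consumer side; wakes one sender waiting for space
            if not self.ring:
                return None
            item = self.ring.popleft()
            self.space.notify()
            return item

    def reclaim(self, pid):
        with self.lock:                # kernel cleanup of a failed process: nothing is mid-wait
            self.pinned = {p for p in self.pinned if p[0] != pid}
            self.ring = deque(m for m in self.ring if m[0] != pid)

def send_blocking(lib, pid, page, payload, timeout=1.0):
    """Application-side wrapper: the unbounded wait lives here, outside the library."""
    with lib.space:
        while not lib.send(pid, page, payload):
            if not lib.space.wait(timeout):
                return False
        return True
```

The `RLock` lets `send_blocking` hold the condition's lock while calling the bounded `send`, and `Condition.wait` releases it fully so a consumer calling `recv` can make progress.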