Hardening the OSv Unikernel with Efficient Address Randomization: Design and Performance Evaluation

πŸ“… 2026-02-11
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF

career value

204K/year
πŸ€– AI Summary
This work addresses the heightened vulnerability of the OSv unikernel to code-reuse attacks due to its highly predictable memory layout, stemming from the absence of security mechanisms such as Address Space Layout Randomization (ASLR). To mitigate this weakness without compromising OSv’s lightweight nature, the authors propose an efficient approach that introduces address randomization for both application base addresses and thread stacks by redesigning core memory management and program loading procedures. The method generates uniformly distributed random addresses and significantly reduces memory layout predictability while preserving the system’s fast startup time, runtime performance, and low memory footprint. Consequently, the enhanced unikernel exhibits substantially improved resilience against memory-oriented attacks, demonstrating that robust security features can be integrated into minimalistic kernel designs without incurring significant overhead.

Technology Category

Application Category

πŸ“ Abstract
Unikernels are single-purpose library operating systems that run the kernel and application in one address space, but often omit security mitigations such as address space layout randomization (ASLR). In OSv, boot, program loading, and thread creation select largely deterministic addresses, leading to near-identical layouts across instances and more repeatable exploitation. To reduce layout predictability, this research introduces ASLR-style diversity into OSv by randomizing the application base and thread stack regions through targeted changes to core memory-management and loading routines. The implementation adds minimal complexity while preserving OSv's lightweight design goals. Evaluation against an unmodified baseline finds comparable boot time, application runtime, and memory usage. Analysis indicates that the generated addresses exhibit a uniform distribution. These results show that layout-randomization defenses can be efficiently and effectively integrated into OSv unikernels, improving resistance to reliable exploitation.
Problem

Research questions and friction points this paper is trying to address.

unikernel
address space layout randomization
OSv
memory layout predictability
security mitigation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Address Space Layout Randomization
Unikernel
OSv
Memory Randomization
Security Hardening
πŸ”Ž Similar Papers