π€ AI Summary
This work addresses the heightened vulnerability of the OSv unikernel to code-reuse attacks due to its highly predictable memory layout, stemming from the absence of security mechanisms such as Address Space Layout Randomization (ASLR). To mitigate this weakness without compromising OSvβs lightweight nature, the authors propose an efficient approach that introduces address randomization for both application base addresses and thread stacks by redesigning core memory management and program loading procedures. The method generates uniformly distributed random addresses and significantly reduces memory layout predictability while preserving the systemβs fast startup time, runtime performance, and low memory footprint. Consequently, the enhanced unikernel exhibits substantially improved resilience against memory-oriented attacks, demonstrating that robust security features can be integrated into minimalistic kernel designs without incurring significant overhead.
π Abstract
Unikernels are single-purpose library operating systems that run the kernel and application in one address space, but often omit security mitigations such as address space layout randomization (ASLR). In OSv, boot, program loading, and thread creation select largely deterministic addresses, leading to near-identical layouts across instances and more repeatable exploitation. To reduce layout predictability, this research introduces ASLR-style diversity into OSv by randomizing the application base and thread stack regions through targeted changes to core memory-management and loading routines. The implementation adds minimal complexity while preserving OSv's lightweight design goals. Evaluation against an unmodified baseline finds comparable boot time, application runtime, and memory usage. Analysis indicates that the generated addresses exhibit a uniform distribution. These results show that layout-randomization defenses can be efficiently and effectively integrated into OSv unikernels, improving resistance to reliable exploitation.