
Hardening the OSv Unikernel with Efficient Address Randomization: Design and Performance Evaluation

Alex Wollman, John Hastings

TL;DR

This paper tackles the security gap in OSv unikernels caused by deterministic memory layouts by introducing ASLR-like randomization for the application base and thread stacks using a lightweight PRNG-based approach. The authors implement 93 lines of changes to core memory-management paths, preserving OSv’s minimal design while enabling page-aligned, address-randomized regions. Empirical evaluation shows no statistically significant degradation in boot time, runtime, or memory usage compared to the baseline, and the randomized addresses approximate a uniform distribution across main, heap, and stack regions. The work demonstrates that traditional exploit-mitigation techniques like ASLR can be effectively integrated into unikernel environments with minimal overhead, improving resistance to reliable exploitation and offering a path for extending such defenses to other unikernel platforms.

Abstract

Unikernels are single-purpose library operating systems that run the kernel and application in one address space, but often omit security mitigations such as address space layout randomization (ASLR). In OSv, boot, program loading, and thread creation select largely deterministic addresses, leading to near-identical layouts across instances and more repeatable exploitation. To reduce layout predictability, this research introduces ASLR-style diversity into OSv by randomizing the application base and thread stack regions through targeted changes to core memory-management and loading routines. The implementation adds minimal complexity while preserving OSv's lightweight design goals. Evaluation against an unmodified baseline finds comparable boot time, application runtime, and memory usage. Analysis indicates that the generated addresses exhibit a uniform distribution. These results show that layout-randomization defenses can be efficiently and effectively integrated into OSv unikernels, improving resistance to reliable exploitation.
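The placement step summarized above, picking a page-aligned base for a region from a PRNG and checking that the resulting addresses look uniform, can be sketched as follows. This is an added example, not code from the paper or from OSv: the splitmix64 generator, the 4 KiB page size, the address window, and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL /* assumed 4 KiB pages */

/* splitmix64: small deterministic PRNG, used here only for illustration. */
static uint64_t prng_next(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Uniform value in [0, n); rejection sampling avoids modulo bias. */
static uint64_t prng_below(uint64_t *state, uint64_t n) {
    uint64_t limit = UINT64_MAX - (UINT64_MAX % n), r;
    do { r = prng_next(state); } while (r >= limit);
    return r % n;
}

/* Page-aligned base such that [base, base + size) lies inside [lo, hi).
 * Returns 0 when the window cannot hold the region. */
uint64_t random_region_base(uint64_t *state, uint64_t lo, uint64_t hi, uint64_t size) {
    uint64_t first = (lo + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1); /* round lo up */
    if (size == 0 || hi <= first || hi - first < size) return 0;
    uint64_t slots = (hi - first - size) / PAGE_SIZE + 1;
    return first + prng_below(state, slots) * PAGE_SIZE;
}

/* Pearson chi-square of `samples` bases over 16 equal-width bins; a uniform
 * source stays near 15. Assumes lo is page-aligned and the window is valid. */
double base_chi_square(uint64_t seed, uint64_t lo, uint64_t hi, uint64_t size, unsigned samples) {
    enum { BINS = 16 };
    unsigned count[BINS] = {0};
    uint64_t usable = hi - lo - size + PAGE_SIZE;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t base = random_region_base(&seed, lo, hi, size);
        count[(base - lo) * BINS / usable]++;
    }
    double expected = (double)samples / BINS, chi = 0.0;
    for (int b = 0; b < BINS; b++)
        chi += (count[b] - expected) * (count[b] - expected) / expected;
    return chi;
}

int main(void) { /* constructed window: 1 GiB range, 1 MiB region */
    uint64_t lo = 0x200000000000ULL, hi = lo + (1ULL << 30);
    printf("chi-square: %.2f\n", base_chi_square(42, lo, hi, 1ULL << 20, 16000));
    return 0;
}
```

A fixed seed makes the layout reproducible, which is useful for testing but defeats the purpose in deployment; the seed has to come from an unpredictable source for the randomization to resist guessing.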

Paper Structure (14 sections, 3 tables)