Organizations run applications on cloud infrastructure shared between multiple users and organizations. Popular tooling for this shared infrastructure, including Docker and Kubernetes, supports such multi-tenancy through operating system virtualization. With operating system virtualization (known as containerization), multiple applications share the same kernel, which reduces runtime overhead. However, the shared kernel presents a large attack surface and has led to a proliferation of container escape attacks, in which a kernel exploit lets an attacker break out of the isolation of operating system virtualization to access other applications or the operating system itself. To address this, some systems have proposed a return to hypervisor virtualization for stronger isolation between applications. However, no existing system has achieved both the isolation of hypervisor virtualization and the performance and usability of operating system virtualization. We present Edera, an optimized type 1 hypervisor that uses paravirtualization to improve the runtime performance of hypervisor virtualization. We illustrate Edera's usability and performance through two use cases. First, we create a Kubernetes-compatible container runtime that runs on the Edera hypervisor. This implementation can be used as a drop-in replacement for the Kubernetes container runtime and is compatible with all the tooling in the Kubernetes ecosystem. Second, we use Edera to provide driver isolation for hardware drivers, including those for networking, storage, and GPUs. This isolation protects the hypervisor and other applications from driver vulnerabilities. We find that Edera's runtime performance is comparable to Docker's: CPU speed is 0.9% slower, system call performance is on average 3% faster, and memory performance is 0 to 7% faster. It achieves this with a 648 millisecond increase in startup time over Docker's 177.4 milliseconds.
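The following manifest is an added illustration, not code from the paper or from the Edera project: it shows the standard Kubernetes mechanism (a RuntimeClass object selected by name from a Pod spec) through which any alternate container runtime, including a hypervisor-backed one, is swapped in without changing the rest of the workload definition. The handler name `edera-runtime` and the node label `runtime.example.com/hypervisor` are placeholders assumed here; the paper does not name the handler its runtime registers.

```yaml
# Added example: selecting a hypervisor-backed runtime via RuntimeClass.
# Handler and label names are assumptions, not from the paper.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: hypervisor-isolated
# handler must match a runtime handler configured on the node's CRI
# implementation (e.g. a containerd runtime entry); "edera-runtime" is a placeholder.
handler: edera-runtime
scheduling:
  # Only place pods on nodes where the hypervisor-backed runtime is installed.
  nodeSelector:
    runtime.example.com/hypervisor: "true"
overhead:
  # Per-pod overhead accounted for by the scheduler; values are illustrative
  # and should be replaced with measured figures for the target runtime.
  podFixed:
    memory: "128Mi"
    cpu: "100m"
---
apiVersion: v1
kind: Pod
metadata:
  name: isolated-workload
spec:
  # The only change from an ordinary pod: name the RuntimeClass.
  # Image, ports, volumes, and the rest of the spec are untouched.
  runtimeClassName: hypervisor-isolated
  containers:
    - name: app
      image: nginx:1.27
      ports:
        - containerPort: 80
```

The point a practitioner should take from this is that the isolation boundary is chosen per pod by a single field, so a cluster can mix kernel-shared containers for trusted workloads with hypervisor-isolated ones for untrusted tenants; the `overhead` block is where the extra startup and memory cost of the stronger boundary is made visible to the scheduler rather than silently absorbed.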