Unikernels are single-purpose library operating systems that run the kernel and application in one address space, but often omit security mitigations such as address space layout randomization (ASLR). In OSv, boot, program loading, and thread creation select largely deterministic addresses, leading to near-identical layouts across instances and more repeatable exploitation. To reduce layout predictability, this research introduces ASLR-style diversity into OSv by randomizing the application base and thread stack regions through targeted changes to core memory-management and loading routines. The implementation adds minimal complexity while preserving OSv's lightweight design goals. Evaluation against an unmodified baseline finds comparable boot time, application runtime, and memory usage. Analysis indicates that the generated addresses exhibit a uniform distribution. These results show that layout-randomization defenses can be efficiently and effectively integrated into OSv unikernels, improving resistance to reliable exploitation.
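As an added illustration (not the paper's OSv code, which the abstract does not show), the following C sketch performs the two steps the abstract describes: choosing a random page-aligned base for a region inside a fixed window, and checking the generated addresses for uniformity with a chi-square statistic. The window bounds, object size, PRNG and sample count are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096ULL

/* Illustrative xorshift64* generator (constructed for the example); a real
 * kernel must seed a CSPRNG from hardware entropy instead. Seed must be non-zero. */
typedef struct { uint64_t s; } rng_t;
static uint64_t rng_next(rng_t *r) {
    uint64_t x = r->s;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    r->s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Number of page-aligned placements of a `size`-byte object inside [lo, hi);
 * 0 when the window cannot hold it. log2 of this is the entropy in bits. */
uint64_t slot_count(uint64_t lo, uint64_t hi, uint64_t size) {
    uint64_t first = (lo + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    if (hi < size || hi - size < first) return 0;
    return (hi - size - first) / PAGE_SIZE + 1;
}

/* Replace a fixed load address with a random page-aligned base such that
 * [base, base+size) stays inside [lo, hi). Returns 0 when no placement exists. */
uint64_t pick_random_base(rng_t *r, uint64_t lo, uint64_t hi, uint64_t size) {
    uint64_t slots = slot_count(lo, hi, size);
    if (slots == 0) return 0;
    uint64_t first = (lo + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
    return first + (rng_next(r) % slots) * PAGE_SIZE; /* modulo bias negligible for slots << 2^64 */
}

/* Chi-square statistic of n addresses bucketed into `bins` equal ranges of [lo, hi):
 * 0 is perfectly uniform; values far above bins-1 indicate clustering. */
double chi_square_uniform(const uint64_t *addrs, size_t n, uint64_t lo, uint64_t hi, int bins) {
    uint64_t width = (hi - lo + (uint64_t)bins - 1) / (uint64_t)bins;
    double *count = calloc((size_t)bins, sizeof *count), expected = (double)n / bins, stat = 0;
    if (!count) return -1;
    for (size_t i = 0; i < n; i++) count[(addrs[i] - lo) / width]++;
    for (int b = 0; b < bins; b++) stat += (count[b] - expected) * (count[b] - expected) / expected;
    free(count);
    return stat;
}

int main(void) {
    enum { N = 100000, BINS = 16 };
    static uint64_t base[N];
    uint64_t lo = 0x400000, hi = lo + (1ULL << 30);   /* constructed 1 GiB window */
    rng_t r = { 0x9E3779B97F4A7C15ULL };
    for (int i = 0; i < N; i++) base[i] = pick_random_base(&r, lo, hi, 1 << 20);
    printf("slots=%llu chi-square(%d bins)=%.2f\n", (unsigned long long)slot_count(lo, hi, 1 << 20),
           BINS, chi_square_uniform(base, N, lo, hi, BINS));
    return 0;
}
```

For a uniform generator the printed statistic should stay near the degrees of freedom (bins - 1); a sharply larger value means some bases are favoured.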