Organizations run applications on cloud infrastructure shared between multiple users and organizations. Popular tooling for this shared infrastructure, including Docker and Kubernetes, supports such multi-tenancy through the use of operating system virtualization. With operating system virtualization (known as containerization), multiple applications share the same kernel, reducing the runtime overhead. However, this shared kernel presents a large attack surface and has led to a proliferation of container escape attacks in which a kernel exploit lets an attacker escape the isolation of operating system virtualization to access other applications or the operating system itself. To address this, some systems have proposed a return to hypervisor virtualization for stronger isolation between applications. However, no existing system has achieved both the isolation of hypervisor virtualization and the performance and usability of operating system virtualization. We present Edera, an optimized type 1 hypervisor that uses paravirtualization to improve the runtime of hypervisor virtualization. We illustrate Edera's usability and performance through two use cases. First, we create a container runtime compatible with Kubernetes that runs on the Edera hypervisor. This implementation can be used as a drop-in replacement for the Kubernetes runtime and is compatible with all the tooling in the Kubernetes ecosystem. Second, we use Edera to provide driver isolation for hardware drivers, including those for networking, storage, and GPUs. This use of isolation protects the hypervisor and other applications from driver vulnerabilities. We find that Edera has runtime comparable to Docker with .9% slower cpu speeds, an average of 3% faster system call performance, and memory performance 0-7% faster. It achieves this with a 648 millisecond increase in startup time from Docker's 177.4 milliseconds.

翻译：摘要：各类组织在共享云计算基础设施上运行应用程序，这些基础设施可能由多个用户或组织共同使用。Docker和Kubernetes等主流共享基础设施工具通过操作系统虚拟化实现多租户支持。采用操作系统虚拟化（即容器化）时，多个应用程序共享同一内核，从而降低运行时开销。然而，这种共享内核带来了巨大的攻击面，并导致容器逃逸攻击激增——攻击者利用内核漏洞突破操作系统虚拟化隔离，访问其他应用程序或操作系统本身。为此，部分系统提出回归虚拟机管理程序虚拟化，以实现更强的应用程序间隔离。但现有系统均无法同时兼顾虚拟机管理程序的隔离性、操作系统虚拟化的性能与易用性。我们提出Edera——一种优化的类型1虚拟机管理程序，通过半虚拟化技术提升运行时性能。通过两个使用案例展示其易用性与性能：第一，我们创建了兼容Kubernetes的容器运行时（运行于Edera虚拟机管理程序之上），该实现可作为Kubernetes运行时的直接替代品，并兼容Kubernetes生态系统的全部工具链；第二，我们利用Edera实现硬件驱动（包括网络、存储和GPU驱动）的隔离，这种隔离机制可保护虚拟机管理程序及其他应用程序免受驱动漏洞影响。实验表明，Edera的运行时性能与Docker相当：CPU速度慢0.9%，系统调用性能平均提升3%，内存性能提升0%-7%。尽管启动时间从Docker的177.4毫秒增至648毫秒，但整体性能优势显著。