
Set the configuration for the heart of the OS: on the practicality of operating system kernel debloating

Published: 25 April 2022

Abstract

This paper presents a study on the practicality of operating system (OS) kernel debloating, that is, reducing kernel code that is not needed by the target applications. Despite their significant benefits regarding security (attack surface reduction) and performance (fast boot time and reduced memory footprints), the state-of-the-art OS kernel debloating techniques are not widely adopted in practice, especially in production environments. We identify the limitations of existing kernel debloating techniques, both accidental and essential, that hinder their practical adoption. To understand these limitations, we build an advanced debloating framework named Cozart that enables us to conduct a number of experiments on different types of OS kernels (such as Linux and the L4 microkernel) with a wide variety of applications (such as HTTPD, Memcached, MySQL, NGINX, PHP, and Redis). Our experimental results reveal the challenges and opportunities in making OS kernel debloating practical. We share these insights and our experience to shed light on addressing the limitations of kernel debloating techniques in future research and development efforts.

Published In

Communications of the ACM  Volume 65, Issue 5
May 2022
108 pages
ISSN:0001-0782
EISSN:1557-7317
DOI:10.1145/3533590

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed
