Cooperation and security isolation of library OSes for multi-process applications Conference Paper uri icon


  • Library OSes are a promising approach for applications to efficiently obtain the benefits of virtual machines, including security isolation, host platform compatibility, and migration. Library OSes refactor a traditional OS kernel into an application library, avoiding overheads incurred by duplicate functionality. When compared to running a single application on an OS kernel in a VM, recent library OSes reduce the memory footprint by an order-of-magnitude. Previous library OS (libOS) research has focused on single-process applications, yet many Unix applications, such as network servers and shell scripts, span multiple processes. Key design challenges for a multi-process libOS include management of shared state and minimal expansion of the security isolation boundary. This paper presents Graphene, a library OS that seamlessly and efficiently executes both single and multi-process applications, generally with low memory and performance overheads. Graphene broadens the libOS paradigm to support secure, multi-process APIs, such as copy-on-write fork, signals, and System V IPC. Multiple libOS instances coordinate over pipe-like byte streams to implement a consistent, distributed POSIX abstraction. These coordination streams provide a simple vantage point to enforce security isolation. Copyright 2007 by the Association for Computing Machinery, Inc.

name of conference

  • the Ninth European Conference

published proceedings

  • Proceedings of the Ninth European Conference on Computer Systems - EuroSys '14

author list (cited authors)

  • Tsai, C., Porter, D. E., Arora, K. S., Bandi, N., Jain, B., Jannen, W., ... Oliveira, D.

publication date

  • January 1, 2014 11:11 AM