Harmonizing Security and Performance in Microkernel File Servers
-
Abstract
Microkernel OSes separate OS functionality, including file systems and device drivers, into distinct user-level services, which mitigates the lack of isolation in monolithic OSes. Nevertheless, from the perspective of applications, compromised services may still threaten their security: attackers can exploit vulnerabilities in file systems and disk drivers to leak or manipulate applications' file content.
The key problem is that de-privileging OS services from kernel level to user level does not by itself reduce an application's trusted computing base (TCB); the application still has to trust every system service it depends on. This paper makes a case for providing file service to applications with a minimal TCB on microkernel OSes. Observing that a file service does not actually need to access the concrete file content, we propose a mechanism named Mirage, which strips file services of the privilege to access file content while preserving their management capability. Mirage efficiently protects the confidentiality and integrity of application files from untrusted services. The evaluation shows that Mirage outperforms an encryption-based mechanism by up to 128% for IO-intensive workloads.
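The following is an added toy model of the separation the abstract argues for, written for this page; it is not Mirage's design or code, and the component names (MemoryManager, FileServer, Application, Capability), the capability scheme and the sample data are assumptions made for the illustration. The file server keeps the metadata (which pages belong to which file, in which order, how many bytes each holds) but only ever sees opaque page handles; reading or writing a page requires a capability that only the owning application holds, so a compromised file server can still allocate, attach and enumerate pages yet cannot read or alter the bytes inside them.

```python
"""Toy model of 'file management without content access' (added example,
not Mirage's implementation). Component names and the capability scheme
are assumptions made for this illustration."""

import secrets

PAGE_SIZE = 4096


class Capability:
    """Unforgeable token for one page; only the owning application holds it."""
    def __init__(self, page_id: int):
        self.page_id = page_id
        self.token = secrets.token_bytes(16)


class MemoryManager:
    """Trusted component: the only place page contents live. It hands out
    (handle, capability) pairs and checks the capability on every access."""
    def __init__(self):
        self._pages = {}   # handle -> bytearray
        self._tokens = {}  # handle -> expected capability token
        self._next = 0

    def alloc_page(self):
        handle, self._next = self._next, self._next + 1
        cap = Capability(handle)
        self._pages[handle] = bytearray(PAGE_SIZE)
        self._tokens[handle] = cap.token
        return handle, cap

    def _check(self, handle, cap):
        if handle not in self._pages:
            raise KeyError(f"unknown page {handle}")
        if cap is None or cap.page_id != handle or \
                not secrets.compare_digest(cap.token, self._tokens[handle]):
            raise PermissionError(f"no capability for page {handle}")

    def write(self, handle, cap, offset, data):
        self._check(handle, cap)
        self._pages[handle][offset:offset + len(data)] = data

    def read(self, handle, cap, offset, length):
        self._check(handle, cap)
        return bytes(self._pages[handle][offset:offset + length])


class FileServer:
    """Untrusted: knows the file layout, never receives a capability."""
    def __init__(self, mm):
        self.mm = mm
        self.files = {}  # name -> list of (page handle, bytes used)

    def create(self, name):
        self.files[name] = []

    def attach_page(self, name, handle, used):
        self.files[name].append((handle, used))

    def pages(self, name):
        return list(self.files[name])


class Application:
    """Owner of the content: holds the capabilities, uses the server for layout."""
    def __init__(self, mm, fs):
        self.mm, self.fs = mm, fs
        self.caps = {}  # handle -> Capability

    def write_file(self, name, data):
        self.fs.create(name)
        for off in range(0, len(data), PAGE_SIZE):
            chunk = data[off:off + PAGE_SIZE]
            handle, cap = self.mm.alloc_page()
            self.caps[handle] = cap
            self.mm.write(handle, cap, 0, chunk)
            self.fs.attach_page(name, handle, len(chunk))

    def read_file(self, name):
        return b"".join(self.mm.read(h, self.caps[h], 0, used)
                        for h, used in self.fs.pages(name))


def build_system():
    mm = MemoryManager()
    fs = FileServer(mm)
    return mm, fs, Application(mm, fs)


def compromised_server_reads(fs, name):
    """A hijacked file server tries to read a file's pages with no capability.
    Returns True only if any byte of content leaked."""
    try:
        return any(fs.mm.read(h, None, 0, used) for h, used in fs.pages(name))
    except PermissionError:
        return False


def compromised_server_tampers(fs, name):
    """The same server tries to overwrite the first page. Returns True on success."""
    try:
        handle, _ = fs.pages(name)[0]
        fs.mm.write(handle, None, 0, b"pwned")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    mm, fs, app = build_system()
    # Constructed sample content, large enough to span three pages.
    sample = b"API_KEY=constructed-sample-value\n" * 300
    app.write_file("config.txt", sample)
    print("round trip ok:", app.read_file("config.txt") == sample)
    print("server leaked:", compromised_server_reads(fs, "config.txt"))
    print("server tampered:", compromised_server_tampers(fs, "config.txt"))
```

The point of the model is where the check sits: the file server's management interface (create, attach, enumerate) never needs a capability, while every content access goes through the memory manager, which is part of the application's TCB in this model and the server is not. The model deliberately omits what the abstract does not detail, such as how page ordering and substitution by a malicious server are detected, and it is not a statement of Mirage's actual protection mechanism.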