Adam Lackorzynski, Technische Universität Dresden, Department of Computer Science, Operating Systems Group. Janis Danisevskis, Jan Nordholz, Michael Peter, Technische Universität Berlin, Deutsche Telekom Laboratories, Security in Telecommunications

Lately, general purpose operating systems piqued the interest of the automization industry as they are supported on an array of platforms and software and skilled developers are readily available.  The recent adoption of Linux mirrors that trend. However, the open nature of general purpose systems raise questions as to their resilience against attacks, particularly in installations that are connected to the internet.

Past Experiences have shown that relying exclusively on the security mechanisms of the general purpose OS is not advisable as vulnerabilities in them become regularly known. Rather, it is worthwhile to consider security architectures that make use of the stronger isolation properties of virtual machines.  However, virtualization introduces an additional layer in the system software stack which may impair the responsiveness of its guest operating systems.

In this paper, we show that L4Linux - an encapsulated Linux running on a microkernel - exhibits a real-time behavior that falls very close to that of the corresponding mainline Linux version. In fact, we only measured a small constant increase of the response times, which were small enough to be negligible for most applications.  Our results show that it is practically possible to run security critical tasks and control applications in dedicated virtual machines, thus greatly improving the systems resilience against attackers.