Hardening the OSv Unikernel with Efficient Address Randomization: Design and Performance Evaluation

TL;DR

This paper introduces an efficient address space randomization technique for OSv unikernels, enhancing security by making memory layouts unpredictable while maintaining performance and lightweight design.

Contribution

It presents a novel, minimal-overhead method to incorporate address randomization into OSv, improving security without sacrificing efficiency.

Findings

Addresses exhibit a uniform distribution after randomization

Boot time, runtime, and memory usage are comparable to baseline

Enhanced resistance to exploitation due to layout unpredictability

Abstract

Unikernels are single-purpose library operating systems that run the kernel and application in one address space, but often omit security mitigations such as address space layout randomization (ASLR). In OSv, boot, program loading, and thread creation select largely deterministic addresses, leading to near-identical layouts across instances and more repeatable exploitation. To reduce layout predictability, this research introduces ASLR-style diversity into OSv by randomizing the application base and thread stack regions through targeted changes to core memory-management and loading routines. The implementation adds minimal complexity while preserving OSv's lightweight design goals. Evaluation against an unmodified baseline finds comparable boot time, application runtime, and memory usage. Analysis indicates that the generated addresses exhibit a uniform distribution. These results show that layout-randomization defenses can be efficiently and effectively integrated into OSv unikernels, improving resistance to reliable exploitation.