Patents by Inventor Joel Kelly Nider

Joel Kelly Nider has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11194639
    Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by executing system calls in a dedicated address space to reduce the amount of shared resources that are visible to and thus exploitable by a malicious application. For example, in an embodiment, a method implemented in a computer may comprise a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: when a user process makes a system call, switching to kernel mode and using a system call page table for the user process to execute a system call handler, when the system call handler attempts to access unmapped kernel space memory, generating a page fault, and handling the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.
    Type: Grant
    Filed: May 19, 2019
    Date of Patent: December 7, 2021
    Assignee: International Business Machines Corporation
    Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
  • Patent number: 11093657
    Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by isolating parts of the kernel to protect them from attacks. For example, in an embodiment, a computer-implemented method implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: creating a namespace in an operating system kernel-space in the memory of the computer, creating an address space for the namespace that maps only kernel objects owned by the namespace, and providing access to kernel objects owned by the namespace only to the at least one user process using the combined page table.
    Type: Grant
    Filed: May 19, 2019
    Date of Patent: August 17, 2021
    Assignee: International Business Machines Corporation
    Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
  • Publication number: 20200364375
    Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by isolating parts of the kernel to protect them from attacks. For example, in an embodiment, a computer-implemented method implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: creating a namespace in an operating system kernel-space in the memory of the computer, creating an address space for the namespace that maps only kernel objects owned by the namespace, and providing access to kernel objects owned by the namespace only to the at least one user process using the combined page table.
    Type: Application
    Filed: May 19, 2019
    Publication date: November 19, 2020
    Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
  • Publication number: 20200364101
    Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by executing system calls in a dedicated address space to reduce the amount of shared resources that are visible to and thus exploitable by a malicious application. For example, in an embodiment, a method implemented in a computer may comprise a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: when a user process makes a system call, switching to kernel mode and using a system call page table for the user process to execute a system call handler, when the system call handler attempts to access unmapped kernel space memory, generating a page fault, and handling the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.
    Type: Application
    Filed: May 19, 2019
    Publication date: November 19, 2020
    Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
  • Patent number: 10824466
    Abstract: In some examples, a system for container migration can include a processor to detect a remote direct memory access (RDMA) enabled network interface controller that supports an on-demand paging feature within the system and within the target device. The processor can also detect a container to be migrated to the target device, the container comprising one or more processes being executed by the system. Additionally, the processor can implement migration procedures on the system and detect, via a kernel component of an operating system, a process identifier of each of the one or more processes to be migrated, wherein the operating system is stored in memory of the system. Furthermore, the processor can modify the system to transmit page fault data for each of the one or more processes migrated to the target device.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: November 3, 2020
    Assignee: International Business Machines Corporation
    Inventors: Joel Kelly Nider, Michael Rapoport
  • Publication number: 20200097323
    Abstract: In some examples, a system for container migration can include a processor to detect a remote direct memory access (RDMA) enabled network interface controller that supports an on-demand paging feature within the system and within the target device. The processor can also detect a container to be migrated to the target device, the container comprising one or more processes being executed by the system. Additionally, the processor can implement migration procedures on the system and detect, via a kernel component of an operating system, a process identifier of each of the one or more processes to be migrated, wherein the operating system is stored in memory of the system. Furthermore, the processor can modify the system to transmit page fault data for each of the one or more processes migrated to the target device.
    Type: Application
    Filed: September 26, 2018
    Publication date: March 26, 2020
    Inventors: Joel Kelly Nider, Michael Rapoport
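The four kernel-isolation entries above (11194639 / 20200364101 and 11093657 / 20200364375) describe the same basic idea from two angles: a system call runs against a restricted page table that maps only a subset of kernel memory, and a touch of an unmapped kernel page is turned into a page fault whose handler decides whether that access is legitimate (for instance, whether the kernel object belongs to the calling process's namespace). The following user-space C program is an added model of that decision logic; it is not code from the patents, from IBM, or from any kernel. The page layout, the ownership tags, the per-process "system call page table" and the allow/deny policy are all assumptions made for the illustration.

```c
/* Model of syscall-time kernel isolation: a per-process system-call page
 * table, a simulated page fault on unmapped kernel memory, and a fault
 * handler that allows or refuses the access.  Added illustration only;
 * every structure, name and policy rule here is an assumption. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT  12
#define PAGE_SIZE   (1ULL << PAGE_SHIFT)
#define NPAGES      16                       /* modelled kernel: 16 pages   */
#define KERNEL_BASE 0xffff800000000000ULL    /* assumed kernel base address */

/* Who owns each kernel page: syscall text is shared by every process,
 * an object page belongs to exactly one kernel namespace. */
enum page_kind { PK_UNUSED, PK_SYSCALL_TEXT, PK_NS_OBJECT };

struct kpage {
    enum page_kind kind;
    int owner_ns;                            /* meaningful for PK_NS_OBJECT */
};

static struct kpage kernel[NPAGES];

/* A user process: the namespace it runs in and its private system-call
 * page table (one present bit per modelled kernel page). */
struct process {
    int  pid;
    int  ns;
    bool sc_pt[NPAGES];
    int  faults_allowed;
    int  faults_denied;
};

enum access_result { ACC_OK, ACC_MAPPED_ON_FAULT, ACC_VIOLATION };

static int page_index(uint64_t addr) {
    if (addr < KERNEL_BASE) return -1;       /* not kernel space at all */
    uint64_t off = (addr - KERNEL_BASE) >> PAGE_SHIFT;
    return off < NPAGES ? (int)off : -1;
}

/* The fault handler's policy (assumed): shared syscall text is always
 * allowed; a namespace-owned object only if the caller's namespace owns
 * it; anything else (unused pages, foreign namespaces) is refused. */
static bool access_allowed(const struct process *p, int idx) {
    switch (kernel[idx].kind) {
    case PK_SYSCALL_TEXT: return true;
    case PK_NS_OBJECT:    return kernel[idx].owner_ns == p->ns;
    default:              return false;
    }
}

/* One kernel-mode memory access made by the system-call handler on behalf
 * of process p, resolved through p's system-call page table. */
static enum access_result syscall_access(struct process *p, uint64_t addr) {
    int idx = page_index(addr);
    if (idx < 0) { p->faults_denied++; return ACC_VIOLATION; }
    if (p->sc_pt[idx]) return ACC_OK;        /* present: no fault taken */

    /* Page fault: the page is not in this process's syscall page table. */
    if (access_allowed(p, idx)) {
        p->sc_pt[idx] = true;                /* map on demand and resume */
        p->faults_allowed++;
        return ACC_MAPPED_ON_FAULT;
    }
    p->faults_denied++;                      /* refuse: memory stays unmapped */
    return ACC_VIOLATION;
}

static uint64_t kaddr(int page, uint64_t off) {
    return KERNEL_BASE + (uint64_t)page * PAGE_SIZE + off;
}

/* Scenario: pages 0-1 are syscall text, 2-3 belong to namespace 1,
 * 4-5 to namespace 2, the rest unused; proc_a is in ns 1, proc_b in ns 2. */
static struct process proc_a, proc_b;

static void scenario_setup(void) {
    memset(kernel, 0, sizeof kernel);
    kernel[0].kind = kernel[1].kind = PK_SYSCALL_TEXT;
    for (int i = 2; i <= 3; i++) { kernel[i].kind = PK_NS_OBJECT; kernel[i].owner_ns = 1; }
    for (int i = 4; i <= 5; i++) { kernel[i].kind = PK_NS_OBJECT; kernel[i].owner_ns = 2; }
    memset(&proc_a, 0, sizeof proc_a); proc_a.pid = 100; proc_a.ns = 1;
    memset(&proc_b, 0, sizeof proc_b); proc_b.pid = 200; proc_b.ns = 2;
}

int main(void) {
    scenario_setup();
    printf("a text     : %d\n", syscall_access(&proc_a, kaddr(0, 0x10))); /* 1: mapped on fault */
    printf("a text     : %d\n", syscall_access(&proc_a, kaddr(0, 0x40))); /* 0: already mapped */
    printf("a own obj  : %d\n", syscall_access(&proc_a, kaddr(2, 0)));    /* 1: mapped on fault */
    printf("a other ns : %d\n", syscall_access(&proc_a, kaddr(4, 0)));    /* 2: violation */
    printf("b own obj  : %d\n", syscall_access(&proc_b, kaddr(4, 0)));    /* 1: mapped on fault */
    printf("b unused   : %d\n", syscall_access(&proc_b, kaddr(9, 0)));    /* 2: violation */
    return 0;
}
```

The point the model makes is that the denied case is the interesting one: a handler that merely mapped every faulting page on demand would reintroduce the full shared kernel address space and defeat the isolation, so the decision in `access_allowed` is where the security property lives. In a real kernel that policy would also have to cover legitimate cross-namespace accesses (scheduler, memory management) and the cost of the extra faults, neither of which this model represents.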