Patents by Inventor Michael Rapoport

Michael Rapoport has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11194639
    Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by executing system calls in a dedicated address space to reduce the amount of shared resources that are visible to and thus exploitable by a malicious application. For example, in an embodiment, a method implemented in a computer may comprise a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: when a user process makes a system call, switching to kernel mode and using a system call page table for the user process to execute a system call handler, when the system call handler attempts to access unmapped kernel space memory, generating a page fault, and handling the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.
    Type: Grant
    Filed: May 19, 2019
    Date of Patent: December 7, 2021
    Assignee: International Business Machines Corporation
    Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
  • Patent number: 11093657
    Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by isolating parts of the kernel to protect them from attacks. For example, in an embodiment, a computer-implemented method implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: creating a namespace in an operating system kernel-space in the memory of the computer, creating an address space for the namespace that maps only kernel objects owned by the namespace, and providing access to kernel objects owned by the namespace only to the at least one user process using the combined page table.
    Type: Grant
    Filed: May 19, 2019
    Date of Patent: August 17, 2021
    Assignee: International Business Machines Corporation
    Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
  • Publication number: 20200364375
    Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by isolating parts of the kernel to protect them from attacks. For example, in an embodiment, a computer-implemented method implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: creating a namespace in an operating system kernel-space in the memory of the computer, creating an address space for the namespace that maps only kernel objects owned by the namespace, and providing access to kernel objects owned by the namespace only to the at least one user process using the combined page table.
    Type: Application
    Filed: May 19, 2019
    Publication date: November 19, 2020
    Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
  • Publication number: 20200364101
    Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by executing system calls in a dedicated address space to reduce the amount of shared resources that are visible to and thus exploitable by a malicious application. For example, in an embodiment, a method implemented in a computer may comprise a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: when a user process makes a system call, switching to kernel mode and using a system call page table for the user process to execute a system call handler, when the system call handler attempts to access unmapped kernel space memory, generating a page fault, and handling the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.
    Type: Application
    Filed: May 19, 2019
    Publication date: November 19, 2020
    Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
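The two system-call isolation entries above (grant 11194639 and its published application 20200364101) describe one mechanism: the system call handler runs against a sparse page table, a touch of unmapped kernel memory raises a page fault, and the fault handler decides whether that access is allowed. The C program below is an added user-space model of that idea, not code from the patents or from IBM. A PROT_NONE region stands in for the kernel memory the system-call page table does not map, a SIGSEGV handler stands in for the kernel page-fault handler, and a per-page allow list stands in for the policy decision. The names sandbox_init, syscall_touch, policy_allow and denied_count are this example's own, and it assumes Linux with glibc.

```c
#define _GNU_SOURCE          /* sigaction, siginfo_t, MAP_ANONYMOUS on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added user-space model, not the patent's code: region[] is "kernel memory" that the
 * system-call page table leaves unmapped, fault_handler plays the kernel page-fault
 * handler, and allowed[] is the policy that says which unmapped accesses may succeed. */
enum { NPAGES = 8 };
static long page_size;
static unsigned char *region;            /* base of the "unmapped kernel" region */
static int allowed[NPAGES];              /* policy: 1 = may be faulted in on demand */
static volatile sig_atomic_t denied_faults;
static sigjmp_buf deny_env;              /* unwinds a "system call" whose access is denied */

static void fault_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr, base = (uintptr_t)region;
    if (region && addr >= base && addr < base + (uintptr_t)NPAGES * page_size) {
        size_t pg = (addr - base) / page_size;
        if (allowed[pg]) {
            /* Allowed: map the page and return, so the faulting instruction is retried. */
            mprotect(region + pg * page_size, page_size, PROT_READ | PROT_WRITE);
            return;
        }
        denied_faults++;
        siglongjmp(deny_env, 1);         /* denied: abort the call, page stays unmapped */
    }
    /* A fault outside the modelled region is a real bug: fall back to the default action. */
    signal(SIGSEGV, SIG_DFL);
}

/* Reserve the region and install the fault handler. Returns 0 on success. */
int sandbox_init(void)
{
    page_size = sysconf(_SC_PAGESIZE);
    region = mmap(NULL, (size_t)NPAGES * page_size, PROT_NONE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) { region = NULL; return -1; }
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

void policy_allow(size_t pg, int yes) { if (pg < NPAGES) allowed[pg] = yes; }
int denied_count(void) { return (int)denied_faults; }

/* A toy "system call handler" that writes one byte into page pg of the region.
 * Returns 1 if the access completed (page already mapped, or faulted in under policy),
 * 0 if the policy denied it or pg is out of range. */
int syscall_touch(size_t pg, unsigned char value)
{
    if (!region || pg >= NPAGES) return 0;
    if (sigsetjmp(deny_env, 1) != 0)
        return 0;                        /* came back here from a denied fault */
    region[pg * page_size] = value;      /* first touch faults; the handler arbitrates */
    return region[pg * page_size] == value;
}

int main(void)
{
    if (sandbox_init() != 0) return 1;
    policy_allow(0, 1);                  /* page 0 may be mapped on demand */
    policy_allow(1, 0);                  /* page 1 stays off-limits */
    printf("page 0: %s\n", syscall_touch(0, 0x5a) ? "ok" : "denied");
    printf("page 1: %s\n", syscall_touch(1, 0x5a) ? "ok" : "denied");
    printf("denied faults: %d\n", denied_count());
    return 0;
}
```

The model keeps the two properties the abstract relies on: an allowed access costs exactly one fault and is then served from the now-mapped page, while a denied access never maps anything and terminates the call. It does not model the real costs of the scheme (switching page tables on entry and exit, TLB flushes, the handler's own stack and text having to be mapped in the restricted table), and in a real kernel the policy check would take the calling context into account rather than only the faulting address. Counting denied faults, as denied_count does, is worth keeping: repeated denials from one process are a useful signal that something is probing memory it should not reach.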
  • Patent number: 10824466
    Abstract: In some examples, a system for container migration can include a processor to detect a remote direct memory access (RDMA) enabled network interface controller that supports an on-demand paging feature within the system and within the target device. The processor can also detect a container to be migrated to the target device, the container comprising one or more processes being executed by the system. Additionally, the processor can implement migration procedures on the system and detect, via a kernel component of an operating system, a process identifier of each of the one or more processes to be migrated, wherein the operating system is stored in memory of the system. Furthermore, the processor can modify the system to transmit page fault data for each of the one or more processes migrated to the target device.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: November 3, 2020
    Assignee: International Business Machines Corporation
    Inventors: Joel Kelly Nider, Michael Rapoport
  • Publication number: 20200097323
    Abstract: In some examples, a system for container migration can include a processor to detect a remote direct memory access (RDMA) enabled network interface controller that supports an on-demand paging feature within the system and within the target device. The processor can also detect a container to be migrated to the target device, the container comprising one or more processes being executed by the system. Additionally, the processor can implement migration procedures on the system and detect, via a kernel component of an operating system, a process identifier of each of the one or more processes to be migrated, wherein the operating system is stored in memory of the system. Furthermore, the processor can modify the system to transmit page fault data for each of the one or more processes migrated to the target device.
    Type: Application
    Filed: September 26, 2018
    Publication date: March 26, 2020
    Inventors: Joel Kelly Nider, Michael Rapoport
  • Patent number: 9946870
    Abstract: A method and apparatus for efficiently executing guest programs in a virtualized computing environment are presented. The method includes executing a virtual machine on a computing hardware; executing a single hypervisor in a first security ring on the virtual machine; executing a single guest program on the virtual machine, wherein the single guest program includes a single kernel being executed in the first security ring and at least one application being executed in a second security ring; and executing at least an instruction issued by the at least one application without trapping the single hypervisor.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: April 17, 2018
    Assignee: Ravello Systems Ltd.
    Inventors: Izik Eidus, Leonid Shatz, Michael Rapoport, Alexander Fishman
  • Publication number: 20160048676
    Abstract: A method and apparatus for efficiently executing guest programs in a virtualized computing environment are presented. The method includes executing a virtual machine on a computing hardware; executing a single hypervisor in a first security ring on the virtual machine; executing a single guest program on the virtual machine, wherein the single guest program includes a single kernel being executed in the first security ring and at least one application being executed in a second security ring; and executing at least an instruction issued by the at least one application without trapping the single hypervisor.
    Type: Application
    Filed: October 26, 2015
    Publication date: February 18, 2016
    Applicant: Ravello Systems Ltd.
    Inventors: Izik Eidus, Leonid Shatz, Michael Rapoport, Alexander Fishman
  • Patent number: 9176763
    Abstract: A method for efficient execution of a guest in a virtualized computing environment is provided. The method comprises causing an execution of at least one virtual machine on a computing hardware, the virtual machine executes a hypervisor in a first security ring; and causing an execution of a single guest program on one of the at least one virtual machines, the single guest program comprises a kernel being executed in the first security ring and at least one application being executed in a second security ring.
    Type: Grant
    Filed: November 26, 2012
    Date of Patent: November 3, 2015
    Assignee: Ravello Systems Ltd.
    Inventors: Izik Eidus, Leonid Shatz, Michael Rapoport, Alexander Fishman
  • Publication number: 20130145363
    Abstract: An apparatus and method of operation in a para-virtualized environment. The method includes executing a first hypervisor on a hardware platform of a computing device; and executing a second hypervisor over the first hypervisor, the second hypervisor is configured to capture at least a privileged instruction called by an unmodified guest program executed over the second hypervisor and cause the first hypervisor to execute an instruction corresponding to the captured privileged instruction, wherein the unmodified guest program and the second hypervisor operate in a user space protection domain, e.g., Ring 3, and the at least privileged instruction should be executed in a kernel space protection domain, e.g., Ring 0.
    Type: Application
    Filed: March 22, 2012
    Publication date: June 6, 2013
    Applicant: Ravello Systems Ltd.
    Inventors: Izik Eidus, Leonid Shatz, Michael Rapoport, Alexander Fishman