One kernel to rule them all : An experimental study inspecting the Meltdown patch effects on the costs of system calls in systemd-nspawn containers

Sammanfattning: Context. The paradigm of virtualization is rapidly changing due to hardware optimization and capabilities, while also due to rapid development and deployment strategies used in the modern day IT industry. Just like the positive changes, negative effects are necessary to occur in order to improve modern day technologies.This final year project takes a look at both the positive and negatives by exploring how containers are relevant to modern day computing and how they are affected by the patch that mitigates the Meltdown CPU vulnerabilities discovered in mid-2017 in terms of performance. Looking at the trade-off between information security and performance by taking an in-depth approach with a take on the core functionalities of the Linux Kernel. This paper succeeded to identify system call costs that between a secure and non-secure Linux kernel in the context of a containerized environment. Objectives. This study examines the effects of the KAISER security patch aimed to mitigate microprocessor vulnerabilities related to Meltdown. The investigated effect is the performance as the cost of system calls under the condition of a non-KAISER and a KAISER enabled Linux kernel. The intent is to increase the transparency of how a major security patch such as KAISER affects the system. Methods. A quantitative experimental study is conducted. One single Debian Stretch node is used with two different treatments. First micro-benchmarks are run without a KAISER enabled kernel which later is compared with a KAISER enabled kernel. The measuring point is the time one single system call takes in a sequence of 1 000 000 system calls. Results. First macro-benchmarks were conducted to see what a performance loss would look like on an application level. This proved to introduce many superfluous factors which made it difficult to use system calls as a measuring point. In the end a comparison between the two kernels was done. This indicated that the cost per system differed roughly 29% in time. Conclusions. The results indicate that a large performance loss is identified. However, this does not indicate that all activities on a computer will suffer from this loss. The performance loss the end-user will experience all depends on the amount of system calls generated from one single set of instructions. The performance loss can be neglected if these instructions generating a low amount of system calls. These results should notbe used as evidence to favor performance over information security in real life applications and implementations but rather as a motivation to meet the two aspects.