Recent advances in virtualization technologies have sparked a renewed interest in the use of kernel and process virtualization as a security mechanism to enforce resource isolation and management. Unfortunately, virtualization solutions incur performance overhead. The magnitude of this overhead is directly proportional to the extent of virtualization they offer: full virtualization incurs an additional indirection layer to interface with the ever-increasing number of hardware devices. In this paper, we propose a hypervisor-assisted, microkernel architecture which aims to provide in-depth resource isolation without the performance penalty of full virtualization. To that end, we extend the hypervisor's capabilities with a lightweight VMM which enforces an “identity context” on all assigned devices for each of the hosted kernels. Furthermore, we separate the control plane from the data plane for all hardware devices using data memory mapping and modifications of the native device drivers to divert cont...