PROTECT: container process isolation using system call interception

Thu Yein Win; Fung Po Tso; Quentin Mair; Huaglory Tianfield

doi:10.1109/ISPAN-FCST-ISCC.2017.24

PROTECT: container process isolation using system call interception

Thu Yein Win, Fung Po Tso, Quentin Mair, Huaglory Tianfield

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

286 Downloads (Pure)

Abstract

Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

Original language	English
Title of host publication	Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017
Publisher	IEEE
Pages	191-196
Number of pages	6
ISBN (Electronic)	9781538608401
ISBN (Print)	9781538608401
DOIs	https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24
Publication status	Published - 30 Nov 2017
Event	The 14th International Symposium on Pervasive Systems, Algorithms, and Networks - Exeter, United Kingdom Duration: 21 Jun 2017 → 23 Jun 2017 http://cse.stfx.ca/~ISPAN2017/

Conference

Conference	The 14th International Symposium on Pervasive Systems, Algorithms, and Networks
Abbreviated title	I-SPAN 2017
Country/Territory	United Kingdom
City	Exeter
Period	21/06/17 → 23/06/17
Internet address	http://cse.stfx.ca/~ISPAN2017/

Keywords

Access control
Virtualization security
Cloud security
System call interception
Container virtualization

ASJC Scopus subject areas

General Computer Science
Electrical and Electronic Engineering
Control and Systems Engineering
Industrial and Manufacturing Engineering

Documents and Links

10.1109/ISPAN-FCST-ISCC.2017.24

Win, T.Y. et al (2017) PROTECT: container process isolation using system call interception
© 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
Author accepted manuscript, 258 KB

Cite this

Win, T. Y., Tso, F. P., Mair, Q., & Tianfield, H. (2017). PROTECT: container process isolation using system call interception. In Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017 (pp. 191-196). IEEE. https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24

Win, Thu Yein ; Tso, Fung Po ; Mair, Quentin et al. / PROTECT: container process isolation using system call interception. Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017. IEEE, 2017. pp. 191-196

@inproceedings{5516f54bfd68423a97ed7ed427436bd5,

title = "PROTECT: container process isolation using system call interception",

abstract = "Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.",

keywords = "Access control, Virtualization security, Cloud security, System call interception, Container virtualization",

author = "Win, {Thu Yein} and Tso, {Fung Po} and Quentin Mair and Huaglory Tianfield",

note = "Acceptance email in SAN AAM: no embargo Not yet online 6-11-17; The 14th International Symposium on Pervasive Systems, Algorithms, and Networks, I-SPAN 2017 ; Conference date: 21-06-2017 Through 23-06-2017",

year = "2017",

month = nov,

day = "30",

doi = "10.1109/ISPAN-FCST-ISCC.2017.24",

language = "English",

isbn = "9781538608401",

pages = "191--196",

booktitle = "Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017",

publisher = "IEEE",

address = "United States",

url = "http://cse.stfx.ca/~ISPAN2017/",

}

Win, TY, Tso, FP, Mair, Q & Tianfield, H 2017, PROTECT: container process isolation using system call interception. in Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017. IEEE, pp. 191-196, The 14th International Symposium on Pervasive Systems, Algorithms, and Networks, Exeter, United Kingdom, 21/06/17. https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24

PROTECT: container process isolation using system call interception. / Win, Thu Yein; Tso, Fung Po; Mair, Quentin et al.
Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017. IEEE, 2017. p. 191-196.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - PROTECT: container process isolation using system call interception

AU - Win, Thu Yein

AU - Tso, Fung Po

AU - Mair, Quentin

AU - Tianfield, Huaglory

N1 - Acceptance email in SAN AAM: no embargo Not yet online 6-11-17

PY - 2017/11/30

Y1 - 2017/11/30

N2 - Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

AB - Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

KW - Access control

KW - Virtualization security

KW - Cloud security

KW - System call interception

KW - Container virtualization

U2 - 10.1109/ISPAN-FCST-ISCC.2017.24

DO - 10.1109/ISPAN-FCST-ISCC.2017.24

M3 - Conference contribution

SN - 9781538608401

SP - 191

EP - 196

BT - Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017

PB - IEEE

T2 - The 14th International Symposium on Pervasive Systems, Algorithms, and Networks

Y2 - 21 June 2017 through 23 June 2017

ER -

Win TY, Tso FP, Mair Q, Tianfield H. PROTECT: container process isolation using system call interception. In Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017. IEEE. 2017. p. 191-196 doi: 10.1109/ISPAN-FCST-ISCC.2017.24

PROTECT: container process isolation using system call interception

Abstract

Conference

Keywords

ASJC Scopus subject areas

Documents and Links

Fingerprint

Cite this