PROTECT: container process isolation using system call interception

Thu Yein Win; Fung Po Tso; Quentin Mair; Huaglory Tianfield

doi:10.1109/ISPAN-FCST-ISCC.2017.24

PROTECT: container process isolation using system call interception

Thu Yein Win, Fung Po Tso, Quentin Mair, Huaglory Tianfield

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

112 Downloads (Pure)

Abstract

Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

Original language	English
Title of host publication	Proceedings of The 14th International Symposium on Pervasive Systems, Algorithms, and Networks (I-SPAN 2017)
Publisher	IEEE
Pages	191-196
Number of pages	6
ISBN (Electronic)	9781538608401
DOIs	https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24
Publication status	Published - 1 Dec 2017

Keywords

virtualization security
cloud security
container virtualization
access control
system call interception

Documents and Links

10.1109/ISPAN-FCST-ISCC.2017.24

Win, T.Y. et al (2017) PROTECT: container process isolation using system call interception
© 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
Accepted author manuscript, 258 KB

Fingerprint Dive into the research topics of 'PROTECT: container process isolation using system call interception'. Together they form a unique fingerprint.

Cite this

Win, T. Y., Tso, F. P., Mair, Q., & Tianfield, H. (2017). PROTECT: container process isolation using system call interception. In Proceedings of The 14th International Symposium on Pervasive Systems, Algorithms, and Networks (I-SPAN 2017) (pp. 191-196). IEEE. https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24

@inproceedings{5516f54bfd68423a97ed7ed427436bd5,

title = "PROTECT: container process isolation using system call interception",

abstract = "Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.",

keywords = "virtualization security, cloud security, container virtualization, access control, system call interception",

author = "Win, {Thu Yein} and Tso, {Fung Po} and Quentin Mair and Huaglory Tianfield",

note = "Acceptance email in SAN AAM: no embargo Not yet online 6-11-17",

year = "2017",

month = dec,

day = "1",

doi = "10.1109/ISPAN-FCST-ISCC.2017.24",

language = "English",

pages = "191--196",

booktitle = "Proceedings of The 14th International Symposium on Pervasive Systems, Algorithms, and Networks (I-SPAN 2017)",

publisher = "IEEE",

}

TY - GEN

T1 - PROTECT: container process isolation using system call interception

AU - Win, Thu Yein

AU - Tso, Fung Po

AU - Mair, Quentin

AU - Tianfield, Huaglory

N1 - Acceptance email in SAN AAM: no embargo Not yet online 6-11-17

PY - 2017/12/1

Y1 - 2017/12/1

N2 - Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

AB - Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

KW - virtualization security

KW - cloud security

KW - container virtualization

KW - access control

KW - system call interception

U2 - 10.1109/ISPAN-FCST-ISCC.2017.24

DO - 10.1109/ISPAN-FCST-ISCC.2017.24

M3 - Conference contribution

SP - 191

EP - 196

BT - Proceedings of The 14th International Symposium on Pervasive Systems, Algorithms, and Networks (I-SPAN 2017)

PB - IEEE

ER -