PROTECT: container process isolation using system call interception

Thu Yein Win, Fung Po Tso, Quentin Mair, Huaglory Tianfield

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    6 Citations (Scopus)
    286 Downloads (Pure)

    Abstract

    Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.
    Original languageEnglish
    Title of host publicationProceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017
    PublisherIEEE
    Pages191-196
    Number of pages6
    ISBN (Electronic)9781538608401
    ISBN (Print)9781538608401
    DOIs
    Publication statusPublished - 30 Nov 2017
    EventThe 14th International Symposium on Pervasive Systems, Algorithms, and Networks - Exeter, United Kingdom
    Duration: 21 Jun 201723 Jun 2017
    http://cse.stfx.ca/~ISPAN2017/

    Conference

    ConferenceThe 14th International Symposium on Pervasive Systems, Algorithms, and Networks
    Abbreviated titleI-SPAN 2017
    Country/TerritoryUnited Kingdom
    CityExeter
    Period21/06/1723/06/17
    Internet address

    Keywords

    • Access control
    • Virtualization security
    • Cloud security
    • System call interception
    • Container virtualization

    ASJC Scopus subject areas

    • General Computer Science
    • Electrical and Electronic Engineering
    • Control and Systems Engineering
    • Industrial and Manufacturing Engineering

    Fingerprint

    Dive into the research topics of 'PROTECT: container process isolation using system call interception'. Together they form a unique fingerprint.

    Cite this