PROTECT: container process isolation using system call interception

Thu Yein Win; Fung Po Tso; Quentin Mair; Huaglory Tianfield

doi:10.1109/ISPAN-FCST-ISCC.2017.24

PROTECT: container process isolation using system call interception

Thu Yein Win, Fung Po Tso, Quentin Mair, Huaglory Tianfield

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

194 Downloads (Pure)

Abstract

Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

Original language	English
Title of host publication	Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017
Publisher	IEEE
Pages	191-196
Number of pages	6
ISBN (Electronic)	9781538608401
ISBN (Print)	9781538608401
DOIs	https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24
Publication status	Published - 1 Dec 2017

Keywords

virtualization security
cloud security
container virtualization
access control
system call interception

Documents and Links

10.1109/ISPAN-FCST-ISCC.2017.24

Win, T.Y. et al (2017) PROTECT: container process isolation using system call interception
© 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other users, including reprinting/ republishing this material for advertising or promotional purposes, creating new collective works for resale or redistribution to servers or lists, or reuse of any copyrighted components of this work in other works.
Author accepted manuscript, 258 KB

Cite this

Win, T. Y., Tso, F. P., Mair, Q., & Tianfield, H. (2017). PROTECT: container process isolation using system call interception. In Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017 (pp. 191-196). IEEE. https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24

Win, Thu Yein ; Tso, Fung Po ; Mair, Quentin et al. / PROTECT: container process isolation using system call interception. Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017. IEEE, 2017. pp. 191-196

@inproceedings{5516f54bfd68423a97ed7ed427436bd5,

title = "PROTECT: container process isolation using system call interception",

abstract = "Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.",

keywords = "virtualization security, cloud security, container virtualization, access control, system call interception",

author = "Win, {Thu Yein} and Tso, {Fung Po} and Quentin Mair and Huaglory Tianfield",

note = "Acceptance email in SAN AAM: no embargo Not yet online 6-11-17",

year = "2017",

month = dec,

day = "1",

doi = "10.1109/ISPAN-FCST-ISCC.2017.24",

language = "English",

isbn = "9781538608401",

pages = "191--196",

booktitle = "Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017",

publisher = "IEEE",

}

Win, TY, Tso, FP, Mair, Q & Tianfield, H 2017, PROTECT: container process isolation using system call interception. in Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017. IEEE, pp. 191-196. https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24

PROTECT: container process isolation using system call interception. / Win, Thu Yein; Tso, Fung Po; Mair, Quentin et al.

Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017. IEEE, 2017. p. 191-196.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - PROTECT: container process isolation using system call interception

AU - Win, Thu Yein

AU - Tso, Fung Po

AU - Mair, Quentin

AU - Tianfield, Huaglory

N1 - Acceptance email in SAN AAM: no embargo Not yet online 6-11-17

PY - 2017/12/1

Y1 - 2017/12/1

N2 - Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

AB - Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.

KW - virtualization security

KW - cloud security

KW - container virtualization

KW - access control

KW - system call interception

U2 - 10.1109/ISPAN-FCST-ISCC.2017.24

DO - 10.1109/ISPAN-FCST-ISCC.2017.24

M3 - Conference contribution

SN - 9781538608401

SP - 191

EP - 196

BT - Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017

PB - IEEE

ER -

Win TY, Tso FP, Mair Q, Tianfield H. PROTECT: container process isolation using system call interception. In Proceedings - 14th International Symposium on Pervasive Systems, Algorithms and Networks, I-SPAN 2017, 11th International Conference on Frontier of Computer Science and Technology, FCST 2017 and 3rd International Symposium of Creative Computing, ISCC 2017. IEEE. 2017. p. 191-196 doi: 10.1109/ISPAN-FCST-ISCC.2017.24

PROTECT: container process isolation using system call interception

Abstract

Keywords

Documents and Links

Fingerprint

Cite this