VCCBox: Practical Confinement of Untrusted Software in Virtual Cloud Computing
作者: Jun Jiang , Meining Nie , Purui Su , Dengguo Feng
DOI: 10.1007/978-3-319-04283-1_8
关键词:
摘要: Recent maturity of virtualization has enabled its wide adoption in cloud environment. However, legacy security issues still exist the and are further enlarged. For instance, execution untrusted software may cause more harm to system security. Though conventional sandboxes can be used constrain destructive program behaviors, they suffer from various deficiencies. In this paper, we propose VCCBox, a practical sandbox that confines applications Leveraging state-of-the-art hardware assisted technology novel design, it is able work effectively efficiently. VCCBox implements call interception access control policy enforcement inside hypervisor create an interface dynamically load policies. The in-VMM design renders our hard bypass easy deploy environment, dynamic loading provides high efficiency. We have implemented proof-of-concept based on Xen evaluation exhibits achieves goal effectiveness
springer.com
core.ac.uk
sci-hub.st 参考文章(25)
Tal Garfinkel, Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools. network and distributed system security symposium. ,(2003)
Niels Provos, Improving host security with system call policies usenix security symposium. pp. 18- 18 ,(2003)
David Lie, Lionel Litty, H. Andrés Lagar-Cavilla, Hypervisor support for identifying covertly executing binaries usenix security symposium. pp. 243- 258 ,(2008)
Tal Garfinkel, Mendel Rosenblum, A Virtual Machine Introspection Based Architecture for Intrusion Detection. network and distributed system security symposium. ,(2003)
P.M. Chen, B.D. Noble, When virtual is better than real [operating system relocation to virtual machines] Proceedings Eighth Workshop on Hot Topics in Operating Systems. pp. 133- 138 ,(2001) , 10.1109/HOTOS.2001.990073
Zhongshu Gu, Zhui Deng, Dongyan Xu, Xuxian Jiang, Process Implanting: A New Active Introspection Framework for Virtualization symposium on reliable distributed systems. pp. 147- 156 ,(2011) , 10.1109/SRDS.2011.26
Arvind Seshadri, Mark Luk, Ning Qu, Adrian Perrig, SecVisor Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles - SOSP '07. ,vol. 41, pp. 335- 350 ,(2007) , 10.1145/1294261.1294294
Sina Bahram, Xuxian Jiang, Zhi Wang, Mike Grace, Jinku Li, Deepa Srinivasan, Junghwan Rhee, Dongyan Xu, DKSM: Subverting Virtual Machine Introspection for Fun and Profit symposium on reliable distributed systems. pp. 82- 91 ,(2010) , 10.1109/SRDS.2010.39
Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T. King, Hai D. Nguyen, MAVMM: Lightweight and Purpose Built VMM for Malware Analysis annual computer security applications conference. pp. 441- 450 ,(2009) , 10.1109/ACSAC.2009.48
Lok-Kwong Yan, Manjukumar Jayachandra, Mu Zhang, Heng Yin, V2E Proceedings of the 8th ACM SIGPLAN/SIGOPS conference on Virtual Execution Environments - VEE '12. ,vol. 47, pp. 227- 238 ,(2012) , 10.1145/2151024.2151053