Loughborough University
Leicestershire, UK
LE11 3TU
+44 (0)1509 263171
Loughborough University

Loughborough University Institutional Repository

Please use this identifier to cite or link to this item: https://dspace.lboro.ac.uk/2134/36917

Title: PROTECT: Container process isolation using system call interception
Authors: Win, Thu Yein
Tso, Fung Po
Mair, Quentin
Tianfield, Huaglory
Keywords: Virtualization security
Cloud security
Container virtualization
Access control
System call interception
Issue Date: 2017
Publisher: © IEEE
Citation: WIN, T.Y. ... et al, 2017. PROTECT: Container process isolation using system call interception. Presented at the 2017 14th International Symposium on Pervasive Systems, Algorithms and Networks & 2017 11th International Conference on Frontier of Computer Science and Technology & 2017 Third International Symposium of Creative Computing (ISPAN-FCST-ISCC), Exeter, UK, 21-23 June 2017, pp.191-196.
Abstract: Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides an efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access into the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation of results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.
Description: © 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Sponsor: The second author would like to acknowledge the support provided to him by the UK Engineering and Physical Sciences Research Council (EPSRC) grants EP/P004407/1 and EP/P004024/1.
Version: Accepted for publication
DOI: 10.1109/ISPAN-FCST-ISCC.2017.24
URI: https://dspace.lboro.ac.uk/2134/36917
Publisher Link: https://doi.org/10.1109/ISPAN-FCST-ISCC.2017.24
ISBN: 9781538608401
Appears in Collections:Conference Papers and Presentations (Computer Science)

Files associated with this item:

File Description SizeFormat
protect.pdfAccepted version261.63 kBAdobe PDFView/Open


SFX Query

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.