2134/36917
Thu Yein Win
Fung Po Tso
Quentin Mair
Huaglory Tianfield
PROTECT: Container process isolation using system call interception
Loughborough University
2019
Virtualization security
Cloud security
Container virtualization
Access control
System call interception
Information and Computing Sciences not elsewhere classified
2019-02-18 13:16:37
Conference contribution
https://repository.lboro.ac.uk/articles/conference_contribution/PROTECT_Container_process_isolation_using_system_call_interception/9405215
Virtualization is the underpinning technology enabling cloud computing service provisioning, and container-based virtualization provides efficient sharing of the underlying host kernel libraries amongst multiple guests. While there has been research on protecting the host against compromise by malicious guests, research on protecting the guests against a compromised host is limited. In this paper, we present an access control solution which prevents the host from gaining access to the guest containers and their data. Using system call interception together with the built-in AppArmor mandatory access control (MAC) approach, the solution protects guest containers from a malicious host attempting to compromise the integrity of data stored therein. Evaluation results have shown that it can effectively prevent hostile access from host to guest containers while ensuring minimal performance overhead.