Running OS Kernel in Separate Domains: A New Architecture for Applications and OS Services Quarantine

Weijuan Zhang, Xiaoqi Jia, Shengzhi Zhang, Rui Wang, Peng Liu

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

1 Scopus citations

Abstract

Container-based PaaS cloud is easy to use and cost-efficient, but vulnerable to attacks due to the weak isolation provided by the built-in containers. In this paper, we present a lightweight virtualization based kernel decomposition approach to securely isolate cloud tenants as well as the operating system (OS) services against various threats. Our design decouples existing OS kernels based on their functionality and isolates different kernel partitions in separate domains. The kernel partition that enables application execution is quarantined in an application domain, while other partitions that offer various services are isolated in separate service domains. The application owned by one tenant can run transparently in a dedicated application domain, with strong isolation from those owned by other tenants. Furthermore, the kernel partition approach effectively defeats the malware that requires support from different kernel services. We have implemented a prototype based on the Linux kernel and the Xen hypervisor. Our evaluation demonstrates that the proposed kernel decomposition approach can defeat various OS kernel-targeted attacks with minimal performance overhead.

Original language: English (US)
Title of host publication: Proceedings - 25th Asia-Pacific Software Engineering Conference, APSEC 2018
Publisher: IEEE Computer Society
Pages: 219-228
Number of pages: 10
ISBN (Electronic): 9781728119700
State: Published - Jul 2 2018
Event: 25th Asia-Pacific Software Engineering Conference, APSEC 2018 - Nara, Japan
Duration: Dec 4 2018 to Dec 7 2018

Publication series

Name: Proceedings - Asia-Pacific Software Engineering Conference, APSEC
Volume: 2018-December
ISSN (Print): 1530-1362

Conference

Conference: 25th Asia-Pacific Software Engineering Conference, APSEC 2018
Country/Territory: Japan
City: Nara
Period: 12/4/18 to 12/7/18

All Science Journal Classification (ASJC) codes

  • Software
