Abstract
The need for flexible, low-overhead virtualization is evident on The need for flexible, low-overhead virtualization is evident on many fronts ranging from high-density cloud servers to mobile devices. During the past decade OS-level virtualization has emerged as a new, efficient approach for virtualization, with implementations in multiple different Unix-based systems. Despite its popularity, there has been no systematic study of OS-level virtualization from the point of view of security. In this paper, we conduct a comparative study of several OSlevel virtualization systems, discuss their security and identify some gaps in current solutions.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
AppArmor project wiki, http://wiki.apparmor.net/index.php/Main_Page
Cellrox project, http://www.cellrox.com/
Cgroups, https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
iCore project page, http://icoresoftware.com/
Linux Containers mailing list, http://lists.linuxfoundation.org/pipermail/containers/2013-September/033466.html
Linux Network Namespaces, http://www.opencloudblog.com/?p=42
Linux Programmer’s Manual page on chroot(2) from 20.9.2010 (release 3.35)
Linux Programmer’s Manual pages (release 3.35)
Linux-VServer project, http://linux-vserver.org
LxC project, http://linuxcontainers.org/
Namespace support for Android binder, http://lwn.net/Articles/577957/
OpenVZ project, http://openvz.org
Sandboxie project page, http://www.sandboxie.com/
Smack project, http://schaufler-ca.com/home
TIPC project, http://tipc.sourceforge.net/
Biederman: Multiple Instances of the Global Linux Namespaces. In: Linux Symposium, pp. 101–112 (2006)
Corbet: Seccomp and sandboxing, http://lwn.net/Articles/332974/
Creasy: The origin of the VM/370 time-sharing system. IBM Journal of Research and Development, 483–490 (1981)
Edge: Another union filesystem approach, https://lwn.net/Articles/403012/
Alpern, et al.: PDS: a virtual execution environment for software deployment. In: VEE, pp. 175–185 (2005)
Andrus, et al.: Cells: a virtual mobile smartphone architecture. In: ACM SOSP, pp. 173–187 (2011)
Asokan, et al.: Security of OS-level virtualization technologies: Technical report, http://arxiv.org/abs/1407.4245
Banga, et al.: Resource containers: A new facility for resource management in server systems. In: OSDI, pp. 45–58 (1999)
Barham, et al.: Xen and the art of virtualization. In: ACM SIGOPS OSR, pp. 164–177 (2003)
Bhattiprolu, et al.: Virtual servers and checkpoint/restart in mainstream Linux. In: ACM SIGOPS OSR, pp. 104–113 (2008)
Chaudhary, et al.: A comparison of virtualization technologies for HPC. In: AINA, pp. 861–868 (2008)
Dodis, et al.: Security analysis of pseudo-random number generators with input:/dev/random is not robust. In: 2013 ACM SIGSAC, pp. 647–658 (2013)
Kamp, et al.: Jails: Confining the omnipotent root. In: SANE, p. 116 (2000)
Kivity, et al.: KVM: the Linux virtual machine monitor. In: Linux Symposium, vol. 1, pp. 225–230 (2007)
Mirkin, et al.: Containers checkpointing and live migration. In: Linux Symposium, pp. 85–92 (2008)
Osman, et al.: The design and implementation of Zap: A system for migrating computing environments. In: ACM SIGOPS OSR, pp. 361–376 (2002)
Padala, et al.: Performance evaluation of virtualization technologies for server consolidation. HP Labs Tec. Report (2007)
Pike, et al.: Plan 9 from Bell Labs. In: UKUUG, pp. 1–9 (1990)
Pike, et al.: The Use of Name Spaces in Plan 9. In: 5th Workshop on ACM SIGOPS European Workshop, pp. 1–5 (1992)
Price, et al.: Solaris Zones: Operating System Support for Consolidating Commercial Workloads. In: LISA, pp. 241–254 (2004)
Regola, et al.: Recommendations for virtualization technologies in high performance computing. In: IEEE CloudCom, pp. 409–416 (2010)
Shim, et al.: Bring Your Own Device (BYOD): Current Status, Issues, and Future Directions (2013)
Smalley, et al.: Implementing SELinux as a Linux security module. NAI Labs Report 1, 43 (2001)
Watson, et al.: Capsicum: Practical Capabilities for UNIX. In: USENIX, pp. 29–46 (2010)
Wessel, S., Stumpf, F., Herdt, I., Eckert, C.: Improving Mobile Device Security with Operating System-Level Virtualization. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IFIP AICT, vol. 405, pp. 148–161. Springer, Heidelberg (2013)
Wright, et al.: Linux security module framework. In: Linux Symposium, pp. 604–617 (2002)
Xavier, et al.: Performance evaluation of container-based virtualization for high performance computing environments. In: PDP, pp. 233–240 (2013)
Yang, et al.: Impacts of Virtualization Technologies on Hadoop. In: ISDEA, pp. 846–849 (2013)
Yu, et al.: A feather-weight virtual machine for windows applications. In: VEE, pp. 24–34 (2006)
The Open Group. The Single UNIX® Specification: Authorized Guide to Version 4 (2010), http://www.unix.org/version4/theguide.html
Kizza: Virtualization Infrastructure and Related Security Issues. In: Guide to Computer Network Security, pp. 447–464 (2013)
Kolyshkin: Virtualization in Linux. White paper, OpenVZ (2006)
Rosenblum: VMware’s Virtual Platform. In: Hot Chips, pp. 185–196 (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Reshetova, E., Karhunen, J., Nyman, T., Asokan, N. (2014). Security of OS-Level Virtualization Technologies. In: Bernsmed, K., Fischer-Hübner, S. (eds) Secure IT Systems. NordSec 2014. Lecture Notes in Computer Science(), vol 8788. Springer, Cham. https://doi.org/10.1007/978-3-319-11599-3_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-11599-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11598-6
Online ISBN: 978-3-319-11599-3
eBook Packages: Computer ScienceComputer Science (R0)