Security of OS-Level Virtualization Technologies

  • Elena Reshetova
  • Janne Karhunen
  • Thomas Nyman
  • N. Asokan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8788)


The need for flexible, low-overhead virtualization is evident on The need for flexible, low-overhead virtualization is evident on many fronts ranging from high-density cloud servers to mobile devices. During the past decade OS-level virtualization has emerged as a new, efficient approach for virtualization, with implementations in multiple different Unix-based systems. Despite its popularity, there has been no systematic study of OS-level virtualization from the point of view of security. In this paper, we conduct a comparative study of several OSlevel virtualization systems, discuss their security and identify some gaps in current solutions.


Virtualization Technology Virtual Device Root Directory Mandatory Access Control Server Consolidation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Cellrox project,
  3. 3.
  4. 4.
    iCore project page,
  5. 5.
  6. 6.
    Linux Network Namespaces,
  7. 7.
    Linux Programmer’s Manual page on chroot(2) from 20.9.2010 (release 3.35)Google Scholar
  8. 8.
    Linux Programmer’s Manual pages (release 3.35)Google Scholar
  9. 9.
    Linux-VServer project,
  10. 10.
  11. 11.
    Namespace support for Android binder,
  12. 12.
    OpenVZ project,
  13. 13.
  14. 14.
    Sandboxie project page,
  15. 15.
  16. 16.
  17. 17.
    Biederman: Multiple Instances of the Global Linux Namespaces. In: Linux Symposium, pp. 101–112 (2006)Google Scholar
  18. 18.
    Corbet: Seccomp and sandboxing,
  19. 19.
    Creasy: The origin of the VM/370 time-sharing system. IBM Journal of Research and Development, 483–490 (1981)Google Scholar
  20. 20.
    Edge: Another union filesystem approach,
  21. 21.
    Alpern, et al.: PDS: a virtual execution environment for software deployment. In: VEE, pp. 175–185 (2005)Google Scholar
  22. 22.
    Andrus, et al.: Cells: a virtual mobile smartphone architecture. In: ACM SOSP, pp. 173–187 (2011)Google Scholar
  23. 23.
    Asokan, et al.: Security of OS-level virtualization technologies: Technical report,
  24. 24.
    Banga, et al.: Resource containers: A new facility for resource management in server systems. In: OSDI, pp. 45–58 (1999)Google Scholar
  25. 25.
    Barham, et al.: Xen and the art of virtualization. In: ACM SIGOPS OSR, pp. 164–177 (2003)Google Scholar
  26. 26.
    Bhattiprolu, et al.: Virtual servers and checkpoint/restart in mainstream Linux. In: ACM SIGOPS OSR, pp. 104–113 (2008)Google Scholar
  27. 27.
    Chaudhary, et al.: A comparison of virtualization technologies for HPC. In: AINA, pp. 861–868 (2008)Google Scholar
  28. 28.
    Dodis, et al.: Security analysis of pseudo-random number generators with input:/dev/random is not robust. In: 2013 ACM SIGSAC, pp. 647–658 (2013)Google Scholar
  29. 29.
    Kamp, et al.: Jails: Confining the omnipotent root. In: SANE, p. 116 (2000)Google Scholar
  30. 30.
    Kivity, et al.: KVM: the Linux virtual machine monitor. In: Linux Symposium, vol. 1, pp. 225–230 (2007)Google Scholar
  31. 31.
    Mirkin, et al.: Containers checkpointing and live migration. In: Linux Symposium, pp. 85–92 (2008)Google Scholar
  32. 32.
    Osman, et al.: The design and implementation of Zap: A system for migrating computing environments. In: ACM SIGOPS OSR, pp. 361–376 (2002)Google Scholar
  33. 33.
    Padala, et al.: Performance evaluation of virtualization technologies for server consolidation. HP Labs Tec. Report (2007)Google Scholar
  34. 34.
    Pike, et al.: Plan 9 from Bell Labs. In: UKUUG, pp. 1–9 (1990)Google Scholar
  35. 35.
    Pike, et al.: The Use of Name Spaces in Plan 9. In: 5th Workshop on ACM SIGOPS European Workshop, pp. 1–5 (1992)Google Scholar
  36. 36.
    Price, et al.: Solaris Zones: Operating System Support for Consolidating Commercial Workloads. In: LISA, pp. 241–254 (2004)Google Scholar
  37. 37.
    Regola, et al.: Recommendations for virtualization technologies in high performance computing. In: IEEE CloudCom, pp. 409–416 (2010)Google Scholar
  38. 38.
    Shim, et al.: Bring Your Own Device (BYOD): Current Status, Issues, and Future Directions (2013)Google Scholar
  39. 39.
    Smalley, et al.: Implementing SELinux as a Linux security module. NAI Labs Report 1, 43 (2001)Google Scholar
  40. 40.
    Watson, et al.: Capsicum: Practical Capabilities for UNIX. In: USENIX, pp. 29–46 (2010)Google Scholar
  41. 41.
    Wessel, S., Stumpf, F., Herdt, I., Eckert, C.: Improving Mobile Device Security with Operating System-Level Virtualization. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IFIP AICT, vol. 405, pp. 148–161. Springer, Heidelberg (2013)Google Scholar
  42. 42.
    Wright, et al.: Linux security module framework. In: Linux Symposium, pp. 604–617 (2002)Google Scholar
  43. 43.
    Xavier, et al.: Performance evaluation of container-based virtualization for high performance computing environments. In: PDP, pp. 233–240 (2013)Google Scholar
  44. 44.
    Yang, et al.: Impacts of Virtualization Technologies on Hadoop. In: ISDEA, pp. 846–849 (2013)Google Scholar
  45. 45.
    Yu, et al.: A feather-weight virtual machine for windows applications. In: VEE, pp. 24–34 (2006)Google Scholar
  46. 46.
    The Open Group. The Single UNIX® Specification: Authorized Guide to Version 4 (2010),
  47. 47.
    Kizza: Virtualization Infrastructure and Related Security Issues. In: Guide to Computer Network Security, pp. 447–464 (2013)Google Scholar
  48. 48.
    Kolyshkin: Virtualization in Linux. White paper, OpenVZ (2006)Google Scholar
  49. 49.
    Rosenblum: VMware’s Virtual Platform. In: Hot Chips, pp. 185–196 (1999)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Elena Reshetova
    • 1
  • Janne Karhunen
    • 2
  • Thomas Nyman
    • 3
  • N. Asokan
    • 4
    • 3
  1. 1.Intel OTCEspooFinland
  2. 2.EricssonTampereFinland
  3. 3.University of HelsinkiHelsinkiFinland
  4. 4.Aalto UniversityEsboFinland

Personalised recommendations