Transitioning Native Application into Virtual Machine by Using Hardware Virtualization Extensions
| Title | Transitioning Native Application into Virtual Machine by Using Hardware Virtualization Extensions |
| Publication Type | Conference Paper |
| Year of Publication | 2016 |
| Authors | Haq, M. S. Ul, Lejian, L., Lerong, M. |
| Conference Name | 2016 International Symposium on Computer, Consumer and Control (IS3C) |
| ISBN Number | 978-1-5090-3071-2 |
| Keywords | code vulnerabilities, composability, confined malicious application, execution overheads, file system access, governance, Government, Hardware, Hardware virtualization, hardware virtualization extensions, isolation, Kernel, kernel operating system, Libraries, Linux, Linux process, Memory management, operating system, operating system kernels, operating system service virtualization, policy, policy-based governance, process maliciousness, process virtual machine, program flow control, pubcrawl, sandbox, Sandboxing, security, system call virtualization, untrusted application behaviour control, untrusted application behaviour monitoring, virtual machine equivalent isolation, virtual machines, Virtual machining, virtualisation, virtualization |
| Abstract | In presence of known and unknown vulnerabilities in code and flow control of programs, virtual machine alike isolation and sandboxing to confine maliciousness of process, by monitoring and controlling the behaviour of untrusted application, is an effective strategy. A confined malicious application cannot effect system resources and other applications running on same operating system. But present techniques used for sandboxing have some drawbacks ranging from scope to methodology. Some of proposed techniques restrict specific aspect of execution e.g. system calls and file system access. In the same way techniques that truly isolate the application by providing separate execution environment either require modification in kernel or full blown operating system. Moreover these do not provide isolation from top to bottom but only virtualize operating system services. In this paper, we propose a design to confine native Linux process in virtual machine equivalent isolation by using hardware virtualization extensions with nominal initialization and acceptable execution overheads. We implemented our prototype called Process Virtual Machine that transition a native process into virtual machine, provides minimal possible execution environment, intercept and virtualize system calls to execute it on host kernel. Experimental results show effectiveness of our proposed technique. |
| URL | https://ieeexplore.ieee.org/document/7545218/ |
| DOI | 10.1109/IS3C.2016.108 |
| Citation Key | haq_transitioning_2016 |
- security
- operating system service virtualization
- Policy
- policy-based governance
- process maliciousness
- process virtual machine
- program flow control
- pubcrawl
- sandbox
- sandboxing
- operating system kernels
- system call virtualization
- untrusted application behaviour control
- untrusted application behaviour monitoring
- virtual machine equivalent isolation
- virtual machines
- Virtual machining
- virtualisation
- Virtualization
- hardware virtualization extensions
- composability
- confined malicious application
- execution overheads
- file system access
- Governance
- Government
- Hardware
- Hardware virtualization
- code vulnerabilities
- isolation
- Kernel
- kernel operating system
- Libraries
- Linux
- Linux process
- Memory management
- operating system