Research Article
VCCBox: Practical Confinement of Untrusted Software in Virtual Cloud Computing
@INPROCEEDINGS{10.1007/978-3-319-04283-1_8, author={Jun Jiang and Meining Nie and Purui Su and Dengguo Feng}, title={VCCBox: Practical Confinement of Untrusted Software in Virtual Cloud Computing}, proceedings={Security and Privacy in Communication Networks. 9th International ICST Conference, SecureComm 2013, Sydney, NSW, Australia, September 25-28, 2013, Revised Selected Papers}, proceedings_a={SECURECOMM}, year={2014}, month={6}, keywords={Sandbox Hypervisor based security Hardware assisted virtualization Cloud computing}, doi={10.1007/978-3-319-04283-1_8} }
- Jun Jiang
Meining Nie
Purui Su
Dengguo Feng
Year: 2014
VCCBox: Practical Confinement of Untrusted Software in Virtual Cloud Computing
SECURECOMM
Springer
DOI: 10.1007/978-3-319-04283-1_8
Abstract
Recent maturity of virtualization has enabled its wide adoption in cloud environment. However, legacy security issues still exist in the cloud and are further enlarged. For instance, the execution of untrusted software may cause more harm to system security. Though conventional can be used to constrain the destructive program behaviors, they suffer from various deficiencies. In this paper, we propose , a practical sandbox that confines untrusted applications in cloud environment. Leveraging the state-of-the-art hardware assisted virtualization technology and novel design, it is able to work effectively and efficiently. VCCBox implements its system call interception and access control policy enforcement inside the hypervisor and create an interface to dynamically load policies. The in-VMM design renders our system hard to bypass and easy to deploy in cloud environment, and dynamic policy loading provides high efficiency. We have implemented a proof-of-concept system based on Xen and the evaluation exhibits that our system achieves the design goal of effectiveness and efficiency.