Security and Privacy in Communication Networks. 9th International ICST Conference, SecureComm 2013, Sydney, NSW, Australia, September 25-28, 2013, Revised Selected Papers

Research Article

VCCBox: Practical Confinement of Untrusted Software in Virtual Cloud Computing

Download81 downloads
  • @INPROCEEDINGS{10.1007/978-3-319-04283-1_8,
        author={Jun Jiang and Meining Nie and Purui Su and Dengguo Feng},
        title={VCCBox: Practical Confinement of Untrusted Software in Virtual Cloud Computing},
        proceedings={Security and Privacy in Communication Networks. 9th International ICST Conference, SecureComm 2013, Sydney, NSW, Australia, September 25-28, 2013, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2014},
        month={6},
        keywords={Sandbox Hypervisor based security Hardware assisted virtualization Cloud computing},
        doi={10.1007/978-3-319-04283-1_8}
    }
    
  • Jun Jiang
    Meining Nie
    Purui Su
    Dengguo Feng
    Year: 2014
    VCCBox: Practical Confinement of Untrusted Software in Virtual Cloud Computing
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-04283-1_8
Jun Jiang1,*, Meining Nie1,*, Purui Su1,*, Dengguo Feng1,*
  • 1: Chinese Academy of Sciences
*Contact email: jiangjun@tca.iscas.ac.cn, niemeining@tca.iscas.ac.cn, supurui@tca.iscas.ac.cn, feng@tca.iscas.ac.cn

Abstract

Recent maturity of virtualization has enabled its wide adoption in cloud environment. However, legacy security issues still exist in the cloud and are further enlarged. For instance, the execution of untrusted software may cause more harm to system security. Though conventional can be used to constrain the destructive program behaviors, they suffer from various deficiencies. In this paper, we propose , a practical sandbox that confines untrusted applications in cloud environment. Leveraging the state-of-the-art hardware assisted virtualization technology and novel design, it is able to work effectively and efficiently. VCCBox implements its system call interception and access control policy enforcement inside the hypervisor and create an interface to dynamically load policies. The in-VMM design renders our system hard to bypass and easy to deploy in cloud environment, and dynamic policy loading provides high efficiency. We have implemented a proof-of-concept system based on Xen and the evaluation exhibits that our system achieves the design goal of effectiveness and efficiency.