ARMlock

Zhou, Yajin; Wang, Xiaoguang; Chen, Yue; Wang, Zhi

doi:10.1145/2660267.2660344

Cited by 48 publications

(6 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hardware-based isolation. Recent work [29], [44], [45], [46], [47], [48], [49] explores new hardware to implement additional isolation for containers. SCONE [44] and ARMlock [47] place the container inside trusted execution domain based on the Intel SGX and ARM TrustZone.…”

Section: Related Workmentioning

confidence: 99%

“…Recent work [29], [44], [45], [46], [47], [48], [49] explores new hardware to implement additional isolation for containers. SCONE [44] and ARMlock [47] place the container inside trusted execution domain based on the Intel SGX and ARM TrustZone. FastPass [48] and Iron [46] further isolate memory management and network stack for containers.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

vKernel: Enhancing Container Isolation via Private Code and Data

Huang,

Wang,

Rao

et al. 2024

IEEE Trans. Comput.

View full text Add to dashboard Cite

Container technology is increasingly adopted in cloud environments. However, the lack of isolation in the shared kernel becomes a significant barrier to the wide adoption of containers. The challenges lie in how to simultaneously attain high performance and isolation. On the one hand, kernel-level isolation mechanisms, such as seccomp, capabilities, and apparmor, achieve good performance without much overhead, but lack the support for per-container customization. On the other hand, user-level and VM-based isolation offer superior security guarantees and allow for customization since a container is assigned a dedicated kernel, however, at the cost of high overhead. We present vKernel, a kernel isolation framework. It maintains a minimal set of code and data that are either sensitive or are prone to interference in a virtual kernel instance (vKI). vKernel relies on inline hooks to intercept and redirect requests sent to the host kernel to a vKI, where container-specific security rules, functions, and data are implemented. Through case studies, we demonstrate that under vKernel user-defined data isolation and kernel customization can be supported with a reasonable engineering effort. An evaluation of vKernel with micro-benchmarks, cloud services, real-world applications show that vKernel achieves good security guarantees, but with much less overhead.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

vKernel: Enhancing Container Isolation via Private Code and Data

Huang,

Wang,

Rao

et al. 2024

IEEE Trans. Comput.

View full text Add to dashboard Cite

show abstract

“…DynaCut also shares the ideas of the principle of least privilege and software fault isolation [8,10,17,56,67]. The principle of least privilege ensures that any entity of a computing system (e.g., a process or a user) has access to only the necessary information for the intended functions [8].…”

Section: Related Workmentioning

confidence: 99%

“…In practice, untrusted components are isolated into fault domains, preventing untrusted code from compromising the trusted computing base (TCB) [56]. Several efforts split complex software systems into multiple reduced-privilege compartments [10,17,67], and isolate different components of the application code [10,41,54,56], untrusted third-party libraries [61,67], or even different OS components [17,59]. DynaCut dynamically updates the visibility of different code features and maintains the minimal code required for running software in a given scenario.…”

Section: Related Workmentioning

confidence: 99%

DynaCut

Mahurkar,

Wang,

Zhang

et al. 2023

Proceedings of the 24th International Middleware Conference on ZZZ

Self Cite

View full text Add to dashboard Cite

Software is becoming increasingly complex and feature-rich, yet only part of any given codebase is frequently used. Existing software customization and debloating approaches target static binaries, focusing on feature discovery, control-flow analysis, and binary rewriting. As a result, the customized program binary has a smaller attack surface as well as less available functionality. This means that once a software's use scenario changes, the customized binary may not be usable.This paper presents DynaCut, for dynamic software code customization. DynaCut can disable "not being used" code features during software runtime and re-enable them when required again. DynaCut works at the binary level; no source code is needed. To achieve its goal, DynaCut includes a dynamic process rewriting technique that seamlessly and transparently updates the image of a running process, with specific code features blocked or re-enabled. To help identify potentially unused code, DynaCut employs an execution trace-based differential analysis to pinpoint the code related to specific software features, which can be dynamically turned on/off based on user configuration. We also develop automatic methods to locate code that is only temporally used (e.g., initialization code), which can be dropped in a timely manner (e.g., after the initialization phase).We prototype DynaCut and evaluate it using 3 widely used server applications and the SPECint2017_speed benchmark suite. The result shows that, compared to existing static binary customization approaches, DynaCut removes an additional 10% of code on average and up to 56% of temporally executed code due to the dynamic code customization. * A. Mahurkar and X. Wang made equal contributions to this work. Most of X. Wang's work was done while he was at Virginia Tech.† Most of H. Zhang's work was done while he was at Georgia Tech.

show abstract

“…Traditionally, hardware memory management units (MMUs) prevent applications from interfering with each other and with core system functions. Software fault-isolation techniques extend the MMU by isolat-ing malicious code and been implemented for x86 and ARM architectures [37,46,47] or require hardware (MMU) support. These approaches require hardware (MMU) support not available on low power processors, and incur significant runtime overhead.…”

Section: Related Workmentioning

confidence: 99%

Amulet

Hester

Peters

Yun

et al. 2016

Proceedings of the 14th ACM Conference on Embedded Network Sensor Systems CD-ROM

View full text Add to dashboard Cite

Wearable technology enables a range of exciting new applications in health, commerce, and beyond. For many important applications, wearables must have battery life measured in weeks or months, not hours and days as in most current devices. Our vision of wearable platforms aims for long battery life but with the flexibility and security to support multiple applications. To achieve long battery life with a workload comprising apps from multiple developers, these platforms must have robust mechanisms for app isolation and developer tools for optimizing resource usage.We introduce the Amulet Platform for constrained wearable devices, which includes an ultra-low-power hardware architecture and a companion software framework, including a highly efficient event-driven programming model, low-power operating system, and developer tools for profiling ultra-lowpower applications at compile time. We present the design and evaluation of our prototype Amulet hardware and software, and show how the framework enables developers to write energy-efficient applications. Our prototype has battery lifetime lasting weeks or even months, depending on the application, and our interactive resource-profiling tool predicts battery lifetime within 6-10% of the measured lifetime.

show abstract

ARMlock

Cited by 48 publications

References 21 publications

vKernel: Enhancing Container Isolation via Private Code and Data

vKernel: Enhancing Container Isolation via Private Code and Data

DynaCut

Amulet

Contact Info

Product

Resources

About