Process-level Isolation using Virtualization

dc.contributor.advisor Peng Ning, Committee Member en_US
dc.contributor.advisor Xuxian Jiang, Committee Member en_US
dc.contributor.advisor Vincent W. Freeh, Committee Chair en_US
dc.contributor.author Thakwani, Ashish en_US
dc.date.accessioned 2010-04-02T18:09:43Z
dc.date.available 2010-04-02T18:09:43Z
dc.date.issued 2010-01-07 en_US
dc.identifier.other etd-12182009-183523 en_US
dc.description.abstract We present dfork, a new abstraction for performance and security isolation of processes. Whereas the normal fork system call provides only a private address space for a child process, dfork leverages virtualization and other techniques to also give the child a separate kernel and file system container. Further, unlike many existing virtualization-based approaches, dfork can be used recursively with no cumulative performance penalty, so an isolated process can itself spawn further isolated subprocesses. In contrast to existing software sandbox approaches, our system does not require an a priori policy in order to provide strong security guarantees. Finally, we show that the dfork approach is hypervisor agnostic: our implementation works under both the bare-metal Xen hypervisor and the OS-hosted VMware Workstation hypervisor. We have implemented the dfork model under Linux in a system we call Isolar. This implementation creates Xen or VMware domains that are NFS booted from a union file system. The end result is an environment that can isolate the effects of malicious activity up to and including a complete takeover of the guest kernel, including kernel-level rootkits. Further, the user may elect to selectively commit changes to the underlying file system, accepting some changes, keeping some isolated, and discarding others entirely. This is especially useful in understanding and reverting changes made by an isolated kernel-level rootkit. This thesis discusses the dfork architecture, provides an example implementation, presents a quantitative analysis of the security and performance isolation provided, and gauges the performance impact of the implementation as a whole. en_US
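The abstract describes three properties of the dfork model that are easy to lose in prose: a child's file-system writes land in a private union layer above the parent's view, dfork nests (a child can dfork again), and the user later accepts, keeps, or discards individual changes. The following is an added in-memory model of those union-file-system semantics, written for this record; it is not code from the Isolar thesis, which uses NFS-booted Xen/VMware domains over a real union file system. The Layer class, the rootkit_scenario() walkthrough, and all file paths and contents are constructed for illustration.

```python
"""In-memory model of dfork-style file-system isolation with selective commit.

Added illustration, not code from the Isolar thesis. Each Layer is one union
layer: reads fall through to the parent (lower) layers, writes stay in this
layer's private upper dict, and commit() moves chosen paths to the parent.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

WHITEOUT = object()  # sentinel: a file deleted in this layer, hiding lower copies


@dataclass
class Layer:
    """One union layer: a lower view (parent) plus this layer's own writes."""
    name: str
    parent: Optional["Layer"] = None
    upper: dict = field(default_factory=dict)  # path -> bytes or WHITEOUT

    def read(self, path: str) -> Optional[bytes]:
        """Union lookup: the nearest layer wins; a whiteout hides lower copies."""
        if path in self.upper:
            value = self.upper[path]
            return None if value is WHITEOUT else value
        return self.parent.read(path) if self.parent else None

    def write(self, path: str, data: bytes) -> None:
        self.upper[path] = data

    def unlink(self, path: str) -> None:
        self.upper[path] = WHITEOUT

    def dfork(self, name: str) -> "Layer":
        """Spawn an isolated child; nothing it writes reaches this layer."""
        return Layer(name, parent=self)

    def changes(self) -> dict:
        """This layer's pending changes relative to its parent."""
        return dict(self.upper)

    def commit(self, accept: set, discard: set) -> dict:
        """Selectively merge: accepted paths move to the parent, discarded
        paths are dropped, and everything else stays isolated here."""
        if self.parent is None:
            raise ValueError("root layer has nothing to commit to")
        for path in accept:
            if path in self.upper:
                self.parent.upper[path] = self.upper.pop(path)
        for path in discard:
            self.upper.pop(path, None)
        return self.changes()


def rootkit_scenario():
    """Constructed walkthrough: an isolated child plants a rootkit, a nested
    child produces a legitimate result, and the user keeps only the result."""
    host = Layer("host")
    host.write("/etc/hosts", b"127.0.0.1 localhost\n")
    host.write("/lib/modules/net.ko", b"legit module")
    host.write("/var/log/auth.log", b"login ok\n")

    sandbox = host.dfork("sandbox")
    # Hypothetical malicious activity inside the isolated child.
    sandbox.write("/lib/modules/rk.ko", b"evil module")
    sandbox.write("/etc/ld.so.preload", b"/lib/rk.so\n")
    sandbox.write("/etc/hosts", b"127.0.0.1 localhost\n192.0.2.1 update.example\n")
    sandbox.unlink("/var/log/auth.log")  # attempted log wipe

    # Recursive dfork: a grandchild sees the sandbox's view, writes its own layer.
    nested = sandbox.dfork("nested")
    nested.write("/tmp/out.txt", b"result")
    nested.commit(accept={"/tmp/out.txt"}, discard=set())

    # User review: accept the result, discard rootkit artefacts and the log
    # wipe, keep the suspicious /etc/hosts edit isolated for later analysis.
    sandbox.commit(
        accept={"/tmp/out.txt"},
        discard={"/lib/modules/rk.ko", "/etc/ld.so.preload", "/var/log/auth.log"},
    )
    return host, sandbox, nested


if __name__ == "__main__":
    h, s, n = rootkit_scenario()
    print("host sees rootkit module:", h.read("/lib/modules/rk.ko") is not None)
    print("host has result:", h.read("/tmp/out.txt"))
    print("still isolated in sandbox:", sorted(s.changes()))
```

The discard step is what makes the rootkit reversible: because the child's kernel and file system changes never touch the host layer until commit, dropping the upper-layer entries is sufficient to undo them, regardless of what the guest kernel did.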
dc.rights I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. en_US
dc.subject Security en_US
dc.subject Rootkit en_US
dc.subject Sandbox en_US
dc.subject Virtualization en_US
dc.title Process-level Isolation using Virtualization en_US
dc.degree.name MS en_US
dc.degree.level thesis en_US
dc.degree.discipline Computer Science en_US

Files in this item: etd.pdf (2.738 MB, PDF)
