Safe and Secure Subprocess Virtualization in Userspace.
dc.contributor.advisor | Dautenhahn, Nathan | en_US |
dc.creator | Im, Bumjin | en_US |
dc.date.accessioned | 2021-08-16T19:30:46Z | en_US |
dc.date.available | 2021-08-16T19:30:46Z | en_US |
dc.date.created | 2021-08 | en_US |
dc.date.issued | 2021-08-13 | en_US |
dc.date.submitted | August 2021 | en_US |
dc.date.updated | 2021-08-16T19:30:46Z | en_US |
dc.description.abstract | Commodity operating systems isolate the application with a process boundary, and all developers develop applications upon this principle. However, applications cannot simply trust process-based isolation. Virtually all applications link at least one dynamic library at runtime, and the libraries share all the resources in the same process boundary. Unfortunately, application developers do not fully understand the libraries they are using, and it could even be infeasible for some complex applications. If a single malicious or buggy library is linked to the application, it can breach the entire application due to its process boundary principle. Since the process-based isolation could continue for some time, it could be harder to achieve the least privilege. We propose a new process model, Endokernel, to resolve this issue. Endokernel contains a monitor inside the standard process in the commodity operating system and provides safe isolation between subprocesses, maintenance, and the secure interactions between subprocesses. Endokernel also proposes an endoprocess virtualization technique. Utilizing endoprocess virtualization could realize a more fine-grained least privilege principle in the commodity computing environment. We develop Intravirt as the prototype of Endokernel. Intravirt realizes the Endokernel model on Intel CPU and Linux by actively utilizing Intel Memory Protection Key (MPK) and Control flow Enforcement Technology (CET) as the core security mechanisms. Since MPK and CET are hardware mechanisms, Intravirt aims at secure and high-performance endoprocess virtualization. We then evaluate the security and the performance of Intravirt by measuring microbenchmarks and the actual applications with several use cases for the secure computing environment. Throughout the research, we verify Endokernel is a feasible, lightweight, applicable, and effective security model. | en_US |
dc.format.mimetype | application/pdf | en_US |
dc.identifier.citation | Im, Bumjin. "Safe and Secure Subprocess Virtualization in Userspace." (2021) Diss., Rice University. https://hdl.handle.net/1911/111201. | en_US |
dc.identifier.uri | https://hdl.handle.net/1911/111201 | en_US |
dc.language.iso | eng | en_US |
dc.rights | Copyright is held by the author, unless otherwise indicated. Permission to reuse, publish, or reproduce the work beyond the bounds of fair use or other exemptions to copyright law must be obtained from the copyright holder. | en_US |
dc.subject | Computer Security | en_US |
dc.subject | Virtualization | en_US |
dc.subject | Operating System | en_US |
dc.subject | Memory Isolation | en_US |
dc.subject | Computer System | en_US |
dc.title | Safe and Secure Subprocess Virtualization in Userspace. | en_US |
dc.type | Thesis | en_US |
dc.type.material | Text | en_US |
thesis.degree.department | Computer Science | en_US |
thesis.degree.discipline | Engineering | en_US |
thesis.degree.grantor | Rice University | en_US |
thesis.degree.level | Doctoral | en_US |
thesis.degree.name | Doctor of Philosophy | en_US |