Analysis of Security in OS-Level Virtualization
- URL: http://arxiv.org/abs/2501.01334v1
- Date: Thu, 02 Jan 2025 16:36:41 GMT
- Title: Analysis of Security in OS-Level Virtualization
- Authors: Krishna Sai Ketha, Guanqun Song, Ting Zhu
- Abstract summary: We will establish the basic concepts of virtualization. We will discuss the container creation life-cycle which helps in forming a container threat model. Finally, we will discuss a case study, which further looks at isolation provided by the containers.
- Score: 4.424739166856966
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Virtualization is a technique that allows multiple instances, typically running different guest operating systems, to run on top of a single physical hardware platform. A hypervisor, a layer of software running on top of the host operating system, typically runs and manages these different guest operating systems. Rather than run different services on different servers for reliability and security reasons, companies started to employ virtualization on their servers to run these services within a single server. This approach proves beneficial to the companies as it provides much better reliability, stronger isolation, improved security and resource utilization compared to running services on multiple servers. Although hypervisor-based virtualization offers better resource utilization and stronger isolation, it also suffers from high overhead, as the host operating system has to maintain different guest operating systems. To tackle this issue, another form of virtualization known as operating system-level virtualization has emerged. This virtualization provides light-weight, minimal and efficient virtualization, as the different instances run on top of the same host operating system, sharing its resources. But because the instances share the same host operating system, the isolation between them is weakened. In this paper, we will first establish the basic concepts of virtualization and point out the differences between hypervisor-based virtualization and operating system-level virtualization. Next, we will discuss the container creation life-cycle, which helps in forming a container threat model for container systems and allows mapping the different potential attack vectors within these systems. Finally, we will discuss a case study, which further looks at the isolation provided by the containers.
Related papers
- Side-Channel Attacks on Open vSwitch [1.1352077875520463]
  The Open vSwitch (OVS) is one of the most popular software-based virtual switches. We present three remote attacks via OVS, breaking the confidentiality in covert environments.
  arXiv Detail & Related papers (2026-01-22T04:12:03Z)
- OS-Symphony: A Holistic Framework for Robust and Generalist Computer-Using Agent [58.07447442040785]
  We introduce OS-Symphony, a holistic framework that comprises an Orchestrator coordinating two key innovations for robust automation. Results demonstrate that OS-Symphony delivers substantial performance gains across varying model scales.
  arXiv Detail & Related papers (2026-01-12T17:55:51Z)
- Goldilocks Isolation: High Performance VMs with Edera [0.0]
  In containerization, multiple applications share the same kernel, reducing the runtime overhead. This has led to a proliferation of container escape attacks in which a kernel exploit lets an attacker escape the isolation of operating system virtualization. We present Edera, an optimized type 1 hypervisor that uses paravirtualization to improve the runtime of containerization.
  arXiv Detail & Related papers (2025-01-08T15:51:02Z)
- Using hypervisors to create a cyber polygon [0.0]
  The article shows the ability of hypervisors to increase the efficiency of hardware resources, create complex virtual environments for detailed modelling of network structures and simulation of real situations in cyberspace.
  arXiv Detail & Related papers (2025-01-03T14:51:06Z)
- Ditto: Elastic Confidential VMs with Secure and Dynamic CPU Scaling [35.971391128345125]
  "Elastic CVM" and the Worker vCPU design pave the way for more flexible and cost-effective confidential computing environments. "Elastic CVM" and the Worker vCPU design not only optimize cloud resource utilization but also pave the way for more flexible and cost-effective confidential computing environments.
  arXiv Detail & Related papers (2024-09-23T20:52:10Z)
- OSWorld: Benchmarking Multimodal Agents for Open-Ended Tasks in Real Computer Environments [87.41051677852231]
  We introduce OSWorld, the first-of-its-kind scalable, real computer environment for multimodal agents. OSWorld can serve as a unified, integrated computer environment for assessing open-ended computer tasks. We create a benchmark of 369 computer tasks involving real web and desktop apps in open domains, OS file I/O, and spanning multiple applications.
  arXiv Detail & Related papers (2024-04-11T17:56:05Z)
- MTS: Bringing Multi-Tenancy to Virtual Networking [13.601341555716232]
  Multi-tenant cloud computing provides great benefits in terms of resource sharing, elastic pricing, and scalability. It also changes the security landscape and introduces the need for strong isolation between the tenants, also inside the network. We present, implement, and evaluate a virtual switch architecture, MTS, which brings secure design best-practice to the context of multi-tenant virtual networking.
  arXiv Detail & Related papers (2024-03-04T09:18:38Z)
- VMamba: Visual State Space Model [98.0517369083152]
  We adapt Mamba, a state-space language model, into VMamba, a vision backbone with linear time complexity. At the core of VMamba is a stack of Visual State-Space (VSS) blocks with the 2D Selective Scan (SS2D) module.
  arXiv Detail & Related papers (2024-01-18T17:55:39Z)
- A Multi-faceted Analysis of the Performance Variability of Virtual Machines [0.3481985817302898]
  Cloud platforms are known to be affected by performance variability, but a better understanding is still required. This paper moves in that direction and presents an in-depth, multi-faceted study on the performance variability of cloud platforms. To the best of our knowledge, this is the widest analysis ever conducted on the topic.
  arXiv Detail & Related papers (2023-09-21T10:25:14Z)
- Generative AI-empowered Effective Physical-Virtual Synchronization in the Vehicular Metaverse [129.8037449161817]
  We propose a generative AI-empowered physical-virtual synchronization framework for the vehicular Metaverse. In virtual-to-physical synchronization, MARs customize diverse and personal AR recommendations via generative AI models based on user preferences.
  arXiv Detail & Related papers (2023-01-18T16:25:42Z)
- A smart resource management mechanism with trust access control for cloud computing environment [3.3504365823045044]
  This article suggests a conceptual framework for a workload management paradigm in cloud settings that is both safe and performance-efficient. A resource management unit is used in this paradigm for energy-efficient virtual machine allocation. A secure virtual machine management unit controls the resource management unit and is created to produce data on unlawful access or intercommunication.
  arXiv Detail & Related papers (2022-12-10T15:00:58Z)
- VMAgent: Scheduling Simulator for Reinforcement Learning [44.026076801936874]
  A novel simulator called VMAgent is introduced to help RL researchers better explore new methods. VMAgent is inspired by practical virtual machine (VM) scheduling tasks. From the VM scheduling perspective, VMAgent also helps to explore better learning-based scheduling solutions.
  arXiv Detail & Related papers (2021-12-09T09:18:38Z)
- Realistic simulation of users for IT systems in cyber ranges [63.20765930558542]
  We instrument each machine by means of an external agent to generate user activity. This agent combines both deterministic and deep learning based methods to adapt to different environments. We also propose conditional text generation models to facilitate the creation of conversations and documents.
  arXiv Detail & Related papers (2021-11-23T10:53:29Z)
- The DigitalTwin from an Artificial Intelligence Perspective [61.83230983253055]
  A common and unique virtual representation used by all services during the whole system life-cycle is needed, i.e. a DigitalTwin. This reference model is verified by using a running example from process industry and by analyzing the work done in recent projects.
  arXiv Detail & Related papers (2020-10-27T15:40:36Z)
- Design And Develop Network Storage Virtualization By Using GNS3 [0.0]
  We have proposed the pool storage method using the RAID-Z file system with a model that provides the duplication-of-site approach, compression blueprint, adequate backup methods, expansion in error-correcting techniques, and a tested procedure on the real-time network location.
  arXiv Detail & Related papers (2020-06-24T22:15:11Z)
This list is automatically generated from the titles and abstracts of the papers in this site.