LISA '07 – Abstract
Pp. 117–130 of the Proceedings
Secure Isolation of Untrusted Legacy Applications
Shaya Potter, Jason Nieh, and Matt Selsky, Columbia University
Abstract
Existing applications often contain security holes that are not
patched until after the system has already been compromised. Even when
software updates are available, applying them often results in system
services being unavailable for some time. This can force
administrators to leave system services in an insecure state for
extended periods. To address these system security issues, we have
developed the PeaPod virtualization layer. The PeaPod virtualization
layer provides a group of processes and associated users with two
virtualization abstractions, pods and peas. A pod provides an isolated
virtualized environment that is decoupled from the underlying
operating system instance. A pea provides an easy-to-use least
privilege model for fine-grained isolation among application
components that need to interact with one another. As a result, the
system easily enables the creation of lightweight environments for
privileged program execution that can help with intrusion prevention
and containment. Our measurements on real world desktop and server
applications demonstrate that the PeaPod virtualization layer imposes
little overhead and enables secure isolation of untrusted
applications.
The Proceedings are published as a collective work, © 2007 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.