We presents dfork, a new abstraction for performance and security isolation of processes. Whereas the normal fork system call provides a private address space for a child process, dfork leverages virtualization and other techniques to also provide a separate kernel and file system container. Further, unlike many existing virtualization-based approaches, dfork can be used recursively with no cumulative performance penalty, so an isolated process can itself spawn further isolated subprocesses. In contrast to existing software sandbox approaches, our system does not require an a priori policy in order to provide strong security guarantees. Finally, we show that the dfork approach is hypervisor agnostic--our implementation works under both the bare-metal Xen hypervisor and the OS-hosted VMware Workstation hypervisor. We have implemented the dfork model under Linux in a system we call Isolar.This implementation creates Xen or VMware domains that are NFS booted from a union file system. The end result is an environment that can isolate the effects of malicious activity up to and including a complete takeover of the guest kernel, including kernel-level rootkits. Further, the user may elect to selectively commit changes to the underlying file system, accepting some changes, keeping some isolated, and discarding others entirely. This is especially useful in understanding and reverting changes made by an isolated kernel-level rootkit. This thesis discusses the dfork architecture, provides an example implementation, presents a quantitative analysis of the security and performance isolation provided, and gauges the performance impact of the implementation as a whole.
PDF
download
878987797
028-85220240
