Cherub: Fine-grained application protection with on-demand virtualization
Authors: Hai Jin, Ge Cheng, Deqing Zou, Xinwen Zhang
Affiliation: 1. Services Computing Technology and System Lab, China; 2. Cluster and Grid Computing Lab, China; 3. School of Computer Science and Technology, China; 4. Huazhong University of Science and Technology, Wuhan, 430074, Hubei, China; 5. Xiangtan University, Xiangtan, Hunan, China; 6. Huawei Research Center, Santa Clara, CA, USA
Abstract: Cherub is an on-demand virtualization mechanism that aims to provide fine-grained application protection in untrusted environments. By leveraging late launch technology, Cherub dynamically inserts a lightweight virtual machine monitor (VMM) under a commodity operating system (OS) when critical pieces of an application's code or data are to be processed. The novel design of Cherub, with a double-shadowed page table, extends VMM-level memory protection to the application level, such that it can isolate selected memory pages of a target process from the rest and from other processes in the same OS environment. With this, Cherub enables fine-grained memory access control and therefore flexible security objectives. Compared to existing approaches, Cherub has the benefits of small code size, low performance overhead, no change to existing applications and commodity OS, and selective protection capability within a single application space. We implement Cherub in Linux, and our analysis and evaluation demonstrate its effectiveness and practicality.
Keywords:
This article is indexed in ScienceDirect and other databases.