Confining Windows inter-process communications for OS-level virtual machine

As OS-level virtualization technology usually imposes little overhead on virtual machine start-up and running, it is an excellent choice for building intrusion/fault tolerant applications that require redundancy and frequent invocation. When developing a Windows OS-level virtual machine, however, one inevitably faces the challenge of confining Windows Inter-Process Communications (IPC). Because IPC on the Windows platform is more complex than on UNIX-style operating systems, and most programs on Windows are not open-source, it is difficult to discover all of the IPCs a program performs and to confine them. In this paper, we propose three general principles for confining IPC on Windows OS and a novel IPC confinement mechanism based on those principles. With this mechanism, for the first time in the literature, we successfully virtualized the RPC System Service (RPCSS) and Internet Information Server (IIS) on the Feather-weight Virtual Machine (FVM). Experimental results demonstrate that multiple IIS web server instances can run simultaneously on a single Windows OS with much less performance overhead than other popular VM technologies, offering a good basis for constructing dependable systems.
