Confine: Automated system call policy generation for container attack surface reduction
S Ghavamnia, T Palit, A Benameur… - … on Research in Attacks …, 2020 - usenix.org
Reducing the attack surface of the OS kernel is a promising defense-in-depth approach for
mitigating the fragile isolation guarantees of container environments. In contrast to …
mitigating the fragile isolation guarantees of container environments. In contrast to …
TRIMMER: application specialization for code debloating
With the proliferation of new hardware architectures and ever-evolving user requirements,
the software stack is becoming increasingly bloated. In practice, only a limited subset of the …
the software stack is becoming increasingly bloated. In practice, only a limited subset of the …
A linux in unikernel clothing
Unikernels leverage library OS architectures to run isolated workloads on the cloud. They
have garnered attention in part due to their promised performance characteristics such as …
have garnered attention in part due to their promised performance characteristics such as …
[PDF][PDF] Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring.
Kurmus et al., Attack Surface Metrics and Automated Kernel Tailoring Page 1 © 2013 IBM
Corporation 1 Anil Kurmus February 25th, 2013 – NDSS'13 Anil Kurmus, Reinhard Tartler …
Corporation 1 Anil Kurmus February 25th, 2013 – NDSS'13 Anil Kurmus, Reinhard Tartler …
Set the configuration for the heart of the os: On the practicality of operating system kernel debloating
This paper presents a study on the practicality of operating system (OS) kernel debloating---
reducing kernel code that is not needed by the target applications---in real-world systems …
reducing kernel code that is not needed by the target applications---in real-world systems …
One profile fits all: Profile-guided linux kernel optimizations for data center applications
M Ugur, C Jiang, A Erf, T Ahmed Khan… - ACM SIGOPS Operating …, 2022 - dl.acm.org
Modern data center applications have multi-megabyte instruc-tion footprints that easily
exhaust on-chip cache structures, which typically have a size of only a couple hundred …
exhaust on-chip cache structures, which typically have a size of only a couple hundred …
Face-change: Application-driven dynamic kernel view switching in a virtual machine
Kernel minimization has already been established as a practical approach to reducing the
trusted computing base. Existing solutions have largely focused on whole-system profiling …
trusted computing base. Existing solutions have largely focused on whole-system profiling …
Quantifiable run-time kernel attack surface reduction
The sheer size of commodity operating system kernels makes them a prime target for local
attackers aiming to escalate privileges. At the same time, as much as 90% of kernel …
attackers aiming to escalate privileges. At the same time, as much as 90% of kernel …
Confine: Fine-grained system call filtering for container attack surface reduction
Reducing the attack surface of the OS kernel is a promising defense-in-depth approach for
mitigating the fragile isolation guarantees of container environments. In contrast to …
mitigating the fragile isolation guarantees of container environments. In contrast to …
Binrec: Attack surface reduction through dynamic binary recovery
Compile-time specialization and feature pruning through static binary rewriting have been
proposed repeatedly as techniques for reducing the attack surface of large programs, and …
proposed repeatedly as techniques for reducing the attack surface of large programs, and …