liu.seSearch for publications in DiVA
Change search
ReferencesLink to record
Permanent link

Direct link
Comparative Study of Containment Strategies in Solaris and Security Enhanced Linux
Linköping University, Department of Computer and Information Science.
Linköping University, Department of Computer and Information Science.
2007 (English)Independent thesis Basic level (professional degree), 10 points / 15 hpStudent thesis
Abstract [en]

To minimize the damage in the event of a security breach it is desirable to limit the privileges of remotely available services to the bare minimum and to isolate the individual services from the rest of the operating system. To achieve this there is a number of different containment strategies and process privilege security models that may be used. Two of these mechanisms are Solaris Containers (a.k.a. Solaris Zones) and Type Enforcement, as implemented in the Fedora distribution of Security Enhanced Linux (SELinux). This thesis compares how these technologies can be used to isolate a single service in the operating system.

As these two technologies differ significantly we have examined how the isolation effect can be achieved in two separate experiments. In the Solaris experiments we show how the footprint of the installed zone can be reduced and how to minimize the runtime overhead associated with the zone. To demonstrate SELinux we create a deliberately flawed network daemon and show how this can be isolated by writing a SELinux policy.

We demonstrate how both technologies can be used to achieve isolation for a single service. Differences between the two technologies become apparent when trying to run multiple instances of the same service where the SELinux implementation suffers from lack of namespace isolation. When using zones the administration work is the same regardless of the services running in the zone whereas SELinux requires a separate policy for each service. If a policy is not available from the operating system vendor the administrator needs to be familiar with the SELinux policy framework and create the policy from scratch. The overhead of the technologies is small and is not a critical factor for the scalability of a system using them.

Place, publisher, year, edition, pages
Institutionen för datavetenskap , 2007. , 96 p.
Keyword [en]
Solaris Zones, Solaris Containers, SELinux, containment strategies, virtualization
National Category
Computer Science
URN: urn:nbn:se:liu:diva-9078ISRN: LITH-IDA-EX-ING--07/004--SEOAI: diva2:23744
Available from: 2007-08-29 Created: 2007-08-29

Open Access in DiVA

fulltext(509 kB)768 downloads
File information
File name FULLTEXT01.pdfFile size 509 kBChecksum SHA-1
Type fulltextMimetype application/pdf

By organisation
Department of Computer and Information Science
Computer Science

Search outside of DiVA

GoogleGoogle Scholar
Total: 768 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

Total: 603 hits
ReferencesLink to record
Permanent link

Direct link