liu.seSearch for publications in DiVA
Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • oxford
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Comparative Study of Containment Strategies in Solaris and Security Enhanced Linux
Linköping University, Department of Computer and Information Science.
Linköping University, Department of Computer and Information Science.
2007 (English)Independent thesis Basic level (professional degree), 10 points / 15 hpStudent thesis
Abstract [en]

To minimize the damage in the event of a security breach it is desirable to limit the privileges of remotely available services to the bare minimum and to isolate the individual services from the rest of the operating system. To achieve this there is a number of different containment strategies and process privilege security models that may be used. Two of these mechanisms are Solaris Containers (a.k.a. Solaris Zones) and Type Enforcement, as implemented in the Fedora distribution of Security Enhanced Linux (SELinux). This thesis compares how these technologies can be used to isolate a single service in the operating system.

As these two technologies differ significantly we have examined how the isolation effect can be achieved in two separate experiments. In the Solaris experiments we show how the footprint of the installed zone can be reduced and how to minimize the runtime overhead associated with the zone. To demonstrate SELinux we create a deliberately flawed network daemon and show how this can be isolated by writing a SELinux policy.

We demonstrate how both technologies can be used to achieve isolation for a single service. Differences between the two technologies become apparent when trying to run multiple instances of the same service where the SELinux implementation suffers from lack of namespace isolation. When using zones the administration work is the same regardless of the services running in the zone whereas SELinux requires a separate policy for each service. If a policy is not available from the operating system vendor the administrator needs to be familiar with the SELinux policy framework and create the policy from scratch. The overhead of the technologies is small and is not a critical factor for the scalability of a system using them.

Place, publisher, year, edition, pages
Institutionen för datavetenskap , 2007. , 96 p.
Keyword [en]
Solaris Zones, Solaris Containers, SELinux, containment strategies, virtualization
National Category
Computer Science
Identifiers
URN: urn:nbn:se:liu:diva-9078ISRN: LITH-IDA-EX-ING--07/004--SEOAI: oai:DiVA.org:liu-9078DiVA: diva2:23744
Presentation
2007-05-22
Uppsok
teknik
Supervisors
Examiners
Available from: 2007-08-29 Created: 2007-08-29

Open Access in DiVA

fulltext(509 kB)803 downloads
File information
File name FULLTEXT01.pdfFile size 509 kBChecksum MD5
da4736d45fa4e907fee76356faef0ada95021606e766432f3a1aa4a974b69e9ca14a19ba
Type fulltextMimetype application/pdf

By organisation
Department of Computer and Information Science
Computer Science

Search outside of DiVA

GoogleGoogle Scholar
Total: 803 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

urn-nbn

Altmetric score

urn-nbn
Total: 634 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • oxford
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf