Sandboxing of biomedical applications in Linux containers based on system call evaluation
Author(s) - Witt Michael, Jansen Christoph, Krefting Dagmar, Streit Achim
Publication year - 2018
Publication title - Concurrency and Computation: Practice and Experience
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.309
H-Index - 67
eISSN - 1532-0634
pISSN - 1532-0626
DOI - 10.1002/cpe.4484
Subject(s) - computer science, container (type theory), virtualization, operating system, code (set theory), set (abstract data type), system call, distributed computing, embedded system, cloud computing, programming language, mechanical engineering, engineering
Summary - Applications for biomedical data processing often integrate external libraries and frameworks for common algorithmic tasks. It typically reduces development time and increases overall code quality. With the introduction of lightweight container‐based virtualization, the bundling of applications and their required dependencies has become feasible, and containers can be transferred and executed in distributed environments. However, the incorporation of unreviewed code poses a security threat as it might contain malicious components. In this paper, measures to minimize risks of untrusted application execution are presented. Based on the system calls issued during sample execution of the application, both the container itself and the container runtime configuration are restricted to the set of actions the application requires. It is shown that the employed security measures are suited to counteract different attacks while application runtime is not affected.