{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,18]],"date-time":"2026-01-18T07:20:20Z","timestamp":1768720820977,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":37,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,3,22]],"date-time":"2021-03-22T00:00:00Z","timestamp":1616371200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100003951","name":"Orange","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100003951","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,3,22]]},"DOI":"10.1145\/3412841.3442037","type":"proceedings-article","created":{"date-parts":[[2021,4,23]],"date-time":"2021-04-23T05:09:16Z","timestamp":1619154556000},"page":"1636-1645","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["SNAPPY"],"prefix":"10.1145","author":[{"given":"Maxime","family":"B\u00e9lair","sequence":"first","affiliation":[{"name":"IMT Atlantique, Caen, France"}]},{"given":"Sylvie","family":"Laniepce","sequence":"additional","affiliation":[{"name":"Orange Labs, Caen, France"}]},{"given":"Jean-Marc","family":"Menaud","sequence":"additional","affiliation":[{"name":"IMT Atlantique, Nantes, France"}]}],"member":"320","published-online":{"date-parts":[[2021,4,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Pratyush Anand. 2017. A presentation of eBPF. https:\/\/opensource.com\/article\/17\/9\/intro-ebpf."},{"key":"e_1_3_2_1_2_1","volume-title":"Paranoid Penguin: An Introduction to Novell AppArmor. Linux J.","author":"Bauer Mick","year":"2006","unstructured":"Mick Bauer. 2006. Paranoid Penguin: An Introduction to Novell AppArmor. Linux J. (2006)."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3339252.3340502"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-01753-7"},{"key":"e_1_3_2_1_5_1","unstructured":"Docker. 2019. Dockerfile reference. docs.docker.com\/engine\/reference\/builder."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"crossref","unstructured":"W. Felter A. Ferreira R. Rajamony et al. 2014. An Updated Performance Comparison of Virtual Machines and Linux Containers. technology (2014).","DOI":"10.1109\/ISPASS.2015.7095802"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3411495.3421358"},{"key":"e_1_3_2_1_8_1","unstructured":"Free Software Foundation. 2019. Chroot man page (2). http:\/\/man7.org\/linux\/man-pages\/man2\/chroot.2.html."},{"key":"e_1_3_2_1_9_1","volume-title":"Containers aka crazy user space fun. In linux.conf.au","author":"Frazelle Jess","year":"2018","unstructured":"Jess Frazelle. 2018. Containers aka crazy user space fun. In linux.conf.au 2018."},{"key":"e_1_3_2_1_10_1","unstructured":"freedesktop.org. 2017. Presentation of Seccomp BPF. https:\/\/dri.freedesktop.org\/docs\/drm\/userspace-api\/seccomp_filter.html."},{"key":"e_1_3_2_1_11_1","unstructured":"Nick Frichette. 2019. PoC for CVE-2019-5736-PoC. https:\/\/github.com\/Frichetten\/CVE-2019-5736-PoC."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCC.2017.4250939"},{"key":"e_1_3_2_1_13_1","unstructured":"Google. 2020. Kubernetes repository. https:\/\/github.com\/kubernetes\/kubernetes."},{"key":"e_1_3_2_1_14_1","volume-title":"QCon London","author":"Graf Thomas","year":"2020","unstructured":"Thomas Graf. 2020. eBPF - Rethinking the Linux Kernel. In QCon London 2020."},{"key":"e_1_3_2_1_15_1","unstructured":"Alexander Holbreich. 2018. Docker components explained. http:\/\/alexander.holbreich.org\/docker-components-explained\/."},{"key":"e_1_3_2_1_16_1","unstructured":"Isovalent Inc. 2020. Cilium GitHub repository. https:\/\/github.com\/cilium\/cilium."},{"key":"e_1_3_2_1_17_1","unstructured":"Open Containers Initiative. 2020. Open Container Initiative Runtime Specification. https:\/\/github.com\/opencontainers\/runtime-spec."},{"key":"e_1_3_2_1_18_1","unstructured":"Open Containers Initiative. 2020. runC GitHub repository. https:\/\/github.com\/opencontainers\/runc."},{"key":"e_1_3_2_1_20_1","unstructured":"Adam Iwaniuk and Borys Pop\u0142awski. 2019. CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host. https:\/\/blog.dragonsector.pl\/2019\/02\/cve-2019-5736-escape-from-docker-and.html."},{"key":"e_1_3_2_1_21_1","volume-title":"Proceeding of the Free and Open Source software Developers' European Meeting (FOSDEM '18).","author":"Johansen Jhon","unstructured":"Jhon Johansen. 2018. Making Linux Security Modules available to Containers: Stacking and Namespacing the LSM. In Proceeding of the Free and Open Source software Developers' European Meeting (FOSDEM '18). Brussels."},{"key":"e_1_3_2_1_22_1","unstructured":"kernel.org. 2020. Linux Virtual Memory Mapping. https:\/\/www.kernel.org\/doc\/Documentation\/x86\/x86_64\/mm.txt."},{"key":"e_1_3_2_1_23_1","unstructured":"Linux Manual. 2020. namespaces - overview of Linux namespaces. https:\/\/www.man7.org\/linux\/man-pages\/man7\/namespaces.7.html."},{"key":"e_1_3_2_1_24_1","volume-title":"USENIX winter","author":"McCanne Steven","unstructured":"Steven McCanne and Van Jacobson. 1993. The BSD Packet Filter: A New Architecture for User-level Packet Capture.. In USENIX winter, Vol. 46."},{"key":"e_1_3_2_1_25_1","volume-title":"Docker: Lightweight Linux Containers for Consistent Development and Deployment. Linux J.","author":"Merkel Dirk","year":"2014","unstructured":"Dirk Merkel. 2014. Docker: Lightweight Linux Containers for Consistent Development and Deployment. Linux J. 2014, 239, Article 2 (March 2014)."},{"key":"e_1_3_2_1_26_1","unstructured":"NIST. 2017. CVE-2017-16995. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-16995."},{"key":"e_1_3_2_1_27_1","unstructured":"NIST. 2019. CVE-2019-5736. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-5736."},{"key":"e_1_3_2_1_28_1","unstructured":"NIST. 2020. CVE-2020-8835. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-8835."},{"key":"e_1_3_2_1_29_1","unstructured":"Claus Pahl Antonio Brogi Jacopo Soldani et al. 2017. Cloud Container Technologies: a State-of-the-Art Review. IEEE Transactions on Cloud Computing (2017)."},{"key":"e_1_3_2_1_30_1","unstructured":"Rusty Russell. 2020. iptables Repository. http:\/\/git.netfilter.org\/iptables\/."},{"key":"e_1_3_2_1_31_1","volume-title":"Proceedings of the 13th Conference on USENIX Security Symposium -","volume":"13","author":"Sailer Reiner","year":"2004","unstructured":"Reiner Sailer, Xiaolan Zhang, Trent Jaeger, et al. 2004. Design and Implementation of a TCG-based Integrity Measurement Architecture. In Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13 (SSYM'04). 16--16."},{"key":"e_1_3_2_1_32_1","unstructured":"Jorge Salamero. 2019. Kubernetes Runtime Security with Falco and Sysdig. https:\/\/www.cncf.io\/wp-content\/uploads\/2019\/12\/Kubernetes-Runtime-Security-with-Falco-and-Sysdig.pdf."},{"key":"e_1_3_2_1_33_1","volume-title":"Free and Open Source Software Developer (FOSDEM '18)","author":"Salaun Micka\u00ebl","year":"2018","unstructured":"Micka\u00ebl Salaun. 2018. File access-control per container with Landlock. In Free and Open Source Software Developer (FOSDEM '18). Brussels."},{"key":"e_1_3_2_1_34_1","unstructured":"Ravi Sandhu. 2013. Access Control Models. profsandhu.com\/cs6393_s13\/L2.pdf."},{"key":"e_1_3_2_1_35_1","unstructured":"Casey Schaufler. 2019. LSM Stacking - What You Can Do Now and What's Next. In Linux Security Summit Europe (LSS'19)."},{"key":"e_1_3_2_1_36_1","volume-title":"Linux Security Summit North America","author":"Singh KP","year":"2019","unstructured":"KP Singh. 2019. Kernel Runtime Security Instrumentation. In Linux Security Summit North America 2019."},{"key":"e_1_3_2_1_38_1","volume-title":"Proceedings of the 27th USENIX Conference on Security Symposium (SEC'18)","author":"Sun Yuqiong","year":"2018","unstructured":"Yuqiong Sun, David Safford, Mimi Zohar, et al. 2018. Security Namespace: Making Linux Security Frameworks Available to Containers. In Proceedings of the 27th USENIX Conference on Security Symposium (SEC'18). 1423--1439."},{"key":"e_1_3_2_1_39_1","volume-title":"Proceedings of the 11th USENIX Security Symposium.","author":"Wright C.","year":"2002","unstructured":"C. Wright, C. Cowan, et al. 2002. Linux Security Modules: General Security Support for the Linux Kernel. In Proceedings of the 11th USENIX Security Symposium."}],"event":{"name":"SAC '21: The 36th ACM\/SIGAPP Symposium on Applied Computing","location":"Virtual Event Republic of Korea","acronym":"SAC '21","sponsor":["SIGAPP ACM Special Interest Group on Applied Computing"]},"container-title":["Proceedings of the 36th Annual ACM Symposium on Applied Computing"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3412841.3442037","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3412841.3442037","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:25Z","timestamp":1750195465000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3412841.3442037"}},"subtitle":["programmable kernel-level policies for containers"],"short-title":[],"issued":{"date-parts":[[2021,3,22]]},"references-count":37,"alternative-id":["10.1145\/3412841.3442037","10.1145\/3412841"],"URL":"https:\/\/doi.org\/10.1145\/3412841.3442037","relation":{},"subject":[],"published":{"date-parts":[[2021,3,22]]},"assertion":[{"value":"2021-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}