{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T08:34:06Z","timestamp":1777106046937,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":70,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,12]],"date-time":"2021-11-12T00:00:00Z","timestamp":1636675200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484744","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"764-778","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":32,"title":["Demons in the Shared Kernel"],"prefix":"10.1145","author":[{"given":"Nanzi","family":"Yang","sequence":"first","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"given":"Wenbo","family":"Shen","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}]},{"given":"Jinku","family":"Li","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"given":"Yutian","family":"Yang","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}]},{"given":"Kangjie","family":"Lu","sequence":"additional","affiliation":[{"name":"University of Minnesota, Twin Cities, Minneapolis, MN, USA"}]},{"given":"Jietao","family":"Xiao","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"given":"Tianyu","family":"Zhou","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}]},{"given":"Chenggang","family":"Qin","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, China"}]},{"given":"Wang","family":"Yu","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, China"}]},{"given":"Jianfeng","family":"Ma","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"given":"Kui","family":"Ren","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"Alibaba. 2020. Alibaba Cloud. https:\/\/us.alibabacloud.com\/."},{"key":"e_1_3_2_2_2_1","unstructured":"Amazon. 2020a. Containers on AWS. https:\/\/aws.amazon.com\/containers."},{"key":"e_1_3_2_2_3_1","unstructured":"Amazon. 2020b. Pod security policy. https:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/pod-security-policy.html."},{"key":"e_1_3_2_2_4_1","volume-title":"12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16)","author":"Arnautov Sergei","year":"2016","unstructured":"Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'keeffe, Mark L Stillwell, et al. 2016. SCONE: Secure linux containers with intel SGX. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). USENIX Association, 689--703."},{"key":"e_1_3_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.5555\/3358807.3358830"},{"key":"e_1_3_2_2_6_1","volume-title":"Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI)","author":"Banga Gaurav","year":"1999","unstructured":"Gaurav Banga, Peter Druschel, and Jeffrey C Mogul. 1999. Resource containers: A new facility for resource management in server systems. In Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI), New Orleans, Louisiana, USA, February 22--25, 1999. USENIX Association, 45--58."},{"key":"e_1_3_2_2_7_1","volume-title":"5th USENIX Symposium on Networked Systems Design & Implementation,NSDI 2008, April 16--18, 2008, San Francisco, CA, USA, Proceedings. USENIX Association, 309--322","author":"Bittau Andrea","year":"2008","unstructured":"Andrea Bittau, Petr Marchenko, Mark Handley, and Brad Karp. 2008. Wedge: Splitting applications into reduced-privilege compartments. In 5th USENIX Symposium on Networked Systems Design & Implementation,NSDI 2008, April 16--18, 2008, San Francisco, CA, USA, Proceedings. USENIX Association, 309--322."},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCWC47524.2020.9031195"},{"key":"e_1_3_2_2_9_1","volume-title":"Analysis of docker security. arXiv preprint arXiv:1501.02967","author":"Bui Thanh","year":"2015","unstructured":"Thanh Bui. 2015. Analysis of docker security. arXiv preprint arXiv:1501.02967 (2015). http:\/\/arxiv.org\/abs\/1501.02967"},{"key":"e_1_3_2_2_10_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Clements Abraham A","year":"2018","unstructured":"Abraham A Clements, Naif Saleh Almakhdhub, Saurabh Bagchi, and Mathias Payer. 2018. ACES: Automatic compartments for embedded systems. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, 65--82."},{"key":"e_1_3_2_2_11_1","unstructured":"Alibaba Cloud. 2020. Pod security policy. https:\/\/www.alibabacloud.com\/help\/doc-detail\/149547.html ."},{"key":"e_1_3_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCC.2016.100"},{"key":"e_1_3_2_2_13_1","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID","author":"DeMarinis Nicholas","year":"2020","unstructured":"Nicholas DeMarinis, Kent Williams-King, Di Jin, Rodrigo Fonseca, and Vasileios P Kemerlis. 2020. Sysfilter: Automated system call filtering for commodity software. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020). USENIX Association, 459--474."},{"key":"e_1_3_2_2_14_1","unstructured":"LTP Developers. 2021. Linux Test Project. https:\/\/linux-test-project.github.io\/."},{"key":"e_1_3_2_2_15_1","unstructured":"Docker. 2020. Seccomp security profiles for Docker. https:\/\/docs.docker.com\/engine\/security\/seccomp\/."},{"key":"e_1_3_2_2_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/LADC.2018.00013"},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISPASS.2015.7095802"},{"key":"e_1_3_2_2_18_1","unstructured":"FreeBSD. 2021. freeBSD handbook. https:\/\/docs.freebsd.org\/en\/books\/handbook\/jails\/."},{"key":"e_1_3_2_2_19_1","unstructured":"Fuchsia. 2020 a. Zircon handles. https:\/\/fuchsia.dev\/fuchsia-src\/concepts\/kernel\/handles."},{"key":"e_1_3_2_2_20_1","unstructured":"Fuchsia. 2020 b. ZX RIGHTS BASIC. https:\/\/fuchsia.dev\/fuchsia-src\/concepts\/kernel\/rights##zx_rights_basic ."},{"key":"e_1_3_2_2_21_1","unstructured":"Peter B Galvin Greg Gagne Abraham Silberschatz et al. 2003. Operating system concepts. John Wiley & Sons."},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2017.49"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354227"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2879605"},{"key":"e_1_3_2_2_25_1","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID","author":"Ghavamnia Seyedhamed","year":"2020","unstructured":"Seyedhamed Ghavamnia, Tapti Palit, Azzedine Benameur, and Michalis Polychronakis. 2020 a. Confine: Automated system call policy generation for container attack surface reduction. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020). USENIX Association, 443--458."},{"key":"e_1_3_2_2_26_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Ghavamnia Seyedhamed","year":"2020","unstructured":"Seyedhamed Ghavamnia, Tapti Palit, Shachee Mishra, and Michalis Polychronakis. 2020 b. Temporal system call specialization for attack surface reduction. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 1749--1766."},{"key":"e_1_3_2_2_27_1","unstructured":"Google. 2020 a. GKE quick start. https:\/\/cloud.google.com\/kubernetes-engine\/docs\/quickstart ."},{"key":"e_1_3_2_2_28_1","unstructured":"Google. 2020 b. google compute engine of Containers. https:\/\/cloud.google.com\/compute\/docs\/containers ."},{"key":"e_1_3_2_2_29_1","unstructured":"Google. 2021. Best practices for operating containers. https:\/\/cloud.google.com\/kubernetes-engine\/docs\/best-practices\/enterprise-multitenancy ."},{"key":"e_1_3_2_2_30_1","volume-title":"Understanding and hardening linux containers. Whitepaper","author":"Grattafiori Aaron","year":"2016","unstructured":"Aaron Grattafiori. 2016. Understanding and hardening linux containers. Whitepaper, NCC Group (2016)."},{"key":"e_1_3_2_2_31_1","unstructured":"2020 The gVisor Authors. 2020. What is gVisor. https:\/\/gvisor.dev\/docs ."},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICACEA.2015.7164727"},{"key":"e_1_3_2_2_33_1","volume-title":"Proceedings of the 2nd International SANE Conference","volume":"43","author":"Kamp Poul-Henning","year":"2000","unstructured":"Poul-Henning Kamp and Robert NM Watson. 2000. Jails: Confining the omnipotent root. In Proceedings of the 2nd International SANE Conference, Vol. 43. 116."},{"key":"e_1_3_2_2_34_1","unstructured":"Linux Kenrnel. 2020. Kernel source - nf-conntrack-core.c. https:\/\/elixir.bootlin.com\/linux\/v5.10\/source\/net\/netfilter\/nf_conntrack_core.c##L1480 ."},{"key":"e_1_3_2_2_35_1","unstructured":"Linux Kernel. 2020. Kernel source - nf-conntrack-standalone.c. https:\/\/elixir.bootlin.com\/linux\/v5.10\/source\/net\/netfilter\/nf_conntrack_standalone.c##L614 ."},{"key":"e_1_3_2_2_36_1","unstructured":"Kubernetes. 2020 a. Kubernetes. https:\/\/kubernetes.io\/."},{"key":"e_1_3_2_2_37_1","unstructured":"Kubernetes. 2020 b. Kubernetes Namespaces. https:\/\/kubernetes.io\/docs\/concepts\/overview\/working-with-objects\/namespaces\/."},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_11"},{"key":"e_1_3_2_2_39_1","unstructured":"GNU C Library. 2021. ulmit source code. https:\/\/sourceware.org\/git\/?p=glibc.git;a=blob_plain;f=sysdeps\/posix\/ulimit.c ."},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274720"},{"key":"e_1_3_2_2_41_1","unstructured":"Linux. 2020. random read kernel function. https:\/\/elixir.bootlin.com\/linux\/v5.3.1\/source\/drivers\/char\/random.c##L1948 ."},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354244"},{"key":"e_1_3_2_2_43_1","unstructured":"Linux man-pages project. 2020 a. capabilities(7) - Linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/capabilities.7.html ."},{"key":"e_1_3_2_2_44_1","unstructured":"Linux man-pages project. 2020 b. cgroups - Linux control groups. http:\/\/man7.org\/linux\/man-pages\/man7\/cgroups.7.html ."},{"key":"e_1_3_2_2_45_1","unstructured":"Linux man-pages project. 2020 c. getrlimit man page. https:\/\/man7.org\/linux\/man-pages\/man2\/getrlimit.2.html ."},{"key":"e_1_3_2_2_46_1","unstructured":"Linux man-pages project. 2020 d. Linux pty. https:\/\/man7.org\/linux\/man-pages\/man7\/pty.7.html ."},{"key":"e_1_3_2_2_47_1","unstructured":"Linux man-pages project. 2020 e. namespace - Linux Namespace. https:\/\/man7.org\/linux\/man-pages\/man7\/namespaces.7.html ."},{"key":"e_1_3_2_2_48_1","unstructured":"Linux man-pages project. 2020 f. PAM limits conf man page. https:\/\/www.man7.org\/linux\/man-pages\/man5\/limits.conf.5.html ."},{"key":"e_1_3_2_2_49_1","unstructured":"Linux man pages project. 2020. sysctl man page. https:\/\/man7.org\/linux\/man-pages\/man8\/sysctl.8.html ."},{"key":"e_1_3_2_2_50_1","unstructured":"Linux man-pages project. 2020. ulimit man page. https:\/\/man7.org\/linux\/man-pages\/man3\/ulimit.3.html ."},{"key":"e_1_3_2_2_51_1","unstructured":"Microsoft. 2020 a. Containers on Azure. https:\/\/azure.microsoft.com\/en-us\/product-categories\/containers\/."},{"key":"e_1_3_2_2_52_1","unstructured":"Microsoft. 2020 b. Security policy on Azure. https:\/\/docs.microsoft.com\/azure\/aks\/developer-best-practices-pod-security ."},{"key":"e_1_3_2_2_53_1","unstructured":"FreeBSD Manual Pages. 2021 a. ezjail man page. https:\/\/www.freebsd.org\/cgi\/man.cgi?query=ezjail ."},{"key":"e_1_3_2_2_54_1","unstructured":"FreeBSD Manual Pages. 2021 b. rctl man page. https:\/\/www.freebsd.org\/cgi\/man.cgi?query=rctl&sektion=8 ."},{"key":"e_1_3_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3428203"},{"key":"e_1_3_2_2_56_1","volume-title":"Operating system concepts","author":"Peterson James L","unstructured":"James L Peterson and Abraham Silberschatz. 1985. Operating system concepts .Addison-Wesley Longman Publishing Co., Inc."},{"key":"e_1_3_2_2_57_1","volume-title":"Multi-tenant Edge Clouds. In 2020 USENIX Annual Technical Conference (USENIX ATC 20)","author":"Ren Yuxin","year":"2020","unstructured":"Yuxin Ren, Guyue Liu, Vlad Nitu, Wenyuan Shao, Riley Kennedy, Gabriel Parmer, Timothy Wood, and Alain Tchana. 2020. Fine-Grained Isolation for Scalable, Dynamic, Multi-tenant Edge Clouds. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). USENIX Association, 927--942."},{"key":"e_1_3_2_2_58_1","volume-title":"2020 USENIX Annual Technical Conference (USENIX ATC 20)","author":"Shillaker Simon","year":"2020","unstructured":"Simon Shillaker and Peter Pietzuch. 2020. Faasm: lightweight isolation for efficient stateful serverless computing. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). USENIX Association, 419--433."},{"key":"e_1_3_2_2_59_1","unstructured":"Solaris. 2020. Solaris Zones. https:\/\/docs.oracle.com\/cd\/E26502_01\/html\/E29024\/toc.html ."},{"key":"e_1_3_2_2_60_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Sun Yuqiong","year":"2018","unstructured":"Yuqiong Sun, David Safford, Mimi Zohar, Dimitrios Pendarakis, Zhongshu Gu, and Trent Jaeger. 2018. Security namespace: making linux security frameworks available to containers. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, 1423--1439."},{"key":"e_1_3_2_2_61_1","unstructured":"Sysdig. 2021. Sysdig Falco. https:\/\/sysdig.com\/opensource\/falco\/."},{"key":"e_1_3_2_2_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/MASCOTS50786.2020.9285946"},{"key":"e_1_3_2_2_63_1","unstructured":"Dmitry V.Levin. 2020. pam model source code. https:\/\/github.com\/linux-pam\/linux-pam\/releases\/tag\/v1.5.1 ."},{"key":"e_1_3_2_2_64_1","unstructured":"Dmitry V.Levin. 2021. setup_limits source code. https:\/\/github.com\/linux-pam\/linux-pam\/blob\/v1.5.1\/modules\/pam_limits\/pam_limits.c##L984 ."},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/MASCOTS50786.2020.9285946"},{"key":"e_1_3_2_2_66_1","unstructured":"Wikipedia. 2020 a. Connection tracking. https:\/\/en.wikipedia.org\/wiki\/Netfilter##Connection_tracking ."},{"key":"e_1_3_2_2_67_1","unstructured":"Wikipedia. 2020 b. OS-level virtualization. https:\/\/en.wikipedia.org\/wiki\/OS-level_virtualization ."},{"key":"e_1_3_2_2_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00017"},{"key":"e_1_3_2_2_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD.2018.00030"},{"key":"e_1_3_2_2_70_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Zhang Tong","year":"2019","unstructured":"Tong Zhang, Wenbo Shen, Dongyoon Lee, Changhee Jung, Ahmed M Azab, and Ruowen Wang. 2019. Pex: A permission check analysis framework for linux kernel. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, 1205--1220."}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484744","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484744","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:49:46Z","timestamp":1763498986000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484744"}},"subtitle":["Abstract Resource Attacks Against OS-level Virtualization"],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":70,"alternative-id":["10.1145\/3460120.3484744","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484744","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}