{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T02:10:50Z","timestamp":1755828650901,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":69,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,3,30]],"date-time":"2025-03-30T00:00:00Z","timestamp":1743292800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,3,30]]},"DOI":"10.1145\/3689031.3717473","type":"proceedings-article","created":{"date-parts":[[2025,3,26]],"date-time":"2025-03-26T06:25:20Z","timestamp":1742970320000},"page":"1229-1245","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["A Hardware-Software Co-Design for Efficient Secure Containers"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2725-8955","authenticated-orcid":false,"given":"Jiacheng","family":"Shi","sequence":"first","affiliation":[{"name":"Institute of Parallel and Distributed Systems, SEIEE, Shanghai Jiao Tong University, Engineering Research Center for Domain-specific Operating Systems, Ministry of Education, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-5904-5115","authenticated-orcid":false,"given":"Yang","family":"Yu","sequence":"additional","affiliation":[{"name":"Institute of Parallel and Distributed Systems, SEIEE, Shanghai Jiao Tong University, Engineering Research Center for Domain-specific Operating Systems, Ministry of Education, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8112-8481","authenticated-orcid":false,"given":"Jinyu","family":"Gu","sequence":"additional","affiliation":[{"name":"Institute of Parallel and Distributed Systems, SEIEE, Shanghai Jiao Tong University, Engineering Research 
Center for Domain-specific Operating Systems, Ministry of Education, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6558-5298","authenticated-orcid":false,"given":"Yubin","family":"Xia","sequence":"additional","affiliation":[{"name":"Institute of Parallel and Distributed Systems, SEIEE, Shanghai Jiao Tong University, Engineering Research Center for Domain-specific Operating Systems, Ministry of Education, China"}]}],"member":"320","published-online":{"date-parts":[[2025,3,30]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Apparmor. https:\/\/apparmor.net."},{"key":"e_1_3_2_1_2_1","unstructured":"capabilities(7) --- linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/capabilities.7.html."},{"key":"e_1_3_2_1_3_1","unstructured":"The container security platform | gvisor. https:\/\/gvisor.dev."},{"key":"e_1_3_2_1_4_1","unstructured":"CVE-2022-0185 in linux kernel can allow container escape in kubernetes. https:\/\/www.aquasec.com\/blog\/cve-2022-0185-linux-kernel-container-escape-in-kubernetes\/."},{"key":"e_1_3_2_1_5_1","unstructured":"db_bench_sqlite3.cc. https:\/\/github.com\/google\/leveldb\/blob\/main\/benchmarks\/db_bench_sqlite3.cc."},{"key":"e_1_3_2_1_6_1","unstructured":"Dirty COW (CVE-2016-5195). https:\/\/dirtycow.ninja."},{"key":"e_1_3_2_1_7_1","unstructured":"The dirty pipe vulnerability. https:\/\/dirtypipe.cm4all.com."},{"key":"e_1_3_2_1_8_1","unstructured":"gem5: The gem5 simulator system. https:\/\/www.gem5.org."},{"key":"e_1_3_2_1_9_1","unstructured":"gvisor - platform guide. https:\/\/gvisor.dev\/docs\/architecture_guide\/platforms\/."},{"key":"e_1_3_2_1_10_1","unstructured":"HPCCHALLENGE - RandomAccess. https:\/\/hpcchallenge.org\/projectsfiles\/hpcc\/RandomAccess.html."},{"key":"e_1_3_2_1_11_1","unstructured":"Hypervisor top level functional specification. https:\/\/learn.microsoft.com\/en-us\/virtualization\/hyper-v-on-windows\/tlfs\/tlfs."},{"key":"e_1_3_2_1_12_1","unstructured":"Indirect branch predictor barrier. 
https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/software-security-guidance\/technical-documentation\/indirect-branch-predictor-barrier.html."},{"key":"e_1_3_2_1_13_1","unstructured":"Indirect branch restricted speculation. https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/software-security-guidance\/technical-documentation\/indirect-branch-restricted-speculation.html."},{"key":"e_1_3_2_1_14_1","unstructured":"Intel 64 and ia-32 architectures software developer manuals. https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/intel-sdm.html."},{"key":"e_1_3_2_1_15_1","unstructured":"Kata containers - open source container runtime software. https:\/\/katacontainers.io."},{"key":"e_1_3_2_1_16_1","unstructured":"Linux kernel vulnerability: Escaping containers by abusing cgroups. https:\/\/www.aquasec.com\/blog\/new-linux-kernel-vulnerability-escaping-containers-by-abusing-cgroups\/."},{"key":"e_1_3_2_1_17_1","unstructured":"Lmbench - tools for performance analysis. https:\/\/lmbench.sourceforge.net."},{"key":"e_1_3_2_1_18_1","unstructured":"memcached - a distributed memory object caching system. https:\/\/memcached.org."},{"key":"e_1_3_2_1_19_1","unstructured":"memtier_benchmark. https:\/\/github.com\/RedisLabs\/memtier_benchmark."},{"key":"e_1_3_2_1_20_1","unstructured":"namespaces(7) --- linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/namespaces.7.html."},{"key":"e_1_3_2_1_21_1","unstructured":"Page table isolation (pti). https:\/\/docs.kernel.org\/next\/x86\/pti.html."},{"key":"e_1_3_2_1_22_1","unstructured":"Quark: A secure container runtime with oci interface. https:\/\/github.com\/QuarkContainer\/Quark."},{"key":"e_1_3_2_1_23_1","unstructured":"Redis - the real-time data platform. https:\/\/redis.io."},{"key":"e_1_3_2_1_24_1","unstructured":"Releasing systrap - a high-performance gvisor platform. 
https:\/\/gvisor.dev\/blog\/2023\/04\/28\/systrap-release\/."},{"key":"e_1_3_2_1_25_1","unstructured":"Retpoline: A branch target injection mitigation. https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/software-security-guidance\/technical-documentation\/retpoline-branch-target-injection-mitigation.html."},{"key":"e_1_3_2_1_26_1","unstructured":"runc. https:\/\/github.com\/opencontainers\/runc."},{"key":"e_1_3_2_1_27_1","unstructured":"seccomp(2) --- linux manual page. https:\/\/man7.org\/linux\/man-pages\/man2\/seccomp.2.html."},{"key":"e_1_3_2_1_28_1","unstructured":"Sqlite home page. https:\/\/www.sqlite.org."},{"key":"e_1_3_2_1_29_1","first-page":"419","volume-title":"17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20)","author":"Agache Alexandru","year":"2020","unstructured":"Alexandru Agache, Marc Brooker, Alexandra Iordache, Anthony Liguori, Rolf Neugebauer, Phil Piwonka, and Diana-Maria Popa. Firecracker: Lightweight virtualization for serverless applications. In 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), pages 419--434, Santa Clara, CA, February 2020. USENIX Association."},{"key":"e_1_3_2_1_30_1","first-page":"101","volume-title":"VEE '20: 16th ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments, virtual event [Lausanne, Switzerland]","author":"Caraza-Harter Tyler","year":"2020","unstructured":"Anjali, Tyler Caraza-Harter, and Michael M. Swift. Blending containers and virtual machines: a study of firecracker and gvisor. In Santosh Nagarakatte, Andrew Baumann, and Baris Kasikci, editors, VEE '20: 16th ACM SIGPLAN\/SIGOPS International Conference on Virtual Execution Environments, virtual event [Lausanne, Switzerland], March 17, 2020, pages 101--113. 
ACM, 2020."},{"key":"e_1_3_2_1_31_1","first-page":"689","volume-title":"Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI'16","author":"Arnautov Sergei","year":"2016","unstructured":"Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'Keeffe, Mark L. Stillwell, David Goltzsche, David Eyers, R\u00fcdiger Kapitza, Peter Pietzuch, and Christof Fetzer. Scone: Secure linux containers with intel sgx. In Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation, OSDI'16, page 689--703, USA, 2016. USENIX Association."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945462"},{"key":"e_1_3_2_1_33_1","first-page":"1139","volume-title":"14th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2020","author":"Behrens Jonathan","year":"2020","unstructured":"Jonathan Behrens, Anton Cao, Cel Skeggs, Adam Belay, M. Frans Kaashoek, and Nickolai Zeldovich. Efficiently mitigating transient execution attacks using the unmapped speculation contract. In 14th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2020, Virtual Event, November 4-6, 2020, pages 1139--1154. USENIX Association, 2020."},{"key":"e_1_3_2_1_34_1","first-page":"423","volume-title":"9th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2010, October 4-6, 2010, Vancouver, BC, Canada, Proceedings","author":"Ben-Yehuda Muli","year":"2010","unstructured":"Muli Ben-Yehuda, Michael D. Day, Zvi Dubitzky, Michael Factor, Nadav Har'El, Abel Gordon, Anthony Liguori, Orit Wasserman, and Ben-Ami Yassour. The turtles project: Design and implementation of nested virtualization. In Remzi H. Arpaci-Dusseau and Brad Chen, editors, 9th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2010, October 4-6, 2010, Vancouver, BC, Canada, Proceedings, pages 423--436. 
USENIX Association, 2010."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.5555\/3691992.3692013"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2694344.2694386"},{"key":"e_1_3_2_1_37_1","first-page":"1","volume-title":"Proceedings of the 50th Annual International Symposium on Computer Architecture, ISCA 2023","author":"Fan Shulin","year":"2023","unstructured":"Shulin Fan, Zhichao Hua, Yubin Xia, Haibo Chen, and Binyu Zang. Isa-grid: Architecture of fine-grained privilege control for instructions and registers. In Yan Solihin and Mark A. Heinrich, editors, Proceedings of the 50th Annual International Symposium on Computer Architecture, ISCA 2023, Orlando, FL, USA, June 17-21, 2023, pages 15:1--15:15. ACM, 2023."},{"key":"e_1_3_2_1_38_1","first-page":"55","volume-title":"21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024","author":"Fried Joshua","year":"2024","unstructured":"Joshua Fried, Gohar Irfan Chaudhry, Enrique Saurez, Esha Choukse, \u00cd\u00f1igo Goiri, Sameh Elnikety, Rodrigo Fonseca, and Adam Belay. Making kernel bypass practical for the cloud with junction. In Laurent Vanbever and Irene Zhang, editors, 21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024, Santa Clara, CA, April 15-17, 2024, pages 55--73. USENIX Association, 2024."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCA.2016.67"},{"key":"e_1_3_2_1_40_1","first-page":"401","volume-title":"2020 USENIX Annual Technical Conference (USENIX ATC 20)","author":"Gu Jinyu","year":"2020","unstructured":"Jinyu Gu, Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, and Haibo Chen. Harmonizing performance and isolation in microkernels with efficient intra-kernel isolation and communication. 
In 2020 USENIX Annual Technical Conference (USENIX ATC 20), pages 401--417, July 2020."},{"key":"e_1_3_2_1_41_1","volume-title":"BULKHEAD: secure, scalable, and efficient kernel compartmentalization with PKS. CoRR, abs\/2409.09606","author":"Guo Yinggang","year":"2024","unstructured":"Yinggang Guo, Zicheng Wang, Weiheng Bai, Qingkai Zeng, and Kangjie Lu. BULKHEAD: secure, scalable, and efficient kernel compartmentalization with PKS. CoRR, abs\/2409.09606, 2024."},{"key":"e_1_3_2_1_42_1","first-page":"489","volume-title":"Proceedings of the 2019 USENIX Annual Technical Conference, USENIX ATC 2019","author":"Hedayati Mohammad","year":"2019","unstructured":"Mohammad Hedayati, Spyridoula Gravani, Ethan Johnson, John Criswell, Michael L. Scott, Kai Shen, and Mike Marty. Hodor: Intraprocess isolation for high-throughput data plane libraries. In Dahlia Malkhi and Dan Tsafrir, editors, Proceedings of the 2019 USENIX Annual Technical Conference, USENIX ATC 2019, Renton, WA, USA, July 10-12, 2019, pages 489--504. USENIX Association, 2019."},{"key":"e_1_3_2_1_43_1","first-page":"683","volume-title":"16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22)","author":"Hof Alexander Van't","year":"2022","unstructured":"Alexander Van't Hof and Jason Nieh. BlackBox: A container security monitor for protecting containers on untrusted operating systems. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22), pages 683--700, Carlsbad, CA, July 2022. USENIX Association."},{"key":"e_1_3_2_1_44_1","volume-title":"Tz-container: protecting container from untrusted OS with ARM trustzone. Sci. China Inf. Sci., 64(9)","author":"Hua Zhichao","year":"2021","unstructured":"Zhichao Hua, Yang Yu, Jinyu Gu, Yubin Xia, Haibo Chen, and Binyu Zang. Tz-container: protecting container from untrusted OS with ARM trustzone. Sci. China Inf. 
Sci., 64(9), 2021."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3600006.3613158"},{"key":"e_1_3_2_1_46_1","article-title":"Enhancing container isolation via private code and data","author":"Huang Hang","year":"2024","unstructured":"Hang Huang, Honglei Wang, Jia Rao, Song Wu, Hao Fan, Chen Yu, Hai Jin, Kun Suo, and Lisong Pan. vkernel: Enhancing container isolation via private code and data. IEEE Transactions on Computers, 2024.","journal-title":"IEEE Transactions on Computers"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447786.3456248"},{"key":"e_1_3_2_1_49_1","first-page":"1","volume-title":"2017 USENIX Annual Technical Conference, USENIX ATC 2017","author":"Li Yiwen","year":"2017","unstructured":"Yiwen Li, Brendan Dolan-Gavitt, Sam Weber, and Justin Cappos. Lock-in-pop: Securing privileged operating system kernels by keeping on the beaten path. In Dilma Da Silva and Bryan Ford, editors, 2017 USENIX Annual Technical Conference, USENIX ATC 2017, Santa Clara, CA, USA, July 12-14, 2017, pages 1--13. USENIX Association, 2017."},{"key":"e_1_3_2_1_50_1","first-page":"53","volume-title":"2022 USENIX Annual Technical Conference, USENIX ATC 2022","author":"Li Zijun","year":"2022","unstructured":"Zijun Li, Jiagan Cheng, Quan Chen, Eryu Guan, Zizheng Bian, Yi Tao, Bin Zha, Qiang Wang, Weidong Han, and Minyi Guo. Rund: A lightweight secure container runtime for high-density deployment and high-concurrency startup in serverless computing. In Jiri Schindler and Noa Zilberman, editors, 2022 USENIX Annual Technical Conference, USENIX ATC 2022, Carlsbad, CA, USA, July 11-13, 2022, pages 53--68. USENIX Association, 2022."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132754"},{"key":"e_1_3_2_1_52_1","first-page":"557","article-title":"Optimizing nested virtualization performance using direct virtual hardware. 
In James R. Larus, Luis Ceze, and Karin Strauss, editors, ASPLOS '20: Architectural Support for Programming Languages and Operating Systems, Lausanne","volume":"16","author":"Lim Jin Tack","year":"2020","unstructured":"Jin Tack Lim and Jason Nieh. Optimizing nested virtualization performance using direct virtual hardware. In James R. Larus, Luis Ceze, and Karin Strauss, editors, ASPLOS '20: Architectural Support for Programming Languages and Operating Systems, Lausanne, Switzerland, March 16-20, 2020, pages 557--574. ACM, 2020.","journal-title":"Switzerland, March"},{"key":"e_1_3_2_1_53_1","first-page":"1963","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022","author":"Lin Zhenpeng","year":"2022","unstructured":"Zhenpeng Lin, Yuhang Wu, and Xinyu Xing. Dirtycred: Escalating privilege in linux kernel. In Heng Yin, Angelos Stavrou, Cas Cremers, and Elaine Shi, editors, Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, CA, USA, November 7-11, 2022, pages 1963--1976. 
ACM, 2022."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/3357033"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3627106.3627113"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132763"},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3381052.3381328"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSC.2011.6138541"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3445814.3446709"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.5555\/1433006.1433008"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3593856.3595894"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304016"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/1272996.1273025"},{"key":"e_1_3_2_1_64_1","first-page":"1221","volume-title":"28th USENIX Security Symposium, USENIX Security 2019","author":"Vahldiek-Oberwagner Anjo","year":"2019","unstructured":"Anjo Vahldiek-Oberwagner, Eslam Elnikety, Nuno O. Duarte, Michael Sammler, Peter Druschel, and Deepak Garg. ERIM: secure, efficient in-process isolation with protection keys (MPK). In Nadia Heninger and Patrick Traynor, editors, 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, 2019, pages 1221--1238. USENIX Association, 2019."},{"key":"e_1_3_2_1_65_1","first-page":"750","volume-title":"Proceedings of the 46th International Symposium on Computer Architecture, ISCA 2019","author":"Vilanova Llu\u00eds","year":"2019","unstructured":"Llu\u00eds Vilanova, Nadav Amit, and Yoav Etsion. Using SMT to accelerate nested virtualization. In Srilatha Bobbie Manne, Hillery C. Hunter, and Erik R. Altman, editors, Proceedings of the 46th International Symposium on Computer Architecture, ISCA 2019, Phoenix, AZ, USA, June 22-26, 2019, pages 750--761. 
ACM, 2019."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3267809.3267845"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41284-4_6"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/3053277.3053279"},{"key":"e_1_3_2_1_69_1","first-page":"287","volume-title":"Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems","volume":"2","author":"Zhang Jiyuan","year":"2024","unstructured":"Jiyuan Zhang, Weiwei Jia, Siyuan Chai, Peizhe Liu, Jongyul Kim, and Tianyin Xu. Direct memory translation for virtualized clouds. In Rajiv Gupta, Nael B. Abu-Ghazaleh, Madan Musuvathi, and Dan Tsafrir, editors, Proceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, ASPLOS 2024, La Jolla, CA, USA, 27 April 2024-1 May 2024, pages 287--304. ACM, 2024."}],"event":{"name":"EuroSys '25: Twentieth European Conference on Computer Systems","sponsor":["SIGOPS ACM Special Interest Group on Operating Systems"],"location":"Rotterdam Netherlands","acronym":"EuroSys '25"},"container-title":["Proceedings of the Twentieth European Conference on Computer 
Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689031.3717473","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3689031.3717473","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,21]],"date-time":"2025-08-21T11:22:35Z","timestamp":1755775355000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3689031.3717473"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,30]]},"references-count":69,"alternative-id":["10.1145\/3689031.3717473","10.1145\/3689031"],"URL":"https:\/\/doi.org\/10.1145\/3689031.3717473","relation":{},"subject":[],"published":{"date-parts":[[2025,3,30]]},"assertion":[{"value":"2025-03-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}