{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T14:30:26Z","timestamp":1774449026982,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":75,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,20]],"date-time":"2024-11-20T00:00:00Z","timestamp":1732060800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,11,20]]},"DOI":"10.1145\/3698038.3698520","type":"proceedings-article","created":{"date-parts":[[2024,11,14]],"date-time":"2024-11-14T06:32:43Z","timestamp":1731565963000},"page":"755-773","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["ConMonitor: Lightweight Container Protection with Virtualization and VM Functions"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-8141-8183","authenticated-orcid":false,"given":"Shaowen","family":"Xu","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, CAS. School of Cyber Security, University of Chinese, Academy of Sciences"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8565-1923","authenticated-orcid":false,"given":"Qihang","family":"Zhou","sequence":"additional","affiliation":[{"name":"Institute of Information, Engineering, CAS"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-3635-7785","authenticated-orcid":false,"given":"Zhicong","family":"Zhang","sequence":"additional","affiliation":[{"name":"Institute of Information, Engineering, CAS. School of Cyber Security, University of Chinese, Academy of Sciences"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8376-3235","authenticated-orcid":false,"given":"Xiaoqi","family":"Jia","sequence":"additional","affiliation":[{"name":"Institute of Information, Engineering, CAS. School of Cyber Security, University of Chinese, Academy of Sciences"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-0356-1482","authenticated-orcid":false,"given":"Donglin","family":"Liu","sequence":"additional","affiliation":[{"name":"Sinochem Energy-Tech Co., Ltd."}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-7493-6462","authenticated-orcid":false,"given":"Heqing","family":"Huang","sequence":"additional","affiliation":[{"name":"Institute of Information, Engineering, CAS"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2783-3232","authenticated-orcid":false,"given":"Haichao","family":"Du","sequence":"additional","affiliation":[{"name":"Institute of Information, Engineering, CAS"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3336-923X","authenticated-orcid":false,"given":"Zhenyu","family":"Song","sequence":"additional","affiliation":[{"name":"Institute of Information, Engineering, CAS"}]}],"member":"320","published-online":{"date-parts":[[2024,11,20]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2024. ab - Apache HTTP server benchmarking tool - Apache HTTP Server Version 2.4. https:\/\/httpd.apache.org\/docs\/2.4\/programs\/ab.html. (Accessed on 10\/26\/2023)."},{"key":"e_1_3_2_1_2_1","unstructured":"2024. akopytov\/sysbench: Scriptable database and system performance benchmark. https:\/\/github.com\/akopytov\/sysbench. (Accessed on 11\/01\/2023)."},{"key":"e_1_3_2_1_3_1","unstructured":"2024. amazon web services - Multiple docker containers in one EC2 instance through AWS ECS - Stack Overflow. https:\/\/reurl.cc\/K32Dke. (Accessed on 10\/24\/2023)."},{"key":"e_1_3_2_1_4_1","unstructured":"2024. AMD Secure Encrypted Virtualization (SEV) | AMD. https:\/\/www.amd.com\/en\/developer\/sev.html. (Accessed on 10\/25\/2023)."},{"key":"e_1_3_2_1_5_1","unstructured":"2024. Bareflank\/hypervisor: lightweight hypervisor SDK written in C++ with support for Windows Linux and UEFI. https:\/\/github.com\/Bareflank\/hypervisor. (Accessed on 04\/15\/2024)."},{"key":"e_1_3_2_1_6_1","unstructured":"2024. CVE - Search Results. https:\/\/cve.mitre.org\/cgi-bin\/cvekey.cgi?keyword=linux+kernel. (Accessed on 10\/27\/2023)."},{"key":"e_1_3_2_1_7_1","unstructured":"2024. elasticsearch - Official Image | Docker Hub. https:\/\/hub.docker.com\/_\/elasticsearch. (Accessed on 06\/18\/2024)."},{"key":"e_1_3_2_1_8_1","unstructured":"2024. GitHub - AlDanial\/cloc: cloc counts blank lines comment lines and physical lines of source code in many programming languages. https:\/\/github.com\/AlDanial\/cloc. (Accessed on 04\/15\/2024)."},{"key":"e_1_3_2_1_9_1","unstructured":"2024. Haproxy - Official Image | Docker Hub. https:\/\/hub.docker.com\/_\/haproxy."},{"key":"e_1_3_2_1_10_1","unstructured":"2024. Heartbleed Bug. https:\/\/heartbleed.com\/. (Accessed on 10\/25\/2023)."},{"key":"e_1_3_2_1_11_1","unstructured":"2024. Httpd - Official Image | Docker Hub. https:\/\/hub.docker.com\/_\/httpd."},{"key":"e_1_3_2_1_12_1","unstructured":"2024. Intel VT-rp - Part 1. remapping attack and HLAT | Satoshi's notes. https:\/\/tandasat.github.io\/blog\/2023\/07\/05\/intel-vt-rp-part-1.html. (Accessed on 11\/23\/2023)."},{"key":"e_1_3_2_1_13_1","unstructured":"2024. Intel\u00ae Software Guard Extensions (Intel\u00ae SGX). https:\/\/www.intel.com\/content\/www\/us\/en\/architecture-and-technology\/software-guard-extensions.html. (Accessed on 10\/25\/2023)."},{"key":"e_1_3_2_1_14_1","unstructured":"2024. ipc_namespaces(7) - Linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/ipc_namespaces.7.html. (Accessed on 07\/09\/2024)."},{"key":"e_1_3_2_1_15_1","unstructured":"2024. Is there a maximum number of containers running on a Docker host? - Stack Overflow. https:\/\/reurl.cc\/x6WX0E. (Accessed on 10\/24\/2023)."},{"key":"e_1_3_2_1_16_1","first-page":"2015","volume":"11889","year":"2024","unstructured":"2024. ISO\/IEC 11889-1:2015 - Information technology --- Trusted platform module library --- Part 1: Architecture. https:\/\/www.iso.org\/standard\/66510.html. (Accessed on 11\/03\/2023).","journal-title":"ISO\/IEC"},{"key":"e_1_3_2_1_17_1","unstructured":"2024. Linux Test Project --- Linux Test Project 1.0 documentation. https:\/\/linux-test-project.readthedocs.io\/en\/latest\/. (Accessed on 04\/16\/2024)."},{"key":"e_1_3_2_1_18_1","unstructured":"2024. logzio\/elasticsearch-stress-test: Stress test tool for Elasticsearch. https:\/\/github.com\/logzio\/elasticsearch-stress-test. (Accessed on 06\/18\/2024)."},{"key":"e_1_3_2_1_19_1","unstructured":"2024. Memcached - Official Image | Docker Hub. https:\/\/hub.docker.com\/_\/memcached."},{"key":"e_1_3_2_1_20_1","unstructured":"2024. mount_namespaces(7) - Linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/mount_namespaces.7.html. (Accessed on 07\/09\/2024)."},{"key":"e_1_3_2_1_21_1","unstructured":"2024. Mysql - Official Image | Docker Hub. https:\/\/hub.docker.com\/_\/mysql."},{"key":"e_1_3_2_1_22_1","unstructured":"2024. The Netperf Homepage. https:\/\/hewlettpackard.github.io\/netperf\/. (Accessed on 04\/16\/2024)."},{"key":"e_1_3_2_1_23_1","unstructured":"2024. nginx - Official Image | Docker Hub. https:\/\/hub.docker.com\/_\/nginx. (Accessed on 06\/18\/2024)."},{"key":"e_1_3_2_1_24_1","unstructured":"2024. postgres - Official Image | Docker Hub. https:\/\/hub.docker.com\/_\/postgres. (Accessed on 06\/18\/2024)."},{"key":"e_1_3_2_1_25_1","unstructured":"2024. RedisLabs\/memtier_benchmark: NoSQL Redis and Memcache traffic generation and benchmarking tool. https:\/\/github.com\/RedisLabs\/memtier_benchmark. (Accessed on 10\/26\/2023)."},{"key":"e_1_3_2_1_26_1","unstructured":"2024. traefik - Official Image | Docker Hub. https:\/\/hub.docker.com\/_\/traefik. (Accessed on 06\/18\/2024)."},{"key":"e_1_3_2_1_27_1","unstructured":"2024. TrustZone for Cortex-A - Arm\u00ae. https:\/\/www.arm.com\/en\/technologies\/trustzone-for-cortex-a. (Accessed on 10\/25\/2023)."},{"key":"e_1_3_2_1_28_1","unstructured":"2024. Ubuntu Manpage: hackbench - scheduler benchmark\/stress test. https:\/\/manpages.ubuntu.com\/manpages\/xenial\/man8\/hackbench.8.html. (Accessed on 06\/18\/2024)."},{"key":"e_1_3_2_1_29_1","volume-title":"12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16)","author":"Arnautov Sergei","year":"2016","unstructured":"Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'keeffe, Mark L Stillwell, et al. 2016. {SCONE}: Secure linux containers with intel {SGX}. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). 689--703."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2799647"},{"key":"e_1_3_2_1_31_1","volume-title":"2005 USENIX Annual Technical Conference (USENIX ATC 05)","author":"Bellard Fabrice","year":"2005","unstructured":"Fabrice Bellard. 2005. QEMU, a Fast and Portable Dynamic Translator. In 2005 USENIX Annual Technical Conference (USENIX ATC 05). USENIX Association, Anaheim, CA. https:\/\/www.usenix.org\/conference\/2005-usenix-annual-technical-conference\/qemu-fast-and-portable-dynamic-translator"},{"key":"e_1_3_2_1_32_1","volume-title":"Trusted Container Extensions for Container-based Confidential Computing. arXiv preprint arXiv:2205.05747","author":"Brasser Ferdinand","year":"2022","unstructured":"Ferdinand Brasser, Patrick Jauernig, Frederik Pustelnik, Ahmad-Reza Sadeghi, and Emmanuel Stapf. 2022. Trusted Container Extensions for Container-based Confidential Computing. arXiv preprint arXiv:2205.05747 (2022)."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2490301.2451145"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/1353535.1346284"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2714576.2714618"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICYCS.2008.535"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354227"},{"key":"e_1_3_2_1_38_1","volume-title":"2022 USENIX Annual Technical Conference (USENIX ATC 22)","author":"Gu Jinyu","year":"2022","unstructured":"Jinyu Gu, Hao Li, Wentai Li, Yubin Xia, and Haibo Chen. 2022. {EPK}: Scalable and Efficient Memory Protection Keys. In 2022 USENIX Annual Technical Conference (USENIX ATC 22). 609--624."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3081333.3081349"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1506409.1506429"},{"key":"e_1_3_2_1_41_1","volume-title":"2019 USENIX Annual Technical Conference (USENIX ATC 19)","author":"Hedayati Mohammad","year":"2019","unstructured":"Mohammad Hedayati, Spyridoula Gravani, Ethan Johnson, John Criswell, Michael L Scott, Kai Shen, and Mike Marty. 2019. Hodor:{Intra-Process} isolation for {High-Throughput} data plane libraries. In 2019 USENIX Annual Technical Conference (USENIX ATC 19). 489--504."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2451116.2451146"},{"key":"e_1_3_2_1_43_1","volume-title":"2018 USENIX Annual Technical Conference (USENIX ATC 18)","author":"Hua Zhichao","year":"2018","unstructured":"Zhichao Hua, Dong Du, Yubin Xia, Haibo Chen, and Binyu Zang. 2018. {EPTI}: Efficient Defence against Meltdown Attack for Unpatched {VMs}. In 2018 USENIX Annual Technical Conference (USENIX ATC 18). 255--266."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11432-019-2707-6"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.2200\/S00126ED1V01Y200808SPT001"},{"key":"e_1_3_2_1_46_1","volume-title":"Proceedings of the Linux symposium","volume":"1","author":"Kivity Avi","year":"2007","unstructured":"Avi Kivity, Yaniv Kamay, Dor Laor, Uri Lublin, and Anthony Liguori. 2007. kvm: the Linux virtual machine monitor. In Proceedings of the Linux symposium, Vol. 1. Dttawa, Dntorio, Canada, 225--230."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3064176.3064217"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2980024.2872372"},{"key":"e_1_3_2_1_49_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Li Shih-Wei","year":"2019","unstructured":"Shih-Wei Li, John S Koh, and Jason Nieh. 2019. Protecting cloud virtual machines from hypervisor and host operating system exploits. In 28th USENIX Security Symposium (USENIX Security 19). 1357--1374."},{"key":"e_1_3_2_1_50_1","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Li Shih-Wei","year":"2019","unstructured":"Shih-Wei Li, John S Koh, and Jason Nieh. 2019. Protecting cloud virtual machines from hypervisor and host operating system exploits. In 28th USENIX Security Symposium (USENIX Security 19). 1357--1374."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/2749469.2750406"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3477113.3487275"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2022.3200206"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813690"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.17"},{"key":"e_1_3_2_1_56_1","unstructured":"Larry W McVoy Carl Staelin et al. 1996. lmbench: Portable Tools for Performance Analysis.. In USENIX annual technical conference. San Diego CA USA 279--294."},{"key":"e_1_3_2_1_57_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Mi Zeyu","year":"2020","unstructured":"Zeyu Mi, Dingji Li, Haibo Chen, Binyu Zang, and Haibing Guan. 2020. (Mostly) Exitless {VM} Protection from Untrusted Hypervisor through Disaggregated Nested Virtualization. In 29th USENIX Security Symposium (USENIX Security 20). 1695--1712."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3302424.3303946"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2023.3251385"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2023.3251385"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3381052.3381328"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00041"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/2133375.2133377"},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/357401.357402"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378469"},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23500"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/1755913.1755935"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/IWQoS49365.2020.9213020"},{"key":"e_1_3_2_1_69_1","volume-title":"2017 USENIX Annual Technical Conference (USENIX ATC 17)","author":"Tsai Chia-Che","year":"2017","unstructured":"Chia-Che Tsai, Donald E Porter, and Mona Vij. 2017. {Graphene-SGX}: A Practical Library {OS} for Unmodified Applications on {SGX}. In 2017 USENIX Annual Technical Conference (USENIX ATC 17). 645--658."},{"key":"e_1_3_2_1_70_1","volume-title":"16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22)","author":"Hof Alexander Van't","year":"2022","unstructured":"Alexander Van't Hof and Jason Nieh. 2022. {BlackBox}: a container security monitor for protecting containers on untrusted operating systems. In 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI 22). 683--700."},{"key":"e_1_3_2_1_71_1","unstructured":"Richard Wilkins and Brian Richardson. 2013. UEFI secure boot in modern computer security solutions. In UEFI forum. 1--10."},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833726"},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484744"},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/3582016.3582042"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134043"}],"event":{"name":"SoCC '24: ACM Symposium on Cloud Computing","location":"Redmond WA USA","acronym":"SoCC '24","sponsor":["SIGMOD ACM Special Interest Group on Management of Data","SIGOPS ACM Special Interest Group on Operating Systems"]},"container-title":["Proceedings of the ACM Symposium on Cloud Computing"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3698038.3698520","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3698038.3698520","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T18:58:32Z","timestamp":1755889112000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3698038.3698520"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,20]]},"references-count":75,"alternative-id":["10.1145\/3698038.3698520","10.1145\/3698038"],"URL":"https:\/\/doi.org\/10.1145\/3698038.3698520","relation":{},"subject":[],"published":{"date-parts":[[2024,11,20]]},"assertion":[{"value":"2024-11-20","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}