{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T10:10:36Z","timestamp":1775815836600,"version":"3.50.1"},"reference-count":70,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2025,5,27]],"date-time":"2025-05-27T00:00:00Z","timestamp":1748304000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Meas. Anal. Comput. Syst."],"published-print":{"date-parts":[[2025,5,27]]},"abstract":"<jats:p>\n            Container technology, characterized by its convenience in deployment and exceptional performance, has emerged as a dominant force in the realm of cloud computing. However, the shared kernel among different containers and the common practice of running multiple applications within a single container pose threats to user data from malicious co-resident containers or other malicious programs within the same container. To address this problem, we introduce a novel container architecture design -\n            <jats:italic toggle=\"yes\">UniContainer.<\/jats:italic>\n            <jats:italic toggle=\"yes\">UniContainer<\/jats:italic>\n            partitions original containers, allowing each component to run within an independent customized Unikernel, thereby enhancing isolation both between containers and within containers. We implement a prototype of\n            <jats:italic toggle=\"yes\">UniContainer<\/jats:italic>\n            based on Unikraft, enabling automated analysis of target container system call logs and configuration of optimal Unikraft images, while preserving the convenience of container technology deployment. Through experimental evaluation, we validate the effectiveness and performance of\n            <jats:italic toggle=\"yes\">UniContainer,<\/jats:italic>\n            maximizing the outstanding performance benefits of container technology.\n          <\/jats:p>","DOI":"10.1145\/3727134","type":"journal-article","created":{"date-parts":[[2025,6,4]],"date-time":"2025-06-04T09:43:35Z","timestamp":1749030215000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["UniContainer: Unlocking the Potential of Unikernel for Secure and Efficient Containerization"],"prefix":"10.1145","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-3635-7785","authenticated-orcid":false,"given":"Zhicong","family":"Zhang","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8565-1923","authenticated-orcid":false,"given":"Qihang","family":"Zhou","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-8141-8183","authenticated-orcid":false,"given":"Shaowen","family":"Xu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-2547-3667","authenticated-orcid":false,"given":"Nan","family":"Jiang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9858-3587","authenticated-orcid":false,"given":"Weijuan","family":"Zhang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8376-3235","authenticated-orcid":false,"given":"Xiaoqi","family":"Jia","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China and School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2025,6,3]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Application container market size & share analysis - growth trends & forecasts (2023 - 2028). https:\/\/www.mordorintelligence.com\/industry-reports\/application-container-market."},{"key":"e_1_2_1_2_1","unstructured":"Application container market size growth trends analysis 2024--2028. https:\/\/www.technavio.com\/report\/application-container-market-analysis."},{"key":"e_1_2_1_3_1","unstructured":"bitnami\/memcached - docker image | docker hub. https:\/\/hub.docker.com\/r\/bitnami\/memcached."},{"key":"e_1_2_1_4_1","unstructured":"busybox - docker image | docker hub. https:\/\/hub.docker.com\/_\/busybox."},{"key":"e_1_2_1_5_1","unstructured":"capabilities(7) - linux manual page. https:\/\/www.man7.org\/linux\/man-pages\/man7\/capabilities.7.html."},{"key":"e_1_2_1_6_1","unstructured":"cgroups(7) - linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/cgroups.7.html."},{"key":"e_1_2_1_7_1","unstructured":"clone(2) - linux manual page. https:\/\/man7.org\/linux\/man-pages\/man2\/clone.2.html."},{"key":"e_1_2_1_8_1","volume-title":"size and industry growth analysis 2021 -","author":"Cloud","year":"2026","unstructured":"Cloud computing market share, size and industry growth analysis 2021 - 2026. https:\/\/www.industryarc.com\/Report\/19533\/cloud-computing-market.html."},{"key":"e_1_2_1_9_1","unstructured":"The container security platform | gvisor. https:\/\/gvisor.dev."},{"key":"e_1_2_1_10_1","unstructured":"Docker hub. https:\/\/hub.docker.com\/."},{"key":"e_1_2_1_11_1","unstructured":"execve(2) - linux manual page. https:\/\/www.man7.org\/linux\/man-pages\/man2\/execve.2.html."},{"key":"e_1_2_1_12_1","unstructured":"Ffmpeg. https:\/\/ffmpeg.org\/."},{"key":"e_1_2_1_13_1","doi-asserted-by":"crossref","unstructured":"Global application container market (2021 to 2026) - growth trends covid-19 impact and forecasts. https:\/\/www.globenewswire.com\/news-release\/2021\/02\/18\/2178094\/0\/en\/Global-Application-Container-Market-2021-to-2026-Growth-Trends-COVID-19-Impact-and-Forecasts.html.","DOI":"10.1016\/j.focat.2021.08.004"},{"key":"e_1_2_1_14_1","unstructured":"The global cloud computing market size is expected to grow from usd 445.3 billion in 2021 to usd 947.3 billion by 2026 at a compound annual growth rate (cagr) of 16.3%. https:\/\/www.globenewswire.com\/news-release\/2021\/11\/05\/2328288\/0\/en\/The-global-cloud-computing-market-size-is-expected-to-grow-from-USD-445--3-billion-in-2021-to-USD-947--3-billion-by-2026-at-a-Compound-Annual-Growth-Rate-CAGR-of-16--3.html."},{"key":"e_1_2_1_15_1","unstructured":"hellyna\/tar - docker image | docker hub. https:\/\/hub.docker.com\/r\/hellyna\/tar."},{"key":"e_1_2_1_16_1","unstructured":"jitesoft\/sqlite - docker image | docker hub. https:\/\/hub.docker.com\/r\/jitesoft\/sqlite."},{"key":"e_1_2_1_17_1","unstructured":"leplusorg\/hash - docker image | docker hub. https:\/\/hub.docker.com\/r\/leplusorg\/hash."},{"key":"e_1_2_1_18_1","unstructured":"namespaces(7) - linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/namespaces.7.html."},{"key":"e_1_2_1_19_1","unstructured":"nginx - docker image | docker hub. https:\/\/hub.docker.com\/_\/nginx."},{"key":"e_1_2_1_20_1","unstructured":"Nvd - cve-2022-0185. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-0185."},{"key":"e_1_2_1_21_1","unstructured":"Nvd - cve-2022-0492. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-0492."},{"key":"e_1_2_1_22_1","unstructured":"Nvd - cve-2022-0847. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-0847."},{"key":"e_1_2_1_23_1","unstructured":"Qemu. https:\/\/www.qemu.org\/."},{"key":"e_1_2_1_24_1","unstructured":"redis - docker image | docker hub. https:\/\/hub.docker.com\/_\/redis."},{"key":"e_1_2_1_25_1","unstructured":"Secure computing with filters. https:\/\/www.kernel.org\/doc\/Documentation\/prctl\/seccomp_filter.txt."},{"key":"e_1_2_1_26_1","unstructured":"selinux(8) - linux manual page. https:\/\/man7.org\/linux\/man-pages\/man8\/selinux.8.html."},{"key":"e_1_2_1_27_1","unstructured":"sha1sum(1) - linux manual page. https:\/\/man7.org\/linux\/man-pages\/man1\/sha1sum.1.html."},{"key":"e_1_2_1_28_1","unstructured":"strace - the linux syscall tracer. https:\/\/github.com\/strace\/strace."},{"key":"e_1_2_1_29_1","unstructured":"unikraft\/dynamic-apps: Pre-built dynamic linux elfs. https:\/\/github.com\/unikraft\/dynamic-apps."},{"key":"e_1_2_1_30_1","unstructured":"unikraft\/run-app-elfloader: Run unikraft elf loader app on linux executables. https:\/\/github.com\/unikraft\/run-app-elfloader."},{"key":"e_1_2_1_31_1","unstructured":"vulhub\/imagemagick - docker image | docker hub. https:\/\/hub.docker.com\/r\/vulhub\/imagemagick."},{"key":"e_1_2_1_32_1","unstructured":"vulhub\/openssl - docker image | docker hub. https:\/\/hub.docker.com\/r\/vulhub\/openssl."},{"key":"e_1_2_1_33_1","unstructured":"Xen project - open source virtualization. https:\/\/xenproject.org\/."},{"key":"e_1_2_1_34_1","volume-title":"Symposium on Networked Systems Design and Implementation","author":"Agache Alexandru","year":"2020","unstructured":"Alexandru Agache, Marc Brooker, Alexandra Iordache, Anthony Liguori, Rolf Neugebauer, Phil Piwonka, and Diana-Maria Popa. Firecracker: Lightweight virtualization for serverless applications. In Symposium on Networked Systems Design and Implementation, 2020."},{"key":"e_1_2_1_35_1","doi-asserted-by":"crossref","first-page":"591","DOI":"10.1109\/SP.2015.42","volume-title":"2015 IEEE Symposium on Security and Privacy","author":"Apecechea Gorka Irazoqui","year":"2015","unstructured":"Gorka Irazoqui Apecechea, Thomas Eisenbarth, and Berk Sunar. S$a: A shared cache attack that works across cores and defies vm sandboxing -- and its application to aes. 2015 IEEE Symposium on Security and Privacy, pages 591--604, 2015."},{"key":"e_1_2_1_36_1","volume-title":"Network and Distributed System Security Symposium","author":"Backes Michael","year":"2013","unstructured":"Michael Backes, Goran Doychev, and Boris K\u00f6pf. Preventing side-channel leaks in web traffic: A formal approach. In Network and Distributed System Security Symposium, 2013."},{"key":"e_1_2_1_37_1","volume-title":"Workshop on Cryptographic Hardware and Embedded Systems","author":"Gandolfi Karine","year":"2001","unstructured":"Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electromagnetic analysis: Concrete results. In Workshop on Cryptographic Hardware and Embedded Systems, 2001."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2017.49"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354227"},{"key":"e_1_2_1_40_1","first-page":"443","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020","author":"Ghavamnia Seyedhamed","year":"2020","unstructured":"Seyedhamed Ghavamnia, Tapti Palit, Azzedine Benameur, and Michalis Polychronakis. Confine: Automated system call policy generation for container attack surface reduction. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), pages 443--458, 2020."},{"key":"e_1_2_1_41_1","unstructured":"iximiuz kcq. slimtoolkit\/slim: Slim(toolkit)). https:\/\/github.com\/slimtoolkit\/slim."},{"key":"e_1_2_1_42_1","volume-title":"USENIX Annual Technical Conference","author":"Kivity Avi","year":"2014","unstructured":"Avi Kivity, Dor Laor, Glauber Costa, Pekka Enberg, Nadav Har'El, Don Marti, and Vlad Zolotarov. Osv - optimizing the operating system for virtual machines. In USENIX Annual Technical Conference, 2014."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447786.3456248"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-66504-3_12"},{"key":"e_1_2_1_45_1","volume-title":"Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems","author":"Lefeuvre Hugo","year":"2021","unstructured":"Hugo Lefeuvre, Vlad-Andrei Badoiu, Alexander Jung, Stefan Teodorescu, Sebastian Rauch, Felipe Huici, Costin Raiciu, and Pierre Olivier. Flexos: towards flexible os isolation. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, 2021."},{"key":"e_1_2_1_46_1","volume-title":"Loupe: Driving the development of os compatibility layers. ArXiv, abs\/2309.15996","author":"Lefeuvre Hugo","year":"2023","unstructured":"Hugo Lefeuvre, Gaulthier Gain, Vlad-Andrei Badoiu, Daniel Dinca, Vlad-Radu Schiller, Costin Raiciu, Felipe Huici, and Pierre Olivier. Loupe: Driving the development of os compatibility layers. ArXiv, abs\/2309.15996, 2023."},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274720"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.43"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2018.00169"},{"key":"e_1_2_1_50_1","volume-title":"International Symposium on Recent Advances in Intrusion Detection","author":"Luo Wu","year":"2019","unstructured":"Wu Luo, Qingni Shen, Yutang Xia, and Zhonghai Wu. Container-ima: A privacy-preserving integrity measurement architecture for containers. In International Symposium on Recent Advances in Intrusion Detection, 2019."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/2490301.2451167"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132763"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2015.7346869"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/3302424.3303946"},{"key":"e_1_2_1_55_1","first-page":"81","volume-title":"2020 USENIX Annual Technical Conference (USENIX ATC 20)","author":"Nam Jaehyun","year":"2020","unstructured":"Jaehyun Nam, Seungsoo Lee, Hyunmin Seo, Phil Porras, Vinod Yegneswaran, and Seungwon Shin. {BASTION}: A security enforcement network stack for container networks. In 2020 USENIX Annual Technical Conference (USENIX ATC 20), pages 81--95, 2020."},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3313808.3313817"},{"key":"e_1_2_1_57_1","volume-title":"International Conference on Smart Computing and Communication","author":"Qin Jingjie","year":"2017","unstructured":"Jingjie Qin, Bin Shi, and Bo Li. Nem: A new in-vm monitoring with high efficiency and strong isolation. In International Conference on Smart Computing and Communication, 2017."},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106271"},{"key":"e_1_2_1_59_1","volume-title":"Proceedings of the Eighteenth European Conference on Computer Systems","author":"Raza Ali","year":"2022","unstructured":"Ali Raza, Thomas Unger, Matthew Boyd, Eric B Munson, Parul Sohal, Ulrich Drepper, Richard Jones, Daniel Bristot De Oliveira, Larry Woodman, Renato Mancuso, Jonathan Appavoo, and Orran Krieger. Unikernel linux (ukl). Proceedings of the Eighteenth European Conference on Computer Systems, 2022."},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653687"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3445814.3446731"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/3297858.3304016"},{"key":"e_1_2_1_63_1","first-page":"1423","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Sun Yuqiong","year":"2018","unstructured":"Yuqiong Sun, David Safford, Mimi Zohar, Dimitrios Pendarakis, Zhongshu Gu, and Trent Jaeger. Security namespace: making linux security frameworks available to containers. In 27th USENIX Security Symposium (USENIX Security 18), pages 1423--1439, 2018."},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3381052.3381326"},{"key":"e_1_2_1_65_1","first-page":"1547","volume-title":"2024 IEEE\/ACM 46th International Conference on Software Engineering (ICSE)","author":"Xia Chun","year":"2023","unstructured":"Chun Xia, Matteo Paltenghi, Jia Le Tian, Michael Pradel, and Lingming Zhang. Fuzz4all: Universal fuzzing with large language models. 2024 IEEE\/ACM 46th International Conference on Software Engineering (ICSE), pages 1547--1559, 2023."},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484744"},{"key":"e_1_2_1_67_1","volume-title":"Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems","volume":"3","author":"Yasukata Kenichi","year":"2023","unstructured":"Kenichi Yasukata, Hajime Tazaki, and Pierre-Louis Aublin. Exit-less, isolated, and shared access for virtual machines. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, 2023."},{"issue":"1","key":"e_1_2_1_68_1","first-page":"30","article-title":"Machine learning systems are bloated and vulnerable","volume":"8","author":"Zhang Huaifeng","year":"2022","unstructured":"Huaifeng Zhang, Mohannad J. Alhanahnah, Fahmi Abdulqadir Ahmed, Dyako Fatih, Philipp Leitner, and Ahmed Ali-Eldin. Machine learning systems are bloated and vulnerable. Proceedings of the ACM on Measurement and Analysis of Computing Systems, 8:1 -- 30, 2022.","journal-title":"Proceedings of the ACM on Measurement and Analysis of Computing Systems"},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICPADS63350.2024.00027"},{"key":"e_1_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2021.102924"}],"container-title":["Proceedings of the ACM on Measurement and Analysis of Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3727134","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3727134","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T21:32:07Z","timestamp":1755898327000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3727134"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,5,27]]},"references-count":70,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,5,27]]}},"alternative-id":["10.1145\/3727134"],"URL":"https:\/\/doi.org\/10.1145\/3727134","relation":{},"ISSN":["2476-1249"],"issn-type":[{"value":"2476-1249","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,5,27]]},"assertion":[{"value":"2025-06-03","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}