{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,13]],"date-time":"2025-11-13T17:23:40Z","timestamp":1763054620171,"version":"3.45.0"},"publisher-location":"New York, NY, USA","reference-count":73,"publisher":"ACM","funder":[{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,10,13]]},"DOI":"10.1145\/3764860.3768325","type":"proceedings-article","created":{"date-parts":[[2025,10,1]],"date-time":"2025-10-01T13:54:43Z","timestamp":1759326883000},"page":"1-9","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Comparing Isolation Mechanisms with OSmosis"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3194-6037","authenticated-orcid":false,"given":"Sidhartha","family":"Agrawal","sequence":"first","affiliation":[{"name":"University of British Columbia, Vancouver, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-6759-1069","authenticated-orcid":false,"given":"Shaurya","family":"Patel","sequence":"additional","affiliation":[{"name":"University of British Columbia, Google, Vancouver, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-3037-5514","authenticated-orcid":false,"given":"Arya","family":"Stevinson","sequence":"additional","affiliation":[{"name":"Oracle Labs, Vancouver, Canada and University of British Columbia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-5047-5605","authenticated-orcid":false,"given":"Linh","family":"Pham","sequence":"additional","affiliation":[{"name":"Hammerspace, Toronto, Canada and University of British Columbia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-6594-0359","authenticated-orcid":false,"given":"Ilias","family":"Karimalis","sequence":"additional","affiliation":[{"name":"University of British Columbia, Vancouver, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9547-7458","authenticated-orcid":false,"given":"Hugo","family":"Lefeuvre","sequence":"additional","affiliation":[{"name":"University of British Columbia, Vancouver, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-3416-5254","authenticated-orcid":false,"given":"Aastha","family":"Mehta","sequence":"additional","affiliation":[{"name":"University of British Columbia, Vancouver, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3263-7236","authenticated-orcid":false,"given":"Reto","family":"Achermann","sequence":"additional","affiliation":[{"name":"University of British Columbia, Vancouver, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2165-4658","authenticated-orcid":false,"given":"Margo I.","family":"Seltzer","sequence":"additional","affiliation":[{"name":"University of British Columbia, Vancouver, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,10,13]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. All Linux CVEs. https:\/\/cve.mitre.org\/cgi-bin\/cvekey.cgi?keyword=linux [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. Apptainer User Guide. https:\/\/apptainer.org\/docs\/user\/main\/. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. cgroups(7) - Linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/cgroups.7.html [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_4_1","unstructured":"[n. d.]. clone(2) - Linux manual page. https:\/\/man7.org\/linux\/man-pages\/man2\/clone.2.html [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. Docker. https:\/\/docs.docker.com\/ [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_6_1","unstructured":"[n. d.]. Firejail Security Sandbox. https:\/\/firejail.wordpress.com\/. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_7_1","unstructured":"[n.d.]. FreeBSD Manual Pages: jail. https:\/\/www.freebsd.org\/cgi\/man.cgi?jail [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_8_1","unstructured":"[n.d.]. Genode Operating System Framework. https:\/\/genode.org\/ [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_9_1","unstructured":"[n. d.]. The Linux Kernel documentation: Overlay Filesystem. https:\/\/docs.kernel.org\/filesystems\/overlayfs.html. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_10_1","unstructured":"[n. d.]. namespaces(7) - Linux manual page. https:\/\/man7.org\/linux\/man-pages\/man7\/namespaces.7.html [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_11_1","unstructured":"[n.d.]. NetworkX: Network Analysis in Python. https:\/\/networkx.org\/. [Accessed 18-04-2025]."},{"key":"e_1_3_2_1_12_1","unstructured":"[n. d.]. OpenVZ Container. https:\/\/wiki.openvz.org\/Container [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_13_1","unstructured":"[n.d.]. Oracle Solaris Information Library: zones(5). https:\/\/docs.oracle.com\/cd\/E36784_01\/html\/E36883\/zones-5.html#REFMAN5zones-5 [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_14_1","unstructured":"[n.d.]. Rootless mode. https:\/\/docs.docker.com\/engine\/security\/rootless [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_15_1","unstructured":"[n.d.]. SecComp BPF Secure Computing with filters. https:\/\/www.kernel.org\/doc\/html\/v5.0\/userspace-api\/seccomp_filter.html. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_16_1","unstructured":"[n.d.]. SELinux(8) - Linux manual page. https:\/\/man7.org\/linux\/man-pages\/man8\/selinux.8.html. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_17_1","unstructured":"[n.d.]. The seL4 Microkernel. https:\/\/sel4.systems\/ [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_18_1","unstructured":"[n. d.]. What is gRPC? Core concepts architecture and lifecycle. https:\/\/grpc.io\/docs\/what-is-grpc\/core-concepts\/. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_19_1","unstructured":"[n.d.]. What is Podman? https:\/\/docs.podman.io\/en\/latest\/index.html. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_20_1","unstructured":"2019. CVE-2019-19332. https:\/\/www.cve.org\/CVERecord?id=CVE-2019-19332 [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_21_1","unstructured":"2021. CVE-2021-22543. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=2021-22543 [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_22_1","unstructured":"2021. CVE-2021-43056. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-43056 [Accessed 10-09-2025]."},{"volume-title":"Physical Addressing on Real Hardware in Isabelle\/HOL","author":"Achermann Reto","key":"e_1_3_2_1_23_1","unstructured":"Reto Achermann, Lukas Humbel, David Cock, and Timothy Roscoe. 2018. Physical Addressing on Real Hardware in Isabelle\/HOL. In Interactive Theorem Proving, Jeremy Avigad and Assia Mahboubi (Eds.). Springer International Publishing, Cham, 1--19."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447786.3456249"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945462"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1629575.1629579"},{"key":"e_1_3_2_1_27_1","unstructured":"D Elliott Bell and Leonard J LaPadula. 1973. Secure computer systems: Mathematical foundations. Technical Report."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/800216.806598"},{"key":"e_1_3_2_1_29_1","unstructured":"Davis Catherman. 2022. Why you should use Apptainer. https:\/\/medium.com\/@dcat52\/why-you-should-use-apptainer-21ef1fe7e0bb. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/SERE.2013.12"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1460833.1460871"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/360051.360056"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3625275.3625400"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3593856.3595903"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354227"},{"key":"e_1_3_2_1_36_1","unstructured":"Xiling Gong Peter Pi and Tencent Blade Team. 2019. Exploiting Qualcomm WLAN and Modem Over the Air. Technical Report. https:\/\/i.blackhat.com\/USA-19\/Thursday\/us-19-Pi-Exploiting-Qualcomm-WLAN-And-Modem-Over-The-Air-wp.pdf [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_37_1","volume-title":"Project Zero: An EPYC Escape: Case-study of a KVM breakout. https:\/\/googleprojectzero.blogspot.com\/2021\/06\/an-epyc-escape-case-study-of-kvm.html [Accessed 10-09-2025].","author":"Zero Google Project","year":"2021","unstructured":"Google Project Zero. 2021. Project Zero: An EPYC Escape: Case-study of a KVM breakout. https:\/\/googleprojectzero.blogspot.com\/2021\/06\/an-epyc-escape-case-study-of-kvm.html [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1478873.1478928"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00268"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978327"},{"key":"e_1_3_2_1_41_1","volume-title":"Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI'22)","author":"Jing Yuzhuo","year":"2022","unstructured":"Yuzhuo Jing and Peng Huang. 2022. Operating System Support for Safe and Efficient Auxiliary Execution. In Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI'22). USENIX Association. https:\/\/www.usenix.org\/conference\/osdi22\/presentation\/jing"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3620678.3624648"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447786.3456248"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/CONECCT50063.2020.9198653"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/775265.775268"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP61157.2025.00075"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3623154"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/224056.224075"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/322017.322025"},{"key":"e_1_3_2_1_50_1","volume-title":"Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI'16)","author":"Litton James","year":"2016","unstructured":"James Litton, Anjo Vahldiek-Oberwagner, Eslam Elnikety, Deepak Garg, Bobby Bhattacharjee, and Peter Druschel. 2016. Light-Weight Contexts: An OS Abstraction for Safety and Performance. In Proceedings of the 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI'16). https:\/\/dl.acm.org\/doi\/10.5555\/3026877.3026882"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3575693.3575731"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2451116.2451167"},{"key":"e_1_3_2_1_53_1","unstructured":"Rory McCune. 2016. The Dangers of Docker.sock. https:\/\/raesene.github.io\/blog\/2016\/03\/06\/The-Dangers-Of-Docker.sock\/ [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1147\/sj.93"},{"key":"e_1_3_2_1_55_1","volume-title":"Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. Ph. D. Dissertation","author":"Miller Mark Samuel","year":"2006","unstructured":"Mark Samuel Miller. 2006. Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. Ph. D. Dissertation. Johns Hopkins University, Baltimore, Maryland, USA."},{"key":"e_1_3_2_1_56_1","unstructured":"OscarAkaElvis. 2018. How can I call docker daemon of the host-machine from a container? https:\/\/stackoverflow.com\/questions\/48152736\/how-can-i-call-docker-daemon-of-the-host-machine-from-a-container [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_57_1","unstructured":"Palo Alto Networks. 2024. The State of Cloud-Native Security. https:\/\/www.paloaltonetworks.com\/apps\/pan\/public\/downloadResource?pagePath=\/content\/pan\/en_US\/resources\/research\/state-of-cloud-native-security-2024 [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_58_1","unstructured":"Qualys. 2024. The State of Cloud and SaaS Security Report. https:\/\/cdn2.qualys.com\/docs\/mktg\/qualys-state-of-cloud-and-saas-security-report.pdf [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","unstructured":"Alessandro Randazzo and Ilenia Tinnirello. 2019. Kata Containers: An Emerging Architecture for Enabling MEC Services in Fast and Secure Way. In 2019 Sixth International Conference on Internet of Things: Systems Management and Security (IOTSMS). doi:10.1109\/IOTSMS48152.2019.8939164","DOI":"10.1109\/IOTSMS48152.2019.8939164"},{"key":"e_1_3_2_1_60_1","unstructured":"RedHat. 2024. Linux Capabilities and Seccomp for Docker. https:\/\/docs.redhat.com\/en\/documentation\/red_hat_enterprise_linux_atomic_host\/7\/html\/container_security_guide\/linux_capabilities_and_seccomp#linux_capabilities. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3471621.3471839"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/800216.806586"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/PROC.1975.9939"},{"key":"e_1_3_2_1_64_1","volume-title":"Principles of Computer System Design: an Introduction","author":"Saltzer Jerome H.","unstructured":"Jerome H. Saltzer and M. Frans Kaashoek. 2009. Principles of Computer System Design: an Introduction (1st ed.). Morgan Kaufmann.","edition":"1"},{"key":"e_1_3_2_1_65_1","volume-title":"Access Control: Policies, Models, and Mechanisms. In Foundations of Security Analysis and Design","author":"Samarati Pierangela","year":"2001","unstructured":"Pierangela Samarati and Sabrina Capitani de Vimercati. 2001. Access Control: Policies, Models, and Mechanisms. In Foundations of Security Analysis and Design, Riccardo Focardi and Roberto Gorrieri (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 137--196."},{"key":"e_1_3_2_1_66_1","volume-title":"Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI'22)","author":"Sartakov Vasily A","year":"2022","unstructured":"Vasily A Sartakov, Llu\u00eds Vilanova, David Eyers, Takahiro Shinagawa, and Peter Pietzuch. 2022. CAP-VMs:Capability-Based Isolation and Sharing in the Cloud. In Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation (OSDI'22). https:\/\/www.usenix.org\/conference\/osdi22\/presentation\/sartakov"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-22863-6_24"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/2988336.2988337"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/2988545"},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/3694715.3695947"},{"key":"e_1_3_2_1_71_1","unstructured":"David W. 2025. Rootless and Standard Docker: A Useful Comparison. https:\/\/overcast.blog\/rootless-and-standard-docker-a-useful-comparison-6e07e19ab505. [Accessed 10-09-2025]."},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484744"},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3564634"}],"event":{"name":"SOSP '25: ACM SIGOPS 31st Symposium on Operating Systems Principles","sponsor":["SIGOPS ACM Special Interest Group on Operating Systems"],"location":"Seoul Republic of Korea","acronym":"SOSP '25"},"container-title":["Proceedings of the 13th Workshop on Programming Languages and Operating Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3764860.3768325","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,13]],"date-time":"2025-11-13T17:20:26Z","timestamp":1763054426000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3764860.3768325"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,13]]},"references-count":73,"alternative-id":["10.1145\/3764860.3768325","10.1145\/3764860"],"URL":"https:\/\/doi.org\/10.1145\/3764860.3768325","relation":{},"subject":[],"published":{"date-parts":[[2025,10,13]]},"assertion":[{"value":"2025-10-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}