Understanding file system operations of a secure container runtime using system call tracing technique

Sunwoo Jang; Young Kyoon Suh; Byungchul Tak

doi:10.1587/transinf.2023EDL8039

Understanding file system operations of a secure container runtime using system call tracing technique

Amazon Korea

Research output: Contribution to journal › Article › peer-review

Abstract

This letter presents a technique that observes system call mapping behavior of the proxy kernel layer of secure container runtimes. We applied it to file system operations of a secure container runtime, gVisor. We found that gVisor's operations can become more expensive than the native by 48× more syscalls for open, and 6× for read and write.

Original language	English
Pages (from-to)	229-233
Number of pages	5
Journal	IEICE Transactions on Information and Systems
Volume	E107D
Issue number	2
DOIs	https://doi.org/10.1587/transinf.2023EDL8039
State	Published - Feb 2024

Keywords

Secure container runtime
System call
gvisor

Access to Document

10.1587/transinf.2023EDL8039

Cite this

@article{19dc0d6df48a492e8a86d5b42d59e27c,

title = "Understanding file system operations of a secure container runtime using system call tracing technique",

abstract = "This letter presents a technique that observes system call mapping behavior of the proxy kernel layer of secure container runtimes. We applied it to file system operations of a secure container runtime, gVisor. We found that gVisor's operations can become more expensive than the native by 48× more syscalls for open, and 6× for read and write.",

keywords = "Secure container runtime, System call, gvisor",

author = "Sunwoo Jang and Suh, \{Young Kyoon\} and Byungchul Tak",

year = "2024",

month = feb,

doi = "10.1587/transinf.2023EDL8039",

language = "English",

volume = "E107D",

pages = "229--233",

journal = "IEICE Transactions on Information and Systems",

issn = "0916-8532",

publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",

number = "2",

}

TY - JOUR

T1 - Understanding file system operations of a secure container runtime using system call tracing technique

AU - Jang, Sunwoo

AU - Suh, Young Kyoon

AU - Tak, Byungchul

PY - 2024/2

Y1 - 2024/2

N2 - This letter presents a technique that observes system call mapping behavior of the proxy kernel layer of secure container runtimes. We applied it to file system operations of a secure container runtime, gVisor. We found that gVisor's operations can become more expensive than the native by 48× more syscalls for open, and 6× for read and write.

AB - This letter presents a technique that observes system call mapping behavior of the proxy kernel layer of secure container runtimes. We applied it to file system operations of a secure container runtime, gVisor. We found that gVisor's operations can become more expensive than the native by 48× more syscalls for open, and 6× for read and write.

KW - Secure container runtime

KW - System call

KW - gvisor

UR - https://www.scopus.com/pages/publications/85185220529

U2 - 10.1587/transinf.2023EDL8039

DO - 10.1587/transinf.2023EDL8039

M3 - Article

AN - SCOPUS:85185220529

SN - 0916-8532

VL - E107D

SP - 229

EP - 233

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

IS - 2

ER -

Understanding file system operations of a secure container runtime using system call tracing technique

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this