Abstract
VUOS (View-based OS) is a virtual operating system that gives each process its own view of the underlying system, for instance access to only specific directories or to a chosen subset of system calls. This is currently achieved by intercepting system call requests with the ptrace system call. All system call requests are forwarded to a VUOS hypervisor (umvu) that runs in user space. For each request, the hypervisor can either use its own implementation of the system call or forward the request to the Linux kernel. Running the hypervisor in user space, as an ordinary user process, improves security: if a sandbox-escape bug is exploited, the potentially malicious process obtains only the limited system access of that unprivileged process. This approach can be seen as an extension of the FUSE model from file systems to system calls. FUSE (File system in Userspace) is a user-space file system framework that lets users implement their own file systems without patching the Linux kernel: a kernel module forwards the requests for each FUSE-mounted file system to its corresponding user process. FUSE is specific to file systems, whereas VUOS allows several system services to be implemented in user space, such as virtual devices, virtual networking and file systems (including a reimplementation of FUSE as a VUOS module).
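The interception loop the abstract describes, as an added example that is not VUOS or umvu code: a tracer installs itself with ptrace(2), stops the child at every system call entry and exit, and for open/openat decides between its own implementation (here a hypothetical view policy that makes everything under /etc not exist, returning ENOENT without ever running the kernel call) and forwarding the call to the kernel unchanged. The hidden prefix, the two probe paths and the result encoding are assumptions of this example. It is x86_64 Linux only because it reads the syscall number and arguments from orig_rax, rdi and rsi; where ptrace is unavailable (a seccomp filter, Yama ptrace_scope 3, another architecture) the demo reports -1 instead of a result.

```c
/* Minimal "view" hypervisor in the style the abstract describes: a user-space tracer hijacks the tracee's
 * system calls with ptrace(2), serves some itself and forwards the rest. Added example, not VUOS/umvu code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical view policy (an assumption of this example): nothing under this prefix exists. */
static const char *HIDDEN_PREFIX = "/etc";
struct view_stats { int opens_seen; int opens_denied; };

/* 1 if the view hides path: prefix match ending on a path-component boundary. */
int view_hides(const char *path) {
    size_t n = strlen(HIDDEN_PREFIX);
    if (strncmp(path, HIDDEN_PREFIX, n) != 0) return 0;
    return path[n] == '\0' || path[n] == '/';
}

#ifdef __x86_64__
/* Copy a NUL-terminated string out of the tracee's address space, one word at a time. */
static int read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t len) {
    for (size_t i = 0; i + sizeof(long) <= len; i += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), 0);
        if (word == -1 && errno) return -1;                 /* unmapped address in the tracee */
        memcpy(buf + i, &word, sizeof word);
        if (memchr(buf + i, '\0', sizeof word)) return 0;
    }
    buf[len - 1] = '\0';                                    /* truncate over-long paths */
    return 0;
}
/* Syscall-stop loop: returns the tracee's exit status, or -1 if tracing failed. */
static int trace_child(pid_t pid, struct view_stats *st) {
    struct user_regs_struct regs; char path[4096];
    int status, sig = 0, in_syscall = 0, blocked = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;   /* initial SIGSTOP */
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL)) < 0) {
        kill(pid, SIGKILL); waitpid(pid, &status, 0); return -1;
    }
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, (void *)(long)sig) < 0 || waitpid(pid, &status, 0) < 0) return -1;
        if (!WIFSTOPPED(status)) return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
        sig = WSTOPSIG(status) != (SIGTRAP | 0x80) ? WSTOPSIG(status) : 0;
        if (sig) continue;                                  /* ordinary signal, not a syscall stop: re-inject */
        if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0) return -1;
        if (!in_syscall) {                                  /* syscall-enter stop: decide */
            in_syscall = 1; blocked = 0;
            unsigned long nr = regs.orig_rax;
            if (nr == SYS_openat || nr == SYS_open) {
                unsigned long patharg = nr == SYS_openat ? regs.rsi : regs.rdi;
                st->opens_seen++;
                if (read_tracee_string(pid, patharg, path, sizeof path) == 0 && view_hides(path)) {
                    regs.orig_rax = (unsigned long long)-1; /* invalid number: the kernel skips the call */
                    ptrace(PTRACE_SETREGS, pid, 0, &regs);
                    blocked = 1;
                }
            }                                               /* every other call is forwarded untouched */
        } else {                                            /* syscall-exit stop: supply our own result */
            in_syscall = 0;
            if (blocked) {
                regs.rax = (unsigned long long)(long)-ENOENT;
                ptrace(PTRACE_SETREGS, pid, 0, &regs);
                st->opens_denied++;
            }
        }
    }
}
#else
static int trace_child(pid_t pid, struct view_stats *st) { (void)st; kill(pid, SIGKILL); waitpid(pid, 0, 0); return -1; }
#endif
/* Fork a tracee that opens one visible and one hidden path and encodes what it saw: bit 0 = /dev/null opened,
 * bit 1 = hidden path got ENOENT. Returns 3 under the view, -1 where ptrace is unavailable (seccomp, Yama 3, non-x86_64). */
int run_view_demo(struct view_stats *st) {
    memset(st, 0, sizeof *st);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(127);
        raise(SIGSTOP);                                     /* let the tracer set its options first */
        int code = 0;
        long fd = syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY);
        if (fd >= 0) { code |= 1; close(fd); }
        if (syscall(SYS_openat, AT_FDCWD, "/etc/passwd", O_RDONLY) < 0 && errno == ENOENT) code |= 2;
        _exit(code);
    }
    int rc = trace_child(pid, st);
    return rc == 127 ? -1 : rc;
}
int main(void) {
    struct view_stats st; int rc = run_view_demo(&st);
    printf("tracee result %d (3 = view applied), opens seen %d, denied %d\n", rc, st.opens_seen, st.opens_denied);
    return rc == 3 ? 0 : 1;
}
```

The two halves of the decision are the point: at the enter stop the tracer overwrites the syscall number with -1 so the kernel never runs the hidden open, and at the matching exit stop it writes the return value the tracee will see. The same hook is where a full hypervisor would rewrite a path, redirect the call to a user-space file system or network module, or forward it unchanged. Note the cost that motivates the paper's comparison with seccomp-based approaches: every system call of the tracee, not only the intercepted ones, causes two context switches into the tracer.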
Notes
- 1.
VU was chosen because it sounds like “view”.
Acknowledgements
This work was partially supported by project SERICS (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU.
Ethics declarations
Disclosure of Interests
Author Renzo Davoli is a member of the committee for TOAST 2024.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bassi, L., Berardi, D., Davoli, R. (2024). VUOS: A User-Space Hypervisor Based on System Call Hijacking. In: Ceccarelli, A., Trapp, M., Bondavalli, A., Schoitsch, E., Gallina, B., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2024 Workshops. SAFECOMP 2024. Lecture Notes in Computer Science, vol 14989. Springer, Cham. https://doi.org/10.1007/978-3-031-68738-9_23
DOI: https://doi.org/10.1007/978-3-031-68738-9_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-68737-2
Online ISBN: 978-3-031-68738-9
eBook Packages: Computer Science, Computer Science (R0)