Jin H.,Services Computing Technology and System Laboratory |
Jin H.,Cluster and Grid Computing Laboratory |
Jin H.,Huazhong University of Science and Technology |
Cheng G.,Xiangtan University |
And 4 more authors.
Computers and Mathematics with Applications | Year: 2013
Cherub is an on-demand virtualization mechanism that aims to provide fine-grained application protection in untrusted environments. By leveraging late launch technology, Cherub dynamically inserts a lightweight virtual machine monitor (VMM) under a commodity operating system (OS) when critical pieces of an application's code or data are about to be processed. The novel design of Cherub, a double-shadowed page table, extends VMM-level memory protection to the application level, so that selected memory pages of a target process can be isolated both from the rest of that process and from other processes in the same OS environment. With this, Cherub enables fine-grained memory access control and therefore flexible security objectives. Compared to existing approaches, Cherub has the benefits of small code size, low performance overhead, no changes to existing applications or to the commodity OS, and selective protection within a single application's address space. We implement Cherub in Linux, and our analysis and evaluation demonstrate its effectiveness and practicality. © 2012 Elsevier Ltd. All rights reserved.
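The abstract only says that a double-shadowed page table lets the VMM hide selected pages of one process from the rest of that process and from other processes. The following Python model is an added example, not Cherub's code, and the two-table scheme it uses (a "normal" shadow from which the selected pages are simply absent, and a "protected" shadow consulted only while the application's designated trusted code pages are executing) is an assumption about how such isolation can be realised, not a description of Cherub's actual design. Page numbers, frame numbers, process ids and the hostile second process are all constructed.

```python
"""Simplified model of a double-shadowed page table (added example, not Cherub's
code; the two-shadow scheme below is an assumption about the technique)."""
from typing import Callable, Dict, Set, Tuple

PAGE = 0x1000


class PageFault(Exception):
    """The active shadow table has no entry for the page being accessed."""


class ShadowVMM:
    def __init__(self) -> None:
        self.ram: Dict[int, bytearray] = {}            # host frame -> contents
        self.guest_pt: Dict[int, Dict[int, int]] = {}  # pid -> {vpn: frame}, written by the OS
        self.trusted_code: Dict[int, Set[int]] = {}    # pid -> code pages allowed to see secrets
        self.owned_frames: Dict[int, int] = {}         # protected host frame -> owning pid
        self.shadow_normal: Dict[int, Dict[int, int]] = {}
        self.shadow_protected: Dict[int, Dict[int, int]] = {}

    def set_guest_pt(self, pid: int, mapping: Dict[int, int]) -> None:
        """The (possibly compromised) OS installs or updates a process page table."""
        self.guest_pt[pid] = dict(mapping)
        for frame in mapping.values():
            self.ram.setdefault(frame, bytearray(PAGE))
        self._rebuild_shadows()

    def protect(self, pid: int, vpns: Set[int], trusted_code_vpns: Set[int]) -> None:
        """On demand, isolate `vpns` of `pid` so that only `trusted_code_vpns` may touch them."""
        for vpn in vpns:
            frame = self.guest_pt[pid][vpn]
            if self.owned_frames.get(frame, pid) != pid:
                raise ValueError(f"frame {frame:#x} already protected by pid {self.owned_frames[frame]}")
            self.owned_frames[frame] = pid
        self.trusted_code[pid] = set(trusted_code_vpns)
        self._rebuild_shadows()

    def _rebuild_shadows(self) -> None:
        """Derive both shadows of every process from the guest tables and frame ownership."""
        for pid, gpt in self.guest_pt.items():
            normal: Dict[int, int] = {}
            prot: Dict[int, int] = {}
            for vpn, frame in gpt.items():
                owner = self.owned_frames.get(frame)
                if owner is None:
                    normal[vpn] = prot[vpn] = frame   # ordinary page: present in both views
                elif owner == pid:
                    prot[vpn] = frame                 # isolated page: only in the trusted view
                # frame owned by another pid: dropped from both views, whatever the OS mapped
            self.shadow_normal[pid] = normal
            self.shadow_protected[pid] = prot

    def _translate(self, pid: int, rip: int, vaddr: int) -> Tuple[int, int]:
        """Select the shadow by which code page is executing, then walk it."""
        vpn, off = divmod(vaddr, PAGE)
        in_trusted = (rip // PAGE) in self.trusted_code.get(pid, set())
        table = self.shadow_protected[pid] if in_trusted else self.shadow_normal[pid]
        if vpn not in table:
            raise PageFault(f"pid {pid}: vpn {vpn:#x} absent from "
                            f"{'protected' if in_trusted else 'normal'} shadow")
        return table[vpn], off

    def read(self, pid: int, rip: int, vaddr: int, n: int) -> bytes:
        frame, off = self._translate(pid, rip, vaddr)
        return bytes(self.ram[frame][off:off + n])

    def write(self, pid: int, rip: int, vaddr: int, data: bytes) -> None:
        frame, off = self._translate(pid, rip, vaddr)
        self.ram[frame][off:off + len(data)] = data


def _attempt(fn: Callable[[], bytes]) -> object:
    try:
        return fn()
    except PageFault:
        return "fault"


def demo() -> Dict[str, object]:
    """Constructed scenario: pid 1 isolates its key page (vpn 0x20, frame 0x200);
    the OS has also mapped frame 0x200 into pid 2, and pid 1 hosts untrusted code
    (a plugin on page 0x11) next to its trusted code on page 0x10."""
    vmm = ShadowVMM()
    vmm.set_guest_pt(1, {0x10: 0x100, 0x11: 0x101, 0x20: 0x200, 0x30: 0x300})
    vmm.set_guest_pt(2, {0x40: 0x400, 0x41: 0x200})   # vpn 0x41 aliases pid 1's key frame
    vmm.protect(1, vpns={0x20}, trusted_code_vpns={0x10})

    trusted_rip, plugin_rip = 0x10 * PAGE + 0x40, 0x11 * PAGE + 0x8
    key_va, scratch_va = 0x20 * PAGE, 0x30 * PAGE
    out: Dict[str, object] = {}
    vmm.write(1, trusted_rip, key_va, b"KEY-0123")
    out["trusted_read"] = vmm.read(1, trusted_rip, key_va, 8)                        # b"KEY-0123"
    out["same_process_untrusted"] = _attempt(lambda: vmm.read(1, plugin_rip, key_va, 8))   # "fault"
    out["other_process"] = _attempt(lambda: vmm.read(2, 0x40 * PAGE, 0x41 * PAGE, 8))     # "fault"
    vmm.write(1, plugin_rip, scratch_va, b"ok")   # non-isolated pages stay usable by everyone
    out["untrusted_scratch"] = vmm.read(1, plugin_rip, scratch_va, 2)                 # b"ok"
    return out
```

Two things the model leaves to assumptions that a real deployment cannot: it rebuilds the shadows whenever the OS calls `set_guest_pt`, whereas a VMM under a commodity OS has to trap or write-protect guest page-table updates itself, and it trusts `trusted_code_vpns` as given, whereas the point of late launch is that the VMM measures that code before granting it the protected view.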
Zhao F.,Huazhong University of Science and Technology |
Zhao F.,Services Computing Technology and System Laboratory |
Zhao F.,Cluster and Grid Computing Laboratory |
Huang H.,Huazhong University of Science and Technology |
And 6 more authors.
Computers and Mathematics with Applications | Year: 2011
To enhance security in dynamic networks, it is important to evaluate vulnerabilities and to offer an economical and practical patching strategy, since vulnerabilities are the major driving force behind attacks. In this paper, a hybrid ranking approach is presented to estimate vulnerabilities under dynamic scenarios; it combines a low-level rating of individual vulnerability instances with a high-level evaluation of the security level of the network system. Moreover, a novel quantitative model, an adapted attack graph, is proposed to avoid isolated scoring: it takes the dynamic and logical relations among exploits into account and significantly benefits vulnerability analysis. To validate the applicability and performance of our approach, a hybrid ranking case is implemented as an experimental platform. The ranking results show that our approach differentiates the levels of influence among vulnerabilities under dynamic attack scenarios and economically enhances the security of the network system. © 2011 Elsevier Ltd. All rights reserved.
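The abstract contrasts isolated per-instance scoring with a ranking that accounts for the logical relations among exploits in an attack graph. The Python below is an added example illustrating that contrast; it is not the paper's adapted attack graph or its ranking formula. The hybrid score it uses (base score multiplied by one plus the number of reachable attacker goals that the exploit alone is necessary for) is an assumed heuristic, and the hosts, exploit names, preconditions and base scores are constructed. The greedy loop re-ranks after every patch, which is where the "dynamic" behaviour shows up: an exploit's rank rises once the alternative routes around it have been closed.

```python
"""Added example, not the paper's model: attack-graph-aware vulnerability
ranking versus isolated scoring, with a greedy re-ranking patch loop.
All hosts, scores and exploit relations below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Exploit:
    vuln: str             # vulnerability instance the exploit uses
    base: float           # low-level rating of that instance (assumed CVSS-like, 0-10)
    pre: FrozenSet[str]   # attacker capabilities required before it can fire
    post: FrozenSet[str]  # capabilities gained afterwards


def reachable(exploits: List[Exploit], initial: FrozenSet[str],
              removed: FrozenSet[str] = frozenset()) -> Tuple[Set[str], Set[str]]:
    """Monotonic forward closure: fire every exploit whose preconditions hold,
    until nothing new is gained. Returns (capabilities held, exploits fired)."""
    have, fired = set(initial), set()
    changed = True
    while changed:
        changed = False
        for e in exploits:
            if e.vuln in removed or e.vuln in fired or not e.pre <= have:
                continue
            have |= e.post
            fired.add(e.vuln)
            changed = True
    return have, fired


def base_scores(exploits, initial, goals, removed=frozenset()) -> Dict[str, float]:
    """Isolated scoring: each instance ranked by its own base score only."""
    return {e.vuln: e.base for e in exploits if e.vuln not in removed}


def hybrid_scores(exploits, initial, goals, removed=frozenset()) -> Dict[str, float]:
    """Base score weighted by how many currently reachable attacker goals become
    unreachable if this exploit alone is patched (assumed heuristic). Exploits
    on no attack path from the initial state score 0 regardless of base score."""
    have, fired = reachable(exploits, initial, removed)
    reached = goals & have
    scores: Dict[str, float] = {}
    for e in exploits:
        if e.vuln in removed:
            continue
        if e.vuln not in fired:
            scores[e.vuln] = 0.0
            continue
        have_without, _ = reachable(exploits, initial, removed | {e.vuln})
        scores[e.vuln] = e.base * (1 + len(reached - have_without))
    return scores


def greedy_patch(exploits, initial, goals, scorer: Callable) -> List[str]:
    """Patch the top-ranked vulnerability, re-rank, repeat until no goal is reachable."""
    patched: List[str] = []
    removed: FrozenSet[str] = frozenset()
    while goals & reachable(exploits, initial, removed)[0]:
        scores = scorer(exploits, initial, goals, removed)
        top = max(scores, key=scores.get)
        patched.append(top)
        removed = removed | {top}
    return patched


def example_network():
    """Constructed sample: two footholds (web, vpn), a web host, a database host
    reachable only through the web host, and a workstation the attacker cannot
    reach at all but which carries the second-highest base score."""
    def E(v, b, pre, post):
        return Exploit(v, b, frozenset(pre), frozenset(post))
    exploits = [
        E("web_rce", 9.8, {"net(web)"}, {"user(web)"}),
        E("vpn_bypass", 7.5, {"net(vpn)"}, {"user(web)"}),
        E("web_privesc", 7.8, {"user(web)"}, {"root(web)"}),
        E("db_auth_bypass", 8.1, {"user(web)"}, {"user(db)"}),
        E("ssh_weak_key", 6.5, {"root(web)"}, {"user(db)"}),
        E("db_privesc", 7.2, {"user(db)"}, {"root(db)"}),
        E("ws_bof", 9.0, {"net(ws)"}, {"root(ws)"}),
    ]
    initial = frozenset({"net(web)", "net(vpn)"})
    goals = frozenset({"root(web)", "root(db)"})
    return exploits, initial, goals


if __name__ == "__main__":
    ex, init, goals = example_network()
    for name, scorer in (("isolated", base_scores), ("hybrid", hybrid_scores)):
        ranking = sorted(scorer(ex, init, goals).items(), key=lambda kv: -kv[1])
        print(name, "ranking:", ranking)
        print(name, "patch order:", greedy_patch(ex, init, goals, scorer))
```

On the constructed network, isolated scoring puts `ws_bof` second and needs four patches before both goals are cut off, one of them wasted on the unreachable workstation; the graph-aware ranking scores `ws_bof` at zero and closes both goals with two patches, the second of which (`db_auth_bypass`) only rose to the top after patching `web_privesc` removed the `ssh_weak_key` route around it.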