The objective of this project is to investigate novel applications of existing Linux kernel features, such as the facilities for container-based virtualization, to construct (and tear down) dynamic isolated domains on demand. When combined with additional Linux kernel security mechanisms such as LSMs, cgroups and kernel hardening, this approach can provide strong compartmentalization while keeping the performance overhead acceptable even for mobile devices.

Possible applications include:

  • More user-friendly means of specifying access control rules for user data and assigning privileges for applications.
  • Extending the domain securely across the device boundary to another device (e.g., allowing an application domain to be migrated to another device).

Results

Papers

Available applications

Technical reports

Presentations