
Page reclamation technique for VMM based application sandbox


Abstract

Sandboxes, process containers and process isolation all provide designs to control and monitor the execution of untrusted applications. Most of these solutions use virtualization to provide VM-equivalent isolation for the sandboxed process. Sandboxing incurs sufficient overhead in providing secure execution of an untrusted binary. Memory is one such resource, and it can become a bottleneck for the scalability of a sandbox that controls the execution of most of the apps on a single system. In this research, we present a novel page reclamation technique to reclaim pages from sandboxed applications. Page reclamation evicts the pages of a process that are least recently used in the active working set. The proposed technique uses the Page Modification Logging (PML) hardware virtualization extension to get the working set of an isolated process. We implemented the proposed technique as an extension to one of the sandboxes that use hardware virtualization extensions. In evaluation, we successfully reclaim 5% to 11% memory with negligible CPU overhead.