references.bib

@online{redis-latency-generated-by-fork,
    author   = {Redis Ltd.},
    title    = {Diagnosing latency issues: Latency generated by fork},
    date     = {2011-09-08},
    url      = {https://redis.io/docs/reference/optimization/latency/#latency-generated-by-fork},
    urldate  = {2022-09-08},
    keywords = {fork latency Redis},
}

@online{shared_subtree,
    author   = {Ram Pai linuxram@us.ibm.com},
    title    = {Shared Subtrees},
    date     = {2005-11-07},
    url      = {https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt},
    urldate  = {2022-09-09},
    keywords = {mount namespaces shared subtree Linux kernel}
}
@online{lwn_io_uring,
    author   = {Jonathan Corbet},
    title    = {Ringing in a new asynchronous I/O API},
    date     = {2019-01-15},
    url      = {https://lwn.net/Articles/776703/},
    urldate  = {2022-09-10},
    keywords = {io_uring Linux kernel asynchronous I/O},
}
@online{lwn_io_uring_2,
    author   = {Jonathan Corbet},
    title    = {The rapid growth of io\_uring},
    date     = {2020-01-24},
    url      = {https://lwn.net/Articles/810414/},
    urldate  = {2022-11-14},
    keywords = {io_uring Linux kernel asynchronous I/O},
}
@online{io_uring_kernel_recipes,
    author = {Jens Axboe},
    title = {Kernel Recipes 2019 – Faster IO through io\_uring},
    date = {2019-09-27},
    url = {https://kernel-recipes.org/en/2019/talks/faster-io-through-io_uring/},
    urldate = {2022-11-14},
    keywords = {io_uring Linux kernel asynchronous I/O},
}
@online{io_uring_paper,
    author = {Jens Axboe},
    title = {Efficient IO with io\_uring},
    date = {2019-10-15},
    url = {https://kernel.dk/io_uring.pdf},
    urldate = {2022-11-14},
    keywords = {io_uring Linux kernel asynchronous I/O},
}
@online{man_pid_namespaces,
    author   = {man-pages project},
    title    = {pid\_namespaces - overview of Linux PID namespaces},
    url      = {https://man7.org/linux/man-pages/man7/pid_namespaces.7.html},
    urldate  = {2022-11-13},
    keywords = {pid namespaces Linux kernel},
}
@online{man_mount_namespaces,
    author   = {man-pages project},
    title    = {mount\_namespaces - overview of Linux mount namespaces},
    url      = {https://man7.org/linux/man-pages/man7/mount_namespaces.7.html},
    urldate  = {2023-10-20},
    keywords = {mount namespaces Linux kernel},
}
@online{man_poll,
    author   = {man-pages project},
    title    = {poll, ppoll - wait for some event on a file descriptor},
    url      = {https://man7.org/linux/man-pages/man2/poll.2.html},
    urldate  = {2022-11-14},
    keywords = {poll syscall Linux kernel},
}
@online{man_recvmsg,
    author   = {man-pages project},
    title    = {recv, recvfrom, recvmsg - receive a message from a socket},
    url      = {https://man7.org/linux/man-pages/man2/recv.2.html},
    urldate  = {2022-11-19},
    keywords = {read syscall Linux kernel},
}
@online{man_prctl,
    author   = {man-pages project},
    title    = {prctl - operations on a process or thread},
    url      = {https://man7.org/linux/man-pages/man2/prctl.2.html},
    urldate  = {2022-11-14},
    keywords = {prctl syscall Linux kernel},
}
@online{man_getppid,
    author   = {man-pages project},
    title    = {getpid, getppid - get process identification},
    url      = {https://man7.org/linux/man-pages/man2/getppid.2.html},
    urldate  = {2022-11-14},
    keywords = {getppid syscall Linux kernel},
}
@online{man_getrlimit_setrlimit_prlimit,
    author   = {man-pages project},
    title    = {getrlimit, setrlimit, prlimit - get/set resource limits},
    url      = {https://man7.org/linux/man-pages/man2/prlimit.2.html},
    urldate  = {2023-10-18},
    keywords = {getrlimit setrlimit prlimit syscall Linux kernel},
}
@online{man_pidfd_open,
    author   = {man-pages project},
    title    = {pidfd\_open - obtain a file descriptor that refers to a process},
    url      = {https://man7.org/linux/man-pages/man2/pidfd_open.2.html},
    urldate  = {2022-11-14},
    keywords = {pidfd_open syscall Linux kernel},
}
@online{man_setuid,
    author   = {man-pages project},
    title    = {setuid - set user identity},
    url      = {https://man7.org/linux/man-pages/man2/setuid.2.html},
    urldate  = {2023-10-18},
    keywords = {setuid syscall Linux kernel},
}
@online{man_open,
    author   = {man-pages project},
    title    = {open, openat, creat - open and possibly create a file},
    url      = {https://man7.org/linux/man-pages/man2/open.2.html},
    urldate  = {2023-03-15},
    keywords = {open syscall Linux kernel},
}
@online{man_seccomp,
    author   = {man-pages project},
    title    = {seccomp - operate on Secure Computing state of the process},
    url      = {https://man7.org/linux/man-pages/man2/seccomp.2.html},
    urldate  = {2023-03-15},
    keywords = {seccomp syscall Linux kernel},
}
@online{man_ptrace,
    author   = {man-pages project},
    title    = {ptrace - process trace},
    url      = {https://man7.org/linux/man-pages/man2/ptrace.2.html},
    urldate  = {2023-03-15},
    keywords = {ptrace syscall Linux kernel},
}
@online{man_unix,
    author   = {man-pages project},
    title    = {unix - sockets for local interprocess communication},
    url      = {https://man7.org/linux/man-pages/man7/unix.7.html},
    urldate  = {2023-10-20},
    keywords = {unix socket SCM_RIGHTS syscall Linux kernel},
}
@online{man_execveat,
    author   = {man-pages project},
    title    = {execveat - execute program relative to a directory file descriptor},
    url      = {https://man7.org/linux/man-pages/man2/execveat.2.html},
    urldate  = {2023-10-20},
    keywords = {execveat syscall Linux kernel},
}
@online{kvm_website,
    author   = {},
    title    = {Official website of Kernel Virtual Machine},
    url      = {https://www.linux-kvm.org/},
    urldate  = {2022-11-23},
    keywords = {KVM virtualization virtual machine Linux kernel},
}
@online{qemu_website,
    author   = {},
    title    = {Official website of QEMU --- A generic and open source machine emulator and virtualizer},
    url      = {https://www.qemu.org/},
    urldate  = {2022-11-23},
    keywords = {QEMU virtualization virtual machine Linux kernel},
}
@online{virtualbox_website,
    author   = {Oracle},
    title    = {Official website of VirtualBox},
    url      = {https://www.virtualbox.org/},
    urldate  = {2022-11-23},
    keywords = {virtualbox virtualization virtual machine},
}
@online{vmware_workstation_website,
    author   = {VMWare},
    title    = {Official website of VMWare Workstation},
    url      = {https://www.vmware.com/products/workstation/},
    urldate  = {2022-11-23},
    keywords = {vmware workstation virtualization virtual machine},
}
@online{podman_rootless_containers_presentation,
    author   = {Giuseppe Scrivano},
    title    = {Rootless containers with Podman
and fuse-overlayfs},
    date     = {2019-06-04},
    url      = {https://indico.cern.ch/event/757415/contributions/3421994/attachments/1855302/3047064/Podman_Rootless_Containers.pdf},
    urldate  = {2022-11-28},
    keywords = {rootless containers Linux CernVm Workshop},
}
@online{rootless_containers_rs,
    author   = {rootlesscontaine.rs},
    title    = {Rootless Containers},
    url      = {https://rootlesscontaine.rs},
    urldate  = {2022-11-28},
    keywords = {rootless containers Linux},
}
@online{systemd_nspawn,
    author   = {systemd},
    title    = {systemd-nspawn — Spawn a command or OS in a light-weight container},
    url      = {https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html},
    urldate  = {2022-11-28},
    keywords = {systemd-nspawn containers Linux},
}
@online{sim_project,
    author   = {Krzysztof Małysa},
    title    = {Sim project},
    url      = {https://github.com/varqox/sim},
    urldate  = {2023-03-15},
    keywords = {online judge competitive programming Linux},
}
@online{sip,
    author   = {Krzysztof Małysa},
    title    = {Sip -- a tool for preparing problem packages for the Sim platform},
    url      = {https://github.com/varqox/sip},
    urldate  = {2023-03-15},
    keywords = {online judge competitive programming Linux preparing problem packages},
}
@online{proot,
    author   = {},
    title    = {PRoot — chroot, mount --bind, and binfmt\_misc without privilege/setup},
    url      = {https://proot-me.github.io},
    urldate  = {2023-03-29},
    keywords = {linux ptrace syscalls chroot rootfs chroot-environment userland-exec},
}
@online{perf,
    title={perf: Linux profiling with performance counters},
    url={https://perf.wiki.kernel.org/index.php/Main_Page},
    urldate = {2023-11-25},
    keywords = {linux perf},
}
@article{Merkel:2014:DLL:2600239.2600241,
  abstract = {Docker promises the ability to package applications and their dependencies into lightweight containers that move easily between different distros, start up quickly and are isolated from each other.},
  acmid = {2600241},
  added-at = {2017-10-22T14:23:58.000+0200},
  address = {Houston, TX},
  articleno = {2},
  author = {Merkel, Dirk},
  biburl = {https://www.bibsonomy.org/bibtex/21068627bcea58a3a8a0175e7e223cadc/marcsaric},
  description = {Docker},
  interhash = {a7d0ad142659c9c7b601d357bcf4a64a},
  intrahash = {1068627bcea58a3a8a0175e7e223cadc},
  issn = {1075-3583},
  issue_date = {March 2014},
  journal = {Linux J.},
  keywords = {docker linux software},
  month = mar,
  number = 239,
  publisher = {Belltown Media},
  timestamp = {2017-10-22T14:23:58.000+0200},
  title = {Docker: Lightweight Linux Containers for Consistent Development and Deployment},
  url = {http://dl.acm.org/citation.cfm?id=2600239.2600241},
  volume = 2014,
  year = 2014
}
@inproceedings{conf/cisis/BeserraMEBSF15,
  added-at = {2016-04-27T00:00:00.000+0200},
  author = {Beserra, David and Moreno, Edward David and Endo, Patricia Takako and Barreto, Jymmy and Sadok, Djamel and Fernandes, Stenio},
  biburl = {https://www.bibsonomy.org/bibtex/21c79dda5eb7ebf500ebca33176fc0b1a/dblp},
  booktitle = {CISIS},
  crossref = {conf/cisis/2015},
  ee = {http://doi.ieeecomputersociety.org/10.1109/CISIS.2015.53},
  interhash = {0d43d30f1993e94dff6a02006deb8ee9},
  intrahash = {1c79dda5eb7ebf500ebca33176fc0b1a},
  isbn = {978-1-4799-8870-9},
  keywords = {dblp},
  pages = {358-363},
  publisher = {IEEE Computer Society},
  timestamp = {2016-04-28T11:39:58.000+0200},
  title = {Performance Analysis of LXC for HPC Environments.},
  url = {http://dblp.uni-trier.de/db/conf/cisis/cisis2015.html#BeserraMEBSF15},
  year = 2015
}
@inproceedings{time_of_check_time_of_use,
    author = {Jinpeng Wei and Calton Pu},
    title = {{TOCTTOU} Vulnerabilities in {UNIX-Style} File Systems: An Anatomical Study},
    booktitle = {4th USENIX Conference on File and Storage Technologies (FAST 05)},
    year = {2005},
    address = {San Francisco, CA},
    url = {https://www.usenix.org/conference/fast-05/tocttou-vulnerabilities-unix-style-file-systems-anatomical-study},
    publisher = {USENIX Association},
    month = dec,
}
@article{LEE2017350,
title = {Design and implementation of the secure compiler and virtual machine for developing secure IoT services},
journal = {Future Generation Computer Systems},
volume = {76},
pages = {350-357},
year = {2017},
issn = {0167-739X},
doi = {https://doi.org/10.1016/j.future.2016.03.014},
url = {https://www.sciencedirect.com/science/article/pii/S0167739X16300589},
author = {YangSun Lee and Junho Jeong and Yunsik Son},
keywords = {Secure software, IoT services, S/W weakness, Program analysis, Compiler construction, Virtual machine},
abstract = {Recent years have seen the development of computing environments for IoT (Internet of Things) services, which exchange large amounts of information using various heterogeneous devices that are always connected to networks. Since the data communication and services occur on a variety of devices, which not only include traditional computing environments and mobile devices such as smartphones, but also household appliances, embedded devices, and sensor nodes, the security requirements are becoming increasingly important at this point in time. Already, in the case of mobile applications, security has emerged as a new issue, as the dissemination and use of mobile applications have been rapidly expanding. This software, including IoT services and mobile applications, is continuously exposed to malicious attacks by hackers, because it exchanges data in the open Internet environment. The security weaknesses of this software are the direct cause of software breaches causing serious economic loss. In recent years, the awareness that developing secure software is intrinsically the most effective way to eliminate the software vulnerability, rather than strengthening the security system of the external environment, has increased. Therefore, methodology based on the use of secure coding rules and checking tools is attracting attention to prevent software breaches in the coding stage to eliminate the above vulnerabilities. This paper proposes a compiler and a virtual machine with secure software concepts for developing secure and trustworthy services for IoT environments. By using a compiler and virtual machine, we approach the problem in two stages: a prevention stage, in which the secure compiler removes the security weaknesses from the source code during the application development phase, and a monitoring stage, in which the secure virtual machine monitors abnormal behavior such as buffer overflow attacks or untrusted input data handling while applications are running.}
}
@inproceedings{prevelakis2001sandboxing,
  title={Sandboxing Applications.},
  author={Prevelakis, Vassilis and Spinellis, Diomidis},
  booktitle={Usenix annual technical conference, freenix track},
  pages={119--126},
  year={2001},
  organization={Citeseer}
}
@INPROCEEDINGS{5635141,
  author={van der Burg, Sander and Dolstra, Eelco},
  booktitle={2010 IEEE 21st International Symposium on Software Reliability Engineering},
  title={Automating System Tests Using Declarative Virtual Machines},
  year={2010},
  volume={},
  number={},
  pages={181-190},
  doi={10.1109/ISSRE.2010.34}
}
@article{marevs2012new,
  title={A New Contest Sandbox.},
  author={Mare{\v{s}}, Martin and Blackham, Bernard},
  journal={Olympiads in Informatics},
  volume={6},
  pages={100-109},
  year={2012},
  publisher = {Vilnius University},
  url = {https://ioi.te.lv/oi/pdf/INFOL094.pdf},
}
@online{sio2jail,
  title={SIO2Jail: A tool for supervising execution of programs submitted in algorithmic competitions},
  author={Wojciech Dubiel, Tadeusz Dudkiewicz, Przemysław Kozłowski and Maciej Wachulec},
  year={2018},
  keywords={Linux namespaces, seccomp, sandboxing, CPU time limit, Olympiad in Informatics, programming competitions},
  abstract={Following thesis describes SIO2Jail, a tool for fair and repeatable measurement during algorithmic competitions. In adopted model programs are judged based on correctness, and speed - expressed in number of instructions.
SIO2Jail has been compared with the previous solution - oitimetool. Both were tested in regards to efficiency and accuracy. New solution was thereafter deployed in a production environment as an alternative, available tool.},
},
@article{SPACEK20151665,
title = {Docker as Platform for Assignments Evaluation},
journal = {Procedia Engineering},
volume = {100},
pages = {1665-1671},
year = {2015},
note = {25th DAAAM International Symposium on Intelligent Manufacturing and Automation, 2014},
issn = {1877-7058},
doi = {https://doi.org/10.1016/j.proeng.2015.01.541},
url = {https://www.sciencedirect.com/science/article/pii/S1877705815005688},
author = {František Špaček and Radomír Sohlich and Tomáš Dulík},
keywords = {Linux, Docker, Containers, Sandbox, Assignments evaluation},
abstract = {Programming courses are significant part of IT experts’ education process. To being able to provide adequate teaching quality in such courses, lecturers should be exempted from routine tasks like source code compilation, testing and grading. Current computers are equipped with enough computational power to automate these routine tasks. This paper discusses the analysis and realization of such a system for user submitted automatic source code evaluation. The main system requirement was the safe runtime environment (sandbox) for executing potentially dangerous programs. Container based platform Docker was selected after research of ready to use sandbox technologies. This platform simplifies access to isolation mechanism which are implemented in the current Linux kernel and provides API for system integration. The implemented system around Docker platform is named APAC (Automatic Programming Assignment Checker). In the paper APAC's architecture and implementation are described and discussed.}
}
@article{merry2010performance,
  title={Performance analysis of sandboxes for reactive tasks},
  author={Merry, Bruce},
  journal={Olympiads in Informatics},
  volume={4},
  pages={87--94},
  year={2010}
}
@article{merry2009using,
  title={Using a Linux security module for contest security},
  author={Merry, Bruce},
  journal={Olympiads in Informatics},
  volume={3},
  pages={67--73},
  year={2009}
}
@article{kolstad2009infrastructure,
  title={Infrastructure for contest task development},
  author={Kolstad, Rob},
  journal={Olympiads in Informatics},
  volume={3},
  pages={38--59},
  year={2009}
}
@article{tochev2010validating,
  title={Validating the Security and Stability of the Grader for a Programming Contest System.},
  author={Tochev, Tocho and Bogdanov, Tsvetan},
  journal={Olympiads in Informatics},
  volume={4},
  pages={113-119},
  year={2010}
}
@article{marevs2007perspectives,
  title={Perspectives on grading systems},
  author={Mare{\v{s}}, Martin},
  journal={Olympiads in Informatics},
  pages={124--130},
  year={2007}
}
@article{marevs2011fairness,
  title={Fairness of Time Constraints.},
  author={Mare{\v{s}}, Martin},
  journal={Olympiads in Informatics},
  volume={5},
  pages={92--102},
  year={2011}
}
@article{yee2010native,
  title={Native client: A sandbox for portable, untrusted x86 native code},
  author={Yee, Bennet and Sehr, David and Dardyk, Gregory and Chen, J Bradley and Muth, Robert and Ormandy, Tavis and Okasaka, Shiki and Narula, Neha and Fullagar, Nicholas},
  journal={Communications of the ACM},
  volume={53},
  number={1},
  pages={91--99},
  year={2010},
  publisher={ACM New York, NY, USA}
}
@inproceedings{jana2011txbox,
  title={TxBox: Building secure, efficient sandboxes with system transactions},
  author={Jana, Suman and Porter, Donald E and Shmatikov, Vitaly},
  booktitle={2011 IEEE Symposium on Security and Privacy},
  pages={329--344},
  year={2011},
  organization={IEEE}
}
@inproceedings{li2014minibox,
  title={$\{$MiniBox$\}$: A $\{$Two-Way$\}$ Sandbox for x86 Native Code},
  author={Li, Yanlin and McCune, Jonathan and Newsome, James and Perrig, Adrian and Baker, Brandon and Drewry, Will},
  booktitle={2014 USENIX annual technical conference (USENIX ATC 14)},
  pages={409--420},
  year={2014}
}
@article{garfinkel2004janus,
  title={Janus: A practical tool for application sandboxing},
  author={Garfinkel, T},
  journal={http://www. cs. berkeley. edu/daw/janus},
  year={2004}
}
@inproceedings{garfinkel2004ostia,
  title={Ostia: A Delegating Architecture for Secure System Call Interposition.},
  author={Garfinkel, Tal and Pfaff, Ben and Rosenblum, Mendel and others},
  booktitle={NDSS},
  year={2004}
}
@inproceedings{provos2003improving,
  title={Improving Host Security with System Call Policies.},
  author={Provos, Niels},
  booktitle={USENIX Security Symposium},
  pages={257--272},
  year={2003}
}
@inproceedings{kim2013practical,
  title={Practical and effective sandboxing for non-root users},
  author={Kim, Taesoo and Zeldovich, Nickolai},
  booktitle={2013 USENIX Annual Technical Conference (USENIX ATC 13)},
  pages={139--144},
  year={2013}
}
@article{raknes2016nsroot,
  title={nsroot: Minimalist process isolation tool implemented with linux namespaces},
  author={Raknes, Inge Alexander and Fjukstad, Bj{\o}rn and Bongo, Lars Ailo},
  journal={arXiv preprint arXiv:1609.03750},
  year={2016}
}
@online{netblue30/firejail,
    author={netblue30/firejail},
    title={Linux namespaces and seccomp-bpf sandbox.},
    url={https://github.com/netblue30/firejail},
    urldate={2023-10-17},
}
@online{google/nsjail,
    author={Google},
    title={A light-weight process isolation tool, making use of Linux namespaces and seccomp-bpf syscall filters},
    url={https://github.com/google/nsjail},
    urldate={2023-10-17},
}
@online{flatpak,
    author={Flatpak},
    title={Flatpak - the future of application distribution},
    url={https://flatpak.org/},
    urldate={2023-10-17},
}
@inproceedings{mccune2010trustvisor,
  title={TrustVisor: Efficient TCB reduction and attestation},
  author={McCune, Jonathan M and Li, Yanlin and Qu, Ning and Zhou, Zongwei and Datta, Anupam and Gligor, Virgil and Perrig, Adrian},
  booktitle={2010 IEEE Symposium on Security and Privacy},
  pages={143--158},
  year={2010},
  organization={IEEE}
}
@online{cwe_toctou,
    title={CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition},
    url={https://cwe.mitre.org/data/definitions/367.html},
    urldate={2023-10-19},
}
@online{bubblewrap,
    title={Low-level unprivileged sandboxing tool used by Flatpak and similar projects},
    url={https://github.com/containers/bubblewrap},
    urldate={2023-10-19},
}
@inproceedings{cochak2021runc,
  title={RunC and Kata runtime using Docker: a network perspective comparison},
  author={Cochak, Henrique Zanela and Koslovski, Guilherme Pi{\^e}gas and Pillon, Maur{\'\i}cio Aronne and Miers, Charles Christian},
  booktitle={2021 IEEE Latin-American Conference on Communications (LATINCOM)},
  pages={1--6},
  year={2021},
  organization={IEEE}
}
@online{strace,
    title={strace - trace system calls and signals},
    url={https://man7.org/linux/man-pages/man1/strace.1.html},
    urldate={2023-10-20},
}
@onilne{bubblewrap_cve,
    title={CVE-2017-5226 -- Bubblewrap escape},
    url={https://security-tracker.debian.org/tracker/CVE-2017-5226},
    urldate={2023-10-22},
}