Samuel P. Mullinix,Erikton Konomi,Renee Davis Townsend,Reza M. Parizi

DOI: https://doi.org/10.48550/arXiv.2008.04814

2020-08-12

Abstract:Linux containers have risen in popularity in the last few years, making their way to commercial IT service offerings (such as PaaS), application deployments, and Continuous Delivery/Integration pipelines within various development teams. Along with the wide adoption of Docker, security vulnerabilities and concerns have also surfaced. In this survey, we examine the state of security for the most popular container system at the moment: Docker. We will also look into its origins stemming from the Linux technologies built into the OS itself; examine intrinsic vulnerabilities, such as the Docker Image implementation; and provide an analysis of current tools and modern methodologies used in the field to evaluate and enhance its security. For each section, we pinpoint metrics of interest, as they have been revealed by researchers and experts in the domain and summarize their findings to paint a holistic picture of the efforts behind those findings. Lastly, we look at tools utilized in the industry to streamline Docker security scanning and analytics which provide built-in aggregation of key metrics.

Cryptography and Security,Software Engineering

Wei Liu,Jun Yan,Xingshen Wei,Haiqing Wang,Shishun Zhu

DOI: https://doi.org/10.1109/cieec50170.2021.9510589

2021-05-28

Abstract:In recent years, due to the elastic container technical characteristics and active open source community support, container technology has become an important basic technology for the new digital infrastructure of power. Now, the container technology is very popular and widely used in power cloud platform, but the problem of power system security risk caused by container can’t be ignored. Aiming at the problem of container security, this paper proposes a lightweight container security enhancement framework. Based on the methods of lightweight hardware virtualization isolation, cloud trust, and transparent encryption and decryption of container data, we implemented the container framework in the power cloud platform. Experiments show that the mechanism has played a practical role and has little impact on the business in terms of performance.

Jiahao Sun,Chengrong Wu,Jiawei Ye

DOI: https://doi.org/10.1109/smartcloud49737.2020.00010

2020-01-01

Abstract:Compared to the virtual machine, containers that share the host's operating system kernel is a more lightweight virtualization technology. The container technology makes it easier and faster to deploy and update applications and the container orchestration technology provide people with a powerful tools to manage containers which make the clouds based on containers become popular. But at the same time, the container technology also introduces many security challenges. Among them, the vulnerabilities and malware in container images, as well as some wrong settings that violate security compliance rules, have become main potential security threats. In addition, tampered malicious images are likely to become entry points for the attacks to the cloud platform infrastructure and other containers. In this paper, we proposes a container cloud security enhancement system, based on blockchain technology. On the one hand, this system combines multi-apsects security checks to prevent the upload of images that contain security threats to the cloud environment. on the other hand, Using blockchain technology to verify the integrity of the image and record the information about security to prevent the generation of malicious containers based on tampered images. In addition, the security of the container cloud environment is further improved by scanning the images in the image repositories periodically, patching the images and upgrading the running containers in the cloud.

Delu Huang,Handong Cui,Shihao Wen,Cheng Huang

DOI: https://doi.org/10.1109/ICCC47050.2019.9064441

2019-01-01

Abstract:Docker container technology is an emerging virtualization technology which has a very high efficiency in the phases of development and deployment. Although Docker container technology shows better convenience than traditional virtualization technology-virtual machine, it suffers the poor security due to the unmatured auditing procedures of Docker image releasing. Thus, to protect the security of host computer or local Docker containers from the attacks of malicious Docker containers, it is necessary to detect the potential threats existing in Docker images and find the risks when Docker container instances run in the host computer. This paper gives a detailed analysis on Docker's existing security mechanisms and the main threats Docker users must face. Finally, the corresponding threats detection techniques for Docker images and Docker container instances are presented, and the experiment result proves the effectivity of the proposed detection framework.

Dongyang Zhan,Kai Tan,Lin Ye,Haining Yu,Hao Liu

DOI: https://doi.org/10.32604/cmc.2021.019432

2021-01-01

Abstract:: Cloud computing plays an important role in today’s Internet environment, which meets the requirements of scalability, security and reliability by using virtualization technologies. Container technology is one of the two mainstream virtualization solutions. Its lightweight, high deployment effi-ciency make container technology widely used in large-scale cloud computing. While container technology has created huge benefits for cloud service providers and tenants, it cannot meet the requirements of security monitoring and management from a tenant perspective. Currently, tenants can only run their security monitors in the target container, but it is not secure because the attacker is able to detect and compromise the security monitor. In this paper, a secure external monitoring approach is proposed to monitor target containers in another management container. The management container is transparent for target containers, but it can obtain the executing information of target containers, providing a secure monitoring environment. Security monitors running inside management containers are secure for the cloud host, since the management containers are not privileged. We implement the transparent external management containers by performing the one-way isolation of processes and files. For process one-way isolation, we leverage Linux namespace technology to let management container become the parent of target containers. By mounting the file system of target container to that of the management container, file system one-way isolation is achieved. Compared with the existing host-based monitoring approach, our approach is more secure and suitable in the cloud environment.

Zhaofeng Yu,Lin Ye,Hongli Zhang,Dongyang Zhan

DOI: https://doi.org/10.1007/978-3-030-78612-0_8

2021-01-01

Abstract:In recent years, container technology has been widely used in cloud computing, so the security monitoring technology for containers has also received widespread attention. To enhance the isolation of containers, cloud service providers usually run containers in different virtual machines. In this environment, in-container security tools can be detected or attacked by in-container attackers, and in-VM security tools face the risk of container escape attacks. This paper proposes a container-oriented virtual machine introspection technology to secure containers in cloud computing. It runs in cloud hypervisor and analyzes in-VM containers, so it is more secure and transparent. Even though there is container escaping to the operating system of VM, the security monitors are secure. Firstly, our approach automatically identifies the namespace and container processes in the virtual machine from outside by using virtual machine introspection technology. Secondly, security analysis is performed on processes belonging to different containers in the virtual machine, and our system can perform real-time abnormal response based on the analysis results. Finally, our system can monitor container escape behaviors from outside. Experimental results show that the approach proposed in this paper can automatically perform security analysis for different containers, and can monitor container escape behaviors with acceptable overhead.

Sohome Adhikari,Sabur Baidya

2024-04-28

Abstract:The paper reviews the comparative study of security measures, challenges, and best practices with a view to enhancing cyber safety in containerized platforms. This review is intended to give insight into the enhanced security posture of containerized environments, with a view to examining safety vulnerabilities in containerization platforms, exploring strategies for increasing containers isolation and assessing how encryption techniques play an important role in providing secure applications. The paper also provides practical guidance for organizations seeking to strengthen their cyber security defenses in the containerization area platforms.

Cryptography and Security

Baohua Zhao,Zhihao Wang,Ningyu An,Chunhui Ren

DOI: https://doi.org/10.1088/1742-6596/1871/1/012016

2021-01-01

Journal of Physics Conference Series

Abstract:Container technology has a series of advantages such as low physical resource consumption, fast startup speed, high concurrency, and can run in a variety of environments. It is widely used in scenarios such as big data and cloud computing. Container technology has certain advantages in performance, but there are some shortcomings in security. The container technology shares the kernel with the host, and its security mainly depends on the host. Once the attacker breaks through the host’s defense, he can easily access the files deployed in the container, steal or tamper with the file data, and cause losses to users and users. In response to the above problems, this paper proposes a container-oriented isolation control technology, which realizes further isolation of files inside the container by adding domain names to programs and files. If the program domain name matches the file part, the files in the current container cannot be accessed, and the security of the files in the container can be effectively ensured after the host is compromised.

Lijun Wang,Haodong Zou,Ling Wang,Xin Chen,Jinghang Yu

DOI: https://doi.org/10.1109/ICEACE60673.2023.10442536

2023-01-01

Abstract:In recent years, cloud computing technology has been widely applied, and virtualization technology is an important supporting technology. Different from virtual machine technology, container technology has been widely used due to its advantages of elasticity, scalability, lightweight, high availability, high resource utilization, agility, and support for rapid dynamic expansion. However, it has also brought new container security issues. This paper proposes a node security determination method to evaluate container security to achieve node security determination.

Qingyang Zeng,Mohammad Kavousi,Yinhong Luo,Ling Jin,Yan Chen

DOI: https://doi.org/10.1016/j.cose.2023.103173

IF: 5.105

2023-01-01

Computers & Security

Abstract:Cloud-native systems have recently emerged as one of the most popular platforms for application development, providing lightweight virtualization, simplified DevOps procedures, scaling, resource efficiency, monitoring, and more. The typical cloud-native system may include containers, container orchestrators, and service meshes. However, a number of attacks exploit vulnerabilities in different components, leading the attacker to gain control over the cloud-native system. In this paper, we collect, classify, exploit, and mitigate vulnerabilities of different components. Firstly, we choose Docker, Kubernetes, and Istio as the most popular cloud technologies and give each an overview. Secondly, we give an in-depth analysis of the vulnerabilities. We collect cloud-native vulnerabilities over the past five years and propose two classifications of those vulnerabilities. One is based on the architecture of the component, and the other is based on the attack enabled. We exploit vulnerabilities that enable us to discover some insightful findings and provide mitigation solutions. Third, we analyze 15 open-source security tools provided for the cloud-native environment. We argue that among all these security tools, none of them covers all features which we will discuss in this paper. We believe that our analysis of cloud security vulnerabilities and open-source security tools can benefit the security of the cloud-native ecosystem.

Wenbo Shen,Yifei Wu,Yutian Yang,Qirui Liu,Nanzi Yang,Jinku Li,Kangjie Lu,Jianfeng Ma

DOI: https://doi.org/10.1109/tdsc.2024.3403920

2024-01-01

Abstract:OS-level virtualization (a.k.a. container) has become a fundamental technology in cloud computing due to the efficiency provided by the shared-kernel design. However, this design results in containers sharing thousands of kernel variables and data structures (termed abstract resources ), which are prevalent but under-protected. Without exploiting other kernel vulnerabilities, a non-privileged container can easily exhaust abstract resources to cause DoS attacks against other containers. Even worse, our experiments demonstrate that abstract resource attacks are a broad class of attacks that affect Linux, FreeBSD, Fuchsia, and all shared-kernel container environments on the top four cloud vendors. To defend against the abstract resource attack, we automatically analyze vulnerable abstract resources in the Linux kernel and detect 501 container-exhaustible resources. To confine these abstract resources dynamically, we propose two new techniques: the flexible in-kernel attachment for flexible resource consumption attachment and the tree-based resource accounting for efficient usage retrieval. Based on these two techniques, we design and implement a fl exible a bstract re s ource confinement framewor k , named Flask, to achieve flexible and efficient abstract resource confinement. Our evaluation shows Flask can efficiently limit abstract resource usage with less than 0.6% performance overhead.

Bipin Gajbhiye,Om Goel,Pandi Kirupa Gopalakrishna Pandian

DOI: https://doi.org/10.36676/jqst.v1.i2.16

2024-06-30

Abstract:The rise of containerized environments, exemplified by Docker and Kubernetes, has revolutionized software deployment and orchestration, enabling agile development and efficient resource utilization. However, the adoption of these technologies also introduces unique security challenges that organizations must address to safeguard their applications and infrastructure. This paper explores the complexities of managing vulnerabilities in containerized and Kubernetes environments, offering a comprehensive analysis of the potential risks and strategies to mitigate them.Containers encapsulate applications with their dependencies, ensuring consistency across different environments. However, this encapsulation can mask underlying vulnerabilities in the application code, base images, or third-party libraries. The ephemeral nature of containers, designed to be short-lived and scalable, adds another layer of complexity, as vulnerabilities can propagate rapidly across environments if not detected and addressed promptly. Moreover, the shared nature of the underlying host operating system and kernel in containerized environments increases the attack surface, making it crucial to secure both the containers and the host.Kubernetes, as a powerful orchestration platform, introduces additional layers of complexity in vulnerability management. The dynamic nature of Kubernetes clusters, with their multiple components such as pods, services, and nodes, can lead to misconfigurations, inadequate access controls, and exposure to security threats. Misconfigurations, such as overly permissive network policies or improper role-based access controls (RBAC), can lead to unauthorized access, privilege escalation, and data breaches. Additionally, the integration of third-party plugins and extensions into Kubernetes clusters can introduce new vulnerabilities, making it imperative to monitor and manage these components effectively.This paper delves into several key aspects of vulnerability management in containerized and Kubernetes environments. Firstly, it examines the importance of securing container images by employing best practices such as using minimal base images, regularly updating images, and scanning them for known vulnerabilities. The paper highlights the role of image scanning tools that can detect vulnerabilities in both base images and application code, emphasizing the need for continuous scanning throughout the development lifecycle.Secondly, the paper discusses the significance of runtime security in containerized environments. While securing container images is critical, monitoring and protecting containers during runtime is equally important. The paper explores tools and techniques for runtime security, including anomaly detection, behavior analysis, and intrusion detection systems that can identify and respond to threats in real-time.Furthermore, the paper addresses the challenges of managing vulnerabilities in Kubernetes clusters. It underscores the importance of securing the Kubernetes control plane, which includes securing API servers, etcd databases, and implementing stringent RBAC policies. The paper also explores the role of network security in Kubernetes, advocating for the use of network policies to control traffic flow between pods and ensure that only authorized communication is allowed.In addition to technical measures, the paper emphasizes the need for organizational practices to manage vulnerabilities effectively. This includes fostering a security-first culture, conducting regular security audits, and ensuring that development and operations teams are aligned on security best practices. The paper also highlights the importance of incident response planning and the need for rapid patching and updates to address newly discovered vulnerabilities.In conclusion, managing vulnerabilities in containerized and Kubernetes environments requires a multifaceted approach that combines technical measures with organizational practices. As organizations increasingly rely on these technologies for their application deployment and orchestration, a proactive and holistic approach to security is essential to mitigate risks and protect critical assets. This paper provides a roadmap for organizations to enhance their vulnerability management strategies, ensuring that their containerized and Kubernetes environments are secure, resilient, and capable of withstanding evolving threats.

Tahir Alyas,Sikandar Ali,Habib Ullah Khan,Ali Samad,Khalid Alissa,Muhammad Asif Saleem

DOI: https://doi.org/10.1155/2022/6819002

IF: 1.968

2022-08-13

Security and Communication Networks

Abstract:Containers have evolved to support microservice architecture as a low-cost alternative to virtual machines. Containers are increasingly prevalent in the virtualization landscape because of better working; containers can bear considerably less overhead than the conventional hypervisor-based component virtual machines. However, containers directly communicate with the host kernel, and attackers can co-locate containers in the host system quicker than virtual machines. This causes significant security issues in container technology. The security hardening system is currently targeted at implementing universal access management regulations that make it difficult to assess the required procedure for accessing containers. Security mechanisms include an explicit awareness of the purpose and actions of the container and entail manual interaction and configuration. A user-friendly container protection scheme implemented an access policy to comply with its anticipated and legitimate application performance. In this study, container technology constraints have been overcome by proposing a unique Docker-sec mechanism. Docker-sec uses four mechanisms; the original collection has been improved during container runtime by additional rules that constrain the capacity of the container, further representing the applications in practice, file system, processes, network isolation, and vulnerability scanning of Docker images over different workload. Different vulnerabilities have been scanned with a CVE severity level. Results showed that inter-container communication with the system is more secure containers from zero vulnerabilities with an overhead of 3.45%.

computer science, information systems,telecommunications

Xiaowei Zhao,Hong Yan,Jiantong Zhang

DOI: https://doi.org/10.1080/03088839.2016.1253883

2016-11-29

Abstract:Containers, which permit fast and safe handling between modal systems, are the main equipment used in intermodal transport. Unfortunately, enhancement of the efficiency and velocity of container operations has created a breach in traditional security, also known as container security. This paper presents a critical literature review of container security operations. We aim to identify current trends and future research directions in container security. We propose a classification framework based on the following elements: presenting the container security perspective, identifying threats, evaluating container security, balancing costs/benefits and the degree of security, balancing time savings/reduction and the degree of security, and securing containerized transportation processes. We discuss the current studies of these problems, the methodologies adopted and important insights into container security.

transportation

Yang Luo,Wu Luo,Xiaoning Sun,Qingni Shen,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/trustcom.2016.0119

2016-01-01

Abstract:Over the last few years, the cloud computing industry has witnessed the wider adoption of the container-based technologies. And it is obvious to see that Docker has become the de facto standard of the container-based approaches. However, the security mechanism of Docker is far from satisfaction owing to its rapid development without adequate security concerns. This paper primarily identifies several possible covert channels against Docker, which causes critical results like information leak between one container and another (or even the host). Furthermore, we also categorizes the Linux capabilities used by Docker into different groups and find a way to identify the misconfiguration of capabilities based on our classification result. We prove false-negative capabilities to be dangerous by finding a covert channel associated with them. The paper also demonstrates how false-positive capabilities are already well restricted by the current isolating mechanism of Docker via a call analysis approach. So these capabilities can be securely granted to the containers. The experimental results indicate that the proposed covert channels can reach a capacity as high as 733.5b/s at the precision no lower than 90%. At last, the paper discusses what could be done when using Docker to increase its level of security.

Kui Ren,Cong Wang,Qian Wang

DOI: https://doi.org/10.1109/MIC.2012.14

IF: 2.68

2012-01-01

IEEE Internet Computing

Abstract:Cloud computing represents today's most exciting computing paradigm shift in information technology. However, security and privacy are perceived as primary obstacles to its wide adoption. Here, the authors outline several critical security challenges and motivate further investigation of security solutions for a trustworthy public cloud environment.

Weiqi Zhang,Baosheng Wang,Wenping Deng,Hao Zeng

DOI: https://doi.org/10.1007/978-3-319-94268-1_74

2018-01-01

Abstract:The recent rise of container systems like Docker has created a lot of excitement in data center. Its ability to package, transfer and run application code across many different environments enables new levels of fluidity in how we manage applications. However, container's easy-to-manage and second-boot features increase the degree of network dispersion and management difficulties, which causes the networking and security issues in container network. Aiming at the lack of control in container network, this paper designs a network control architecture for large-scale container clusters to solve the key issue of large-scale container clusters deployment in the network adapter and isolation control. Specifically, we design two different container network models and a policy-based security isolation by using VLAN partition and iptables. The experimental results show that our network control architecture could achieve rapid VLAN division and accurate isolation of node-to-node communication.

Shouyin Xu,Yuewu Wang,Lingguang Lei,Kun Sun,Jiwu Jing,Siyuan Ma,Jie Wang,Heqing Huang

DOI: https://doi.org/10.1109/tifs.2024.3411915

IF: 7.231

2024-06-22

IEEE Transactions on Information Forensics and Security

Abstract:Container technology is widely adopted due to its features such as light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and the kernel permission data (usually non-control flow data) used by these mechanisms. None of the existing mitigation schemes for non-control flow data attacks provide an effective and practical solution to container security since they either trigger too much overhead, have limited effectiveness over attacks launched in specific ways, or can only be used to protect some specific kernel data. In addition, none of them accurately identify the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited by attack methods or data types. We then demystify the models of various kernel access control mechanisms in the container environment, and identify the subject and object permission data that are critical to container isolation. Finally, we provide a solution named Condo to enhance container isolation, which is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce the compromises of container isolation due to memory corruption attacks with an acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic

Yi He,Roland Guo,Yunlong Xing,Xijia Che,Kun Sun,Zhuotao Liu,Ke Xu,Qi Li

2023-01-01

Abstract:The extended Berkeley Packet Filter (eBPF) provides powerful and flexible kernel interfaces to extend the kernel functions for user space programs via running bytecode directly in the kernel space. It has been widely used by cloud services to enhance container security, network management, and system observability. However, we discover that the offensive eBPF that has been extensively discussed in Linux hosts can bring new attack surfaces to containers. With eBPF tracing features, attackers can break the container's isolation and attack the host, e.g., steal sensitive data, DoS, and even escape the container. In this paper, we study the eBPF-based cross container attacks and reveal their security impacts in real world services. With eBPF attacks, we successfully compromise five online Jupyter/Interactive Shell services and the Cloud Shell of Google Cloud Platform. Furthermore, we find that the Kubernetes services offered by three leading cloud vendors can be exploited to launch cross-node attacks after the attackers escape the container via eBPF. Specifically, in Alibaba's Kubernetes services, attackers can compromise the whole cluster by abusing their over-privileged cloud metrics or management Pods. Unfortunately, the eBPF attacks on containers are seldom known and can hardly be discovered by existing intrusion detection systems. Also, the existing eBPF permission model cannot confine the eBPF and ensure secure usage in shared-kernel container environments. To this end, we propose a new eBPF permission model to counter the eBPF attacks in containers.

Xinchen Xu,Aidong Xu,Yixin Jiang,Zhen Wang,Qianru Wang,Yunan Zhang,Hong Wen

DOI: https://doi.org/10.1088/1742-6596/1673/1/012067

2020-01-01

Journal of Physics Conference Series

Abstract:With the development of the 5G technology, edge computing will sink the computing center to the edge of the network close to the user, with low latency, high security, and lightweight features. The development of edge computing also puts forward a series of requirements for security, standardization, and unification. Docker container technology highly meets the existing needs of edge computing due to its lightweight, standardization, convenience, and security isolation. This article mainly analyzes the vulnerability of Docker containers and summarizes the security problems faced by the application of Docker container technology under edge computing systems. It also introduces a container monitoring software Prometheus and proposes a feasible edge computing risk monitoring model based on the Docker engine and Prometheus monitoring software.