Xing Gao,Zhongshu Gu,Zhengfa Li,Hani Jamjoom,Cong Wang

DOI: https://doi.org/10.1145/3319535.3354227

2019-01-01

Abstract:Linux Control Groups, i.e., cgroups, are the key building blocks to enable operating-system-level containerization. The cgroups mechanism partitions processes into hierarchical groups and applies different controllers to manage system resources, including CPU, memory, block I/O, etc. Newly spawned child processes automatically copy cgroups attributes from their parents to enforce resource control. Unfortunately, inherited cgroups confinement via process creation does not always guarantee consistent and fair resource accounting. In this paper, we devise a set of exploiting strategies to generate out-of-band>workloads via de-associating processes from their original process groups. The system resources consumed by such workloads will not be charged to the appropriate cgroups. To further demonstrate the feasibility, we present five case studies within Docker containers to demonstrate how to break the resource rein of cgroups in realistic scenarios. Even worse, by exploiting those cgroups' insufficiencies in a multi-tenant container environment, an adversarial container is able to greatly amplify the amount of consumed resources, significantly slow-down other containers on the same host, and gain extra unfair advantages on the system resources. We conduct extensive experiments on both a local testbed and an Amazon EC2 cloud dedicated server. The experimental results demonstrate that a container can consume system resources (e.g., CPU) as much as $200\times$ of its limit, and reduce both computing and I/O performance of particular workloads in other co-resident containers by 95%.

Haneul Lee,Soonhong Kwon,Jong-Hyouk Lee

DOI: https://doi.org/10.3390/electronics12040940

IF: 2.9

2023-02-16

Electronics

Abstract:Docker has become widely used as an open-source platform for packaging and running applications as containers. It is in the limelight especially at companies and IT developers that provide cloud services thanks to its advantages such as the portability of applications and being lightweight. Docker provides communication between multiple containers through internal network configuration, which makes it easier to configure various services by logically connecting containers to each other, but cyberattacks exploiting the vulnerabilities of the Docker container network, e.g., distributed denial of service (DDoS) and cryptocurrency mining attacks, have recently occurred. In this paper, we experiment with cyberattacks such as ARP spoofing, DDoS, and elevation of privilege attacks to show how attackers can execute various attacks and analyze the results in terms of network traffic, CPU consumption, and malicious reverse shell execution. In addition, by examining the attacks from the network perspective of the Docker container environment, we lay the groundwork for detecting and preventing lateral movement attacks that may occur between the Docker containers.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wenya Wang,Xingwei Lin,Jingyi Wang,Wang Gao,Dawu Gu,Wei Lv,Jiashui Wang

DOI: https://doi.org/10.1145/3576915.3616609

2023-01-01

Abstract:Node.js applications are becoming more and more widely adopted on the server side, partly due to the convenience of building these applications on top of the runtime provided by popular Node.js engines and the large number of third-party packages provided by the Node Package Management (npm) registry. Node.js provides Node.js applications with system interaction capabilities using system calls. However, such convenience comes with a price, i.e., the attack surface of JavaScript arbitrary code execution (ACE) vulnerabilities is expanded to the system call level. There lies a noticeable gap between existing protection techniques in the JavaScript code level (either by code debloating or read-write-execute permission restriction) and a targeted defense for emerging critical system call level exploitation. To fill the gap, we design and implement HODOR1, a lightweight runtime protection system based on enforcing precise system call restrictions when running a Node.js application. HODOR achieved this by addressing several nontrivial technical challenges. First, HODOR requires to construct high-quality call graphs for both the Node.js application (in JavaScript) and its underlying Node.js framework (in JavaScript and C/C++). Specifically, HODOR incorporates several important optimizations in both the JavaScript and C/C++ levels to improve the state-of-the-art tools for building more precise call graphs. Then, HODOR creates the main-thread whitelist and the thread-pool whitelist respectively containing the identified necessary system calls based on the call graphs mappings. Finally, with the whitelists, HODOR implements lightweight system call restriction using the Linux kernel feature Secure Computing Mode (seccomp) to shrink the attack surface. We utilize HODOR to protect 168 real-world Node.js applications compromised by arbitrary code/command execution attacks. HODOR could reduce the attack surface to 19.42% on average with negligible runtime overhead (i.e., <3%).

Mengqi Zhan,Yang Li,Huiran Yang,Guangxi Yu,Bo Li,Weiping Wang

DOI: https://doi.org/10.1109/tsc.2022.3194266

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:Denial of service (DoS) attacks have increasingly exploited vulnerabilities in algorithms or implementation methods in application-layer programs. In this type of attack, called CPU-exhaustion DoS attack, a few well-crafted requests may consume a lot of server resources, which is essentially different from traditional volumetric DoS attacks. Due to the lack of recognizable patterns, the traditional network-layer defense mechanism is usually unable to detect such sophisticated DoS attacks. In this article, we propose Coda, a framework for detecting application-layer CPU-exhaustion DoS attacks in containers. Coda monitors the CPU time consumed by each connection and uses statistical methods to detect attacks. It traces system calls and other related information from the container based on Linux eBPF at the host level. Some specific system calls are used to indicate the establishment and closure of the connection, which in turn indicate the start/end of the request processing. After triggering these specific system calls, Coda starts/ends monitoring the CPU time consumed by a connection. An attack can be detected when the CPU time consumed by an attack connection is statistically different from that consumed by a legitimate connection. Coda has the following key advantages. First, it works with programs built in different programming languages. Second, it remains agnostic to the source code of protected programs. Third, it supports monitoring the container and is transparent to the container. Through evaluation of real-world attacks, we demonstrate that Coda can accurately detect ongoing application-layer CPU-exhaustion DoS attacks with low additional overhead.

computer science, information systems, software engineering

Yang Luo,Wu Luo,Xiaoning Sun,Qingni Shen,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/trustcom.2016.0119

2016-01-01

Abstract:Over the last few years, the cloud computing industry has witnessed the wider adoption of the container-based technologies. And it is obvious to see that Docker has become the de facto standard of the container-based approaches. However, the security mechanism of Docker is far from satisfaction owing to its rapid development without adequate security concerns. This paper primarily identifies several possible covert channels against Docker, which causes critical results like information leak between one container and another (or even the host). Furthermore, we also categorizes the Linux capabilities used by Docker into different groups and find a way to identify the misconfiguration of capabilities based on our classification result. We prove false-negative capabilities to be dangerous by finding a covert channel associated with them. The paper also demonstrates how false-positive capabilities are already well restricted by the current isolating mechanism of Docker via a call analysis approach. So these capabilities can be securely granted to the containers. The experimental results indicate that the proposed covert channels can reach a capacity as high as 733.5b/s at the precision no lower than 90%. At last, the paper discusses what could be done when using Docker to increase its level of security.

Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Xuhao Wang,Qingni Shen,Wu Luo,Pengfei Wu

DOI: https://doi.org/10.1109/cloud49709.2020.00089

2020-01-01

Abstract:Container technology has been used for running multiple isolated operating system distros on a host or deploying large scale microservice-based applications. In most cases, containers share the same kernel with the host and other containers on the same host, and the application in the container can make system calls of the host kernel like a normal process on the host. Seccomp is a security mechanism for the Linux kernel, through which we can prohibit certain system calls from being executed by the program. Docker began to support the seccomp mechanism from version 1.10 and disables around 44 system calls out of 300+ by default. However, for a particular container, there are still many system calls that are unnecessary for running it allowed to be executed, and the abuse of system calls by a compromised container can trigger the security vulnerabilities of a host kernel. Unfortunately, Docker does not provide a way to get the necessary system calls for a particular container. In this paper, we propose RSDS, a method combining dynamic analysis and static analysis to get the necessary system calls for a particular container. Our experiments show that our solution can reduce system calls by 69.27%-85.89% compared to the default configuration on an x86-64 PC with Ubuntu 16.04 host OS and does not affect the functionalities of these containers.

Dongyang Zhan,Zhaofeng Yu,Xiangzhan Yu,Hongli Zhang,Lin Ye

DOI: https://doi.org/10.1109/tsc.2022.3173791

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:Linux Seccomp is widely used by the program developers and the system maintainers to secure the operating systems, which can block unused syscalls for different applications and containers to shrink the attack surface of the operating systems. However, it is difficult to configure the whitelist of a container or application without the help of program developers. Docker containers block about only 50 syscalls by default, and lots of unblocked useless syscalls introduce a big kernel attack surface. To obtain the dependent syscalls, dynamic tracking is a straight-forward approach but it cannot get the full syscall list. Static analysis can construct an over-approximated syscall list, but the list contains many false positives. In this paper, a systematic dependent syscall analysis approach, sysverify, is proposed by combining static analysis and dynamic verification together to shrink the kernel attack surface. The semantic gap between the binary executables and syscalls is bridged by analyzing the binary and the source code, which builds the mapping between the library APIs and syscalls systematically. To further reduce the attack surface at best effort, we propose a dynamic verification approach to intercept and analyze the security of the invocations of indirect-call-related or rarely invoked syscalls with low overhead.

Wenbo Shen,Yifei Wu,Yutian Yang,Qirui Liu,Nanzi Yang,Jinku Li,Kangjie Lu,Jianfeng Ma

DOI: https://doi.org/10.1109/tdsc.2024.3403920

2024-01-01

Abstract:OS-level virtualization (a.k.a. container) has become a fundamental technology in cloud computing due to the efficiency provided by the shared-kernel design. However, this design results in containers sharing thousands of kernel variables and data structures (termed abstract resources ), which are prevalent but under-protected. Without exploiting other kernel vulnerabilities, a non-privileged container can easily exhaust abstract resources to cause DoS attacks against other containers. Even worse, our experiments demonstrate that abstract resource attacks are a broad class of attacks that affect Linux, FreeBSD, Fuchsia, and all shared-kernel container environments on the top four cloud vendors. To defend against the abstract resource attack, we automatically analyze vulnerable abstract resources in the Linux kernel and detect 501 container-exhaustible resources. To confine these abstract resources dynamically, we propose two new techniques: the flexible in-kernel attachment for flexible resource consumption attachment and the tree-based resource accounting for efficient usage retrieval. Based on these two techniques, we design and implement a fl exible a bstract re s ource confinement framewor k , named Flask, to achieve flexible and efficient abstract resource confinement. Our evaluation shows Flask can efficiently limit abstract resource usage with less than 0.6% performance overhead.

Zhongqiang Chen,Zhongrong Chen,Alex Delis

DOI: https://doi.org/10.1093/comjnl/bxl042

2007-01-01

The Computer Journal

Abstract:By penetrating into a large number of machines and stealthily installing malicious pieces of code, a distributed denial of service (DDoS) attack constructs a hierarchical network and uses it to launch coordinated assaults. DDoS attacks often exhaust the network bandwidth, processing capacity and information resources of victims, thus, leading to unavailability of computing systems services. Various defense mechanisms for the detection, mitigation and/or prevention of DDoS attacks have been suggested including resource redundancy, traceback of attack origins and identification of programs with suspicious behavior. Contemporary DDoS attacks employ sophisticated techniques including formation of hierarchical networks, one-way communication channels, encrypted messages, dynamic ports allocation and source address spoofing to hide the attackers' identities; such techniques make both detection and tracing of DDoS activities a challenge and render traditional DDoS defense mechanisms ineffective. In this paper, we propose the DDoS Container, a comprehensive framework that uses network-based detection methods to overcome the above complex and evasive types of attacks; the framework operates in 'inline' mode to inspect and manipulate ongoing traffic in real-time. By keeping track of connections established by both potential DDoS attacks and legitimate applications, the suggested DDoS Container carries out stateful inspection on data streams and correlates events among sessions. The framework performs stream re-assembly and dissects the resulting aggregations against protocols followed by various known DDoS attacks facilitating their identification. The traffic pattern analysis and data correlation of the framework further enhance its detection accuracy on DDoS traffic camouflaged with encryption. Actions available on identified DDoS traffic range from simple alerting to message blocking and proactive session termination. Experimentation with the prototype of our DDoS Container shows its effectiveness in classifying DDoS traffic.

Yijiang Xu,Muxian Zhou,Qing Gao,Shikun Zhang,Zhonghai Wu

DOI: https://doi.org/10.1109/saner60148.2024.00101

2024-01-01

Abstract:With the widespread use of container technology, attackers may invade the kernel by maliciously executing certain system calls, causing damage to the host and other containers. In order to reduce the attack surface of the underlying system, Docker supports specifying a container's allowlist of system calls with seccomp configurations. Java is a mainstream programming language used by the container projects in the Docker Hub, but how to generate the allowlist of system calls for Java containers is still an open question. Firstly, most of previous efforts about container allowlist of system calls focused on the C/C++ binary code rather than Java bytecode. Secondly, some existing works on Java bytecode mainly paid attention to the security vulnerabilities analysis, and cannot be used to analyze system calls required by Java programs. In this paper, we propose the first bytecode-based system call analysis approach, named SWAT 4J, tailored for Java containers operating on x86_64 architecture. SWAT4J can generate the allowlist of system calls required for Java containers by combining static and dynamic analysis. For static analysis, SWAT4J can identify the indirect calling relationships between Java bytecode and system calls, and determine the system calls required for a containerized application. For dynamic analysis, SWAT4J can trace the system calls required for container startup. The seccomp configuration file is optimized through the combining set of system calls. In the end, we experimented with 5 types of popular open source Java containers projects from Docker Official Images. Compared to 323 system calls in Ubuntu 16.04, SWAT4J successfully reduce the number of system calls by 56.04%-59.44%, and reduce the probability of vulnerabilities without affecting the functionality of the container.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Baohua Zhao,Zhihao Wang,Ningyu An,Chunhui Ren

DOI: https://doi.org/10.1088/1742-6596/1871/1/012016

2021-01-01

Journal of Physics Conference Series

Abstract:Container technology has a series of advantages such as low physical resource consumption, fast startup speed, high concurrency, and can run in a variety of environments. It is widely used in scenarios such as big data and cloud computing. Container technology has certain advantages in performance, but there are some shortcomings in security. The container technology shares the kernel with the host, and its security mainly depends on the host. Once the attacker breaks through the host’s defense, he can easily access the files deployed in the container, steal or tamper with the file data, and cause losses to users and users. In response to the above problems, this paper proposes a container-oriented isolation control technology, which realizes further isolation of files inside the container by adding domain names to programs and files. If the program domain name matches the file part, the files in the current container cannot be accessed, and the security of the files in the container can be effectively ensured after the host is compromised.

Nanzi Yang,Wenbo Shen,Jinku Li,Yutian Yang,Kangjie Lu,Jietao Xiao,Tianyu Zhou,Chenggang Qin,Wang Yu,Jianfeng Ma,Kui Ren

DOI: https://doi.org/10.1145/3460120.3484744

2021-01-01

Abstract:Due to its faster start-up speed and better resource utilization efficiency, OS-level virtualization has been widely adopted and has become a fundamental technology in cloud computing. Compared to hardware virtualization, OS-level virtualization leverages the shared-kernel design to achieve high efficiency and runs multiple user-space instances (a.k.a., containers) on the shared kernel. However, in this paper, we reveal a new attack surface that is intrinsic to OS-level virtualization, affecting Linux, FreeBSD, and Fuchsia. The root cause is that the shared-kernel design in OS-level virtualization results containers in sharing thousands of kernel variables and data structures directly and indirectly. Without exploiting any kernel vulnerabilities, a non-privileged container can easily exhaust the shared kernel variables and data structure instances to cause DoS attacks against other containers. Compared with the physical resources, these kernel variables or data structure instances (termed abstract resources) are more prevalent but under-protected. To show the importance of confining abstract resources, we conduct abstract resource attacks that target different aspects of the OS kernel. The results show that attacking abstract resources is highly practical and critical. We further conduct a systematic analysis to identify vulnerable abstract resources in the Linux kernel, which successfully detects 1,010 abstract resources and 501 of them can be repeatedly consumed dynamically. We also conduct the attacking experiments in the self-deployed shared-kernel container environments on the top 4 cloud vendors. The results show that all environments are vulnerable to abstract resource attacks. We conclude that containing abstract resources is hard and give out multiple strategies for mitigating the risks.

Nanzi Yang,Wenbo Shen,Jinku Li,Yutian Yang,Kangjie Lu,Jietao Xiao,Tianyu Zhou,Chenggang Qin,Wang Yu,Jianfeng Ma,Kui Ren

DOI: https://doi.org/10.1145/3460120.3484744

2021-01-01

Abstract:Due to its faster start-up speed and better resource utilization efficiency, OS-level virtualization has been widely adopted and has become a fundamental technology in cloud computing. Compared to hardware virtualization, OS-level virtualization leverages the shared-kernel design to achieve high efficiency and runs multiple user-space instances (a.k.a., containers) on the shared kernel. However, in this paper, we reveal a new attack surface that is intrinsic to OS-level virtualization, affecting Linux, FreeBSD, and Fuchsia. The root cause is that the shared-kernel design in OS-level virtualization results containers in sharing thousands of kernel variables and data structures directly and indirectly. Without exploiting any kernel vulnerabilities, a non-privileged container can easily exhaust the shared kernel variables and data structure instances to cause DoS attacks against other containers. Compared with the physical resources, these kernel variables or data structure instances (termed abstract resources) are more prevalent but underprotected. To show the importance of confining abstract resources, we conduct abstract resource attacks that target different aspects of the OS kernel. The results show that attacking abstract resources is highly practical and critical. We further conduct a systematic analysis to identify vulnerable abstract resources in the Linux kernel, which successfully detects 1,010 abstract resources and 501 of them can be repeatedly consumed dynamically. We also conduct the attacking experiments in the self-deployed shared-kernel container environments on the top 4 cloud vendors. The results show that all environments are vulnerable to abstract resource attacks. We conclude that containing abstract resources is hard and give out multiple strategies for mitigating the risks.

Mubin Ul Haque,Leonardo Horn Iwaya,M. Ali Babar

DOI: https://doi.org/10.1145/3382494.3410693

2020-08-11

Abstract:Docker technology has been increasingly used among software developers in a multitude of projects. This growing interest is due to the fact that Docker technology supports a convenient process for creating and building containers, promoting close cooperation between developer and operations teams, and enabling continuous software delivery. As a fast-growing technology, it is important to identify the Docker-related topics that are most popular as well as existing challenges and difficulties that developers face. This paper presents a large-scale empirical study identifying practitioners' perspectives on Docker technology by mining posts from the Stack Overflow (SoF) community. Method: A dataset of 113,922 Docker-related posts was created based on a set of relevant tags and contents. The dataset was cleaned and prepared. Topic modelling was conducted using Latent Dirichlet Allocation (LDA), allowing the identification of dominant topics in the domain. Our results show that most developers use SoF to ask about a broad spectrum of Docker topics including framework development, application deployment, continuous integration, web-server configuration and many more. We determined that 30 topics that developers discuss can be grouped into 13 main categories. Most of the posts belong to categories of application development, configuration, and networking. On the other hand, we find that the posts on monitoring status, transferring data, and authenticating users are more popular among developers compared to the other topics. Specifically, developers face challenges in web browser issues, networking error and memory management. Besides, there is a lack of experts in this domain. Our research findings will guide future work on the development of new tools and techniques, helping the community to focus efforts and understand existing trade-offs on Docker topics.

Software Engineering,Information Retrieval

Kai Chen,Yufei Zhao,Jing Guo,Zhimin Gu,Longxi Han,Keyi Tang

DOI: https://doi.org/10.3390/electronics13234773

IF: 2.9

2024-12-04

Electronics

Abstract:With the rapid advancement in edge computing, container technology has gained widespread adoption. This is due to its lightweight isolation mechanisms, high portability, and fast deployment capabilities. Despite these advantages, container technology also introduces significant security risks. One of the most critical is container escape. However, current detection research is incomplete. Many methods lack comprehensive detection coverage or fail to fully reconstruct the attack process. To address these gaps, this paper proposes a container escape detection method based on a dependency graph. The method uses various nodes and edges to describe diverse system behaviors. This approach enables the detection of a broader range of attack types. It also effectively captures the contextual relationships between system events, facilitating attack traceability and reconstruction. We design a method to identify container processes on the dependency graph through label generation and propagation. Based on this, container escape detection is implemented using file access control within the graph. Experimental results demonstrate the effectiveness of the proposed method in detecting container escapes.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xinchen Xu,Aidong Xu,Yixin Jiang,Zhen Wang,Qianru Wang,Yunan Zhang,Hong Wen

DOI: https://doi.org/10.1088/1742-6596/1673/1/012067

2020-01-01

Journal of Physics Conference Series

Abstract:With the development of the 5G technology, edge computing will sink the computing center to the edge of the network close to the user, with low latency, high security, and lightweight features. The development of edge computing also puts forward a series of requirements for security, standardization, and unification. Docker container technology highly meets the existing needs of edge computing due to its lightweight, standardization, convenience, and security isolation. This article mainly analyzes the vulnerability of Docker containers and summarizes the security problems faced by the application of Docker container technology under edge computing systems. It also introduces a container monitoring software Prometheus and proposes a feasible edge computing risk monitoring model based on the Docker engine and Prometheus monitoring software.

Jietao Xiao,Nanzi Yang,Wenbo Shen,Jinku Li,Xin Guo,Zhiqiang Dong,Fei Xie,Jianfeng Ma

2023-01-01

Abstract:People proposed to use virtualization techniques to reinforce the isolation between containers. In the design, each container runs inside a lightweight virtual machine (called microVM). MicroVM-based containers benefit from both the security of microVM and the high efficiency of the container, and thus are widely used on the public cloud. However, in this paper, we demonstrate a new attack surface that can be exploited to break the isolation of the microVM-based container, called operation forwarding attacks. Our key observation is that certain operations of the microVM-based container are forwarded to host system calls and host kernel functions. The attacker can leverage the operation forwarding to exploit the host kernel's vulnerabilities and exhaust host resources. To fully understand the security risk of operation forwarding attacks, we divide the components of the microVM-based container into three layers according to their functionalities and present corresponding attacking strategies to exploit the operation forwarding of each layer. Moreover, we design eight attacks against Kata Containers and Firecracker-based containers and conduct experiments on the local environment, AWS, and Alibaba Cloud. Our results show that the attacker can trigger potential privilege escalation, downgrade 93.4% IO performance and 75.0% CPU performance of the victim container, and even crash the host. We further give security suggestions for mitigating these attacks.

Yutian Yang,Wenbo Shen,Bonan Ruan,Wenmao Liu,Kui Ren

DOI: https://doi.org/10.1109/tpsisa52974.2021.00016

2021-01-01

Abstract:In recent years, containerization has become a major trend in the cloud due to its high resource utilization efficiency and convenient DevOps support. However, the complexity of container system also introduces attack surfaces. This paper aims to summarize security challenges in the container cloud. In particular, we first divide the whole container system into different layers according to their functionalities, including the kernel layer, the container layer, and the orchestration layer. We then summarize security-related technologies. After that, we discuss the security challenges for each layer. Finally, we present the current protection status for the container system and highlight future research directions. Our study shows that to improve the container cloud security, we need to design and implement more robust kernel isolation mechanisms, conduct systematic and thorough security analysis on existing container techniques, and develop comprehensive configuration checking tools.