Xing Gao,Zhongshu Gu,Zhengfa Li,Hani Jamjoom,Cong Wang

DOI: https://doi.org/10.1145/3319535.3354227

2019-01-01

Abstract:Linux Control Groups, i.e., cgroups, are the key building blocks to enable operating-system-level containerization. The cgroups mechanism partitions processes into hierarchical groups and applies different controllers to manage system resources, including CPU, memory, block I/O, etc. Newly spawned child processes automatically copy cgroups attributes from their parents to enforce resource control. Unfortunately, inherited cgroups confinement via process creation does not always guarantee consistent and fair resource accounting. In this paper, we devise a set of exploiting strategies to generate out-of-band>workloads via de-associating processes from their original process groups. The system resources consumed by such workloads will not be charged to the appropriate cgroups. To further demonstrate the feasibility, we present five case studies within Docker containers to demonstrate how to break the resource rein of cgroups in realistic scenarios. Even worse, by exploiting those cgroups' insufficiencies in a multi-tenant container environment, an adversarial container is able to greatly amplify the amount of consumed resources, significantly slow-down other containers on the same host, and gain extra unfair advantages on the system resources. We conduct extensive experiments on both a local testbed and an Amazon EC2 cloud dedicated server. The experimental results demonstrate that a container can consume system resources (e.g., CPU) as much as $200\times$ of its limit, and reduce both computing and I/O performance of particular workloads in other co-resident containers by 95%.

Luis Augusto Dias Knob,Matteo Franzil,Domenico Siracusa

2024-01-19

Abstract:Kubernetes (K8s) has grown in popularity over the past few years to become the de-facto standard for container orchestration in cloud-native environments. While research is not new to topics such as containerization and access control security, the Application Programming Interface (API) interactions between K8s and its runtime interfaces have not been studied thoroughly. In particular, the CRI-API is responsible for abstracting the container runtime, managing the creation and lifecycle of containers along with the downloads of the respective images. However, this decoupling of concerns and the abstraction of the container runtime renders K8s unaware of the status of the downloading process of the container images, obstructing the monitoring of the resources allocated to such process. In this paper, we discuss how this lack of status information can be exploited as a Denial of Service attack in a K8s cluster. We show that such attacks can generate up to 95% average CPU usage, prevent downloading new container images, and increase I/O and network usage for a potentially unlimited amount of time. Finally, we propose two possible mitigation strategies: one, implemented as a stopgap solution, and another, requiring more radical architectural changes in the relationship between K8s and the CRI-API.

Cryptography and Security

Qiang Wu,Jiadi Yu,Li Lu,Shiyou Qian,Guangtao Xue

DOI: https://doi.org/10.1109/icpads47876.2019.00037

2019-01-01

Abstract:Nowadays, the container-based virtualization technologies have become very popular due to lightweight nature, scalability, flexibility and others. Kubernetes is one of the most popular container cluster management systems, which enables users to deploy applications on the container easily, so more and more web applications are deployed in a Kubernetes clusters. However, a Kubernetes cluster is generally designed to handle the peak of workloads, so that most of resources are idle in usual time, which results in an huge waste of resource. Hence, it is necessary to design a system to improve the cluster resource utilization and promise Quality of Service (QoS) in a Kubernetes cluster. In this paper, we propose a generic system to dynamically adjust the scale of a Kubernetes cluster, which is able to reduce the waste of resource on the premise of QoS guarantee. The proposed system contains four modules: monitor module, QoS module, scaling module, and executing module. First, the monitor module uses two open-source tools, Heapster and InfluxDB, to monitor and store real-time status of a Kubernetes cluster. Then, to guarantee QoS in the Kubernetes cluster, the QoS module presents a method to automatically decide a threshold of CPU utilization that is able to meet requirements of a specific application. Next, the scaling module provides a cluster scaling algorithm to get an ideal number of nodes in the Kubernetes cluster, which is used to allocate resources in a cluster-level allocation. Finally, according to the ideal number of nodes, the executing module adjusts the scale of the Kubernetes cluster to carry out the application. Extensive experiments in real environments show that, on average, the proposed system improves CPU utilization of a Kubernetes cluster by 28.99%.

Bipin Gajbhiye,Om Goel,Pandi Kirupa Gopalakrishna Pandian

DOI: https://doi.org/10.36676/jqst.v1.i2.16

2024-06-30

Abstract:The rise of containerized environments, exemplified by Docker and Kubernetes, has revolutionized software deployment and orchestration, enabling agile development and efficient resource utilization. However, the adoption of these technologies also introduces unique security challenges that organizations must address to safeguard their applications and infrastructure. This paper explores the complexities of managing vulnerabilities in containerized and Kubernetes environments, offering a comprehensive analysis of the potential risks and strategies to mitigate them.Containers encapsulate applications with their dependencies, ensuring consistency across different environments. However, this encapsulation can mask underlying vulnerabilities in the application code, base images, or third-party libraries. The ephemeral nature of containers, designed to be short-lived and scalable, adds another layer of complexity, as vulnerabilities can propagate rapidly across environments if not detected and addressed promptly. Moreover, the shared nature of the underlying host operating system and kernel in containerized environments increases the attack surface, making it crucial to secure both the containers and the host.Kubernetes, as a powerful orchestration platform, introduces additional layers of complexity in vulnerability management. The dynamic nature of Kubernetes clusters, with their multiple components such as pods, services, and nodes, can lead to misconfigurations, inadequate access controls, and exposure to security threats. Misconfigurations, such as overly permissive network policies or improper role-based access controls (RBAC), can lead to unauthorized access, privilege escalation, and data breaches. Additionally, the integration of third-party plugins and extensions into Kubernetes clusters can introduce new vulnerabilities, making it imperative to monitor and manage these components effectively.This paper delves into several key aspects of vulnerability management in containerized and Kubernetes environments. Firstly, it examines the importance of securing container images by employing best practices such as using minimal base images, regularly updating images, and scanning them for known vulnerabilities. The paper highlights the role of image scanning tools that can detect vulnerabilities in both base images and application code, emphasizing the need for continuous scanning throughout the development lifecycle.Secondly, the paper discusses the significance of runtime security in containerized environments. While securing container images is critical, monitoring and protecting containers during runtime is equally important. The paper explores tools and techniques for runtime security, including anomaly detection, behavior analysis, and intrusion detection systems that can identify and respond to threats in real-time.Furthermore, the paper addresses the challenges of managing vulnerabilities in Kubernetes clusters. It underscores the importance of securing the Kubernetes control plane, which includes securing API servers, etcd databases, and implementing stringent RBAC policies. The paper also explores the role of network security in Kubernetes, advocating for the use of network policies to control traffic flow between pods and ensure that only authorized communication is allowed.In addition to technical measures, the paper emphasizes the need for organizational practices to manage vulnerabilities effectively. This includes fostering a security-first culture, conducting regular security audits, and ensuring that development and operations teams are aligned on security best practices. The paper also highlights the importance of incident response planning and the need for rapid patching and updates to address newly discovered vulnerabilities.In conclusion, managing vulnerabilities in containerized and Kubernetes environments requires a multifaceted approach that combines technical measures with organizational practices. As organizations increasingly rely on these technologies for their application deployment and orchestration, a proactive and holistic approach to security is essential to mitigate risks and protect critical assets. This paper provides a roadmap for organizations to enhance their vulnerability management strategies, ensuring that their containerized and Kubernetes environments are secure, resilient, and capable of withstanding evolving threats.

Xiaolong Zhang,Lanqing Li,Yuan Wang,E. Chen,Lidan Shou

DOI: https://doi.org/10.1109/access.2021.3100082

IF: 3.9

2021-01-01

IEEE Access

Abstract:With the popularity of container-based microservices and cloud-native architectures, Kubernetes has established itself as the de facto standard for container orchestration. Kubernetes is known for its advantage in easy deployment and operations for applications; however, it suffers from low resource utilization, incurring high server provisioning and operational costs, due to following reasons. First, it is common practice for latency-sensitive services to be over-provisioned for the peak load: Kubernetes might consider such peak-load provisioning as constant, even though the actual resource utilization is low. Second, the isolation between different containers is poor and cannot prevent performance degradation when best-effort jobs and latency-sensitive services run together. Users may have to run these two classes of workloads on separate machines to avoid interference, resulting in higher provisioning costs. This paper presents a highly scalable cluster scheduling system named Zeus, which is designed based on Kubernetes extension mechanisms. Zeus achieves safe colocation of best-effort jobs and latency-sensitive services. Furthermore, Zeus schedules best-effort jobs based on the real server utilization and can adaptively allocate resources between the two classes of workloads. In addition, Zeus enhances container isolation by coordinating software and hardware isolation features. As a result, Zeus can effectively improve the resource utilization of Kubernetes clusters. We discuss the design and implementation of Zeus and evaluate its effectiveness using latency-sensitive services and best-effort jobs in a massive production environment. The results show that by colocating latency-sensitive services with best-effort jobs, Zeus can increase the average CPU utilization from 15% to 60% without SLO violations.

Yajin Zhou,Kunal Patel,Lei Wu,Zhi Wang,Xuxian Jiang

DOI: https://doi.org/10.1145/2714576.2714598

2015-01-01

Abstract:ABSTRACTUsers of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require to modify the Android framework thus significantly impairing their practical deployment, or could be easily defeated by malicious apps using a native library. In this paper, we propose AppCage, a system that thoroughly confines the run-time behavior of third-party Android apps without requiring framework modifications or root privilege. AppCage leverages two complimentary user-level sandboxes to interpose and regulate an app's access to sensitive APIs. Specifically, dex sandbox hooks into the app's Dalvik virtual machine instance and redirects each sensitive framework API to a proxy which strictly enforces the user-defined policies, and native sandbox leverages software fault isolation to prevent the app's native libraries from directly accessing the protected APIs or subverting the dex sandbox. We have implemented a prototype of AppCage. Our evaluation shows that AppCage can successfully detect and block attempts to leak private information by third-party apps, and the performance overhead caused by AppCage is negligible for apps without native libraries and minor for apps with them.

Akond Rahman,Shazibul Islam Shamim,Dibyendu Brinto Bose,Rahul Pandita

DOI: https://doi.org/10.1145/3579639

IF: 3.685

2023-01-10

ACM Transactions on Software Engineering and Methodology

Abstract:Context : Kubernetes has emerged as the de-facto tool for automated container orchestration. Business and government organizations are increasingly adopting kubernetes for automated software deployments. Kubernetes is being used to provision applications in a wide range of domains, such as time series forecasting, edge computing, and high performance computing. Due to such a pervasive presence, Kubernetes-related security misconfigurations can cause large-scale security breaches. Thus, a systematic analysis of security misconfigurations in Kubernetes manifests, i.e., configuration files used for Kubernetes, can help practitioners secure their Kubernetes clusters. Objective : The goal of this paper is to help practitioners secure their Kubernetes clusters by identifying security misconfigurations that occur in Kubernetes manifests . Methodology : We conduct an empirical study with 2,039 Kubernetes manifests mined from 92 open-source software repositories to systematically characterize security misconfigurations in Kubernetes manifests. We also construct a static analysis tool called Security Linter for Kubernetes Manifests ( SLI-KUBE ) to quantify the frequency of the identified security misconfigurations. Results : In all, we identify 11 categories of security misconfigurations, such as absent resource limit, absent securityContext , and activation of hostIPC . Specifically, we identify 1,051 security misconfigurations in 2,039 manifests. We also observe the identified security misconfigurations affect entities that perform mesh-related load balancing, as well as provision pods and stateful applications. Furthermore, practitioners agreed to fix 60% of 10 misconfigurations reported by us. Conclusion : Our empirical study shows Kubernetes manifests to include security misconfigurations, which necessitates security-focused code reviews and application of static analysis when Kubernetes manifests are developed.

computer science, software engineering

Qingyang Zeng,Mohammad Kavousi,Yinhong Luo,Ling Jin,Yan Chen

DOI: https://doi.org/10.1016/j.cose.2023.103173

IF: 5.105

2023-01-01

Computers & Security

Abstract:Cloud-native systems have recently emerged as one of the most popular platforms for application development, providing lightweight virtualization, simplified DevOps procedures, scaling, resource efficiency, monitoring, and more. The typical cloud-native system may include containers, container orchestrators, and service meshes. However, a number of attacks exploit vulnerabilities in different components, leading the attacker to gain control over the cloud-native system. In this paper, we collect, classify, exploit, and mitigate vulnerabilities of different components. Firstly, we choose Docker, Kubernetes, and Istio as the most popular cloud technologies and give each an overview. Secondly, we give an in-depth analysis of the vulnerabilities. We collect cloud-native vulnerabilities over the past five years and propose two classifications of those vulnerabilities. One is based on the architecture of the component, and the other is based on the attack enabled. We exploit vulnerabilities that enable us to discover some insightful findings and provide mitigation solutions. Third, we analyze 15 open-source security tools provided for the cloud-native environment. We argue that among all these security tools, none of them covers all features which we will discuss in this paper. We believe that our analysis of cloud security vulnerabilities and open-source security tools can benefit the security of the cloud-native ecosystem.

Francesco Minna,Balakrishnan Chandrasekaran,Agathe Blaise,Filippo Rebecchi,Fabio Massacci

DOI: https://doi.org/10.1109/msec.2021.3094726

2021-09-01

Abstract:Container-orchestration software such as Kubernetes make it easy to deploy and manage modern cloud applications based on microservices. Yet, its network abstractions pave the way for "unexpected attacks" if we approach cloud network security with the same mental model of traditional network security.

computer science, information systems, software engineering

Yutian Yang,Wenbo Shen,Bonan Ruan,Wenmao Liu,Kui Ren

DOI: https://doi.org/10.1109/tpsisa52974.2021.00016

2021-01-01

Abstract:In recent years, containerization has become a major trend in the cloud due to its high resource utilization efficiency and convenient DevOps support. However, the complexity of container system also introduces attack surfaces. This paper aims to summarize security challenges in the container cloud. In particular, we first divide the whole container system into different layers according to their functionalities, including the kernel layer, the container layer, and the orchestration layer. We then summarize security-related technologies. After that, we discuss the security challenges for each layer. Finally, we present the current protection status for the container system and highlight future research directions. Our study shows that to improve the container cloud security, we need to design and implement more robust kernel isolation mechanisms, conduct systematic and thorough security analysis on existing container techniques, and develop comprehensive configuration checking tools.

Yi He,Roland Guo,Yunlong Xing,Xijia Che,Kun Sun,Zhuotao Liu,Ke Xu,Qi Li

2023-01-01

Abstract:The extended Berkeley Packet Filter (eBPF) provides powerful and flexible kernel interfaces to extend the kernel functions for user space programs via running bytecode directly in the kernel space. It has been widely used by cloud services to enhance container security, network management, and system observability. However, we discover that the offensive eBPF that has been extensively discussed in Linux hosts can bring new attack surfaces to containers. With eBPF tracing features, attackers can break the container's isolation and attack the host, e.g., steal sensitive data, DoS, and even escape the container. In this paper, we study the eBPF-based cross container attacks and reveal their security impacts in real world services. With eBPF attacks, we successfully compromise five online Jupyter/Interactive Shell services and the Cloud Shell of Google Cloud Platform. Furthermore, we find that the Kubernetes services offered by three leading cloud vendors can be exploited to launch cross-node attacks after the attackers escape the container via eBPF. Specifically, in Alibaba's Kubernetes services, attackers can compromise the whole cluster by abusing their over-privileged cloud metrics or management Pods. Unfortunately, the eBPF attacks on containers are seldom known and can hardly be discovered by existing intrusion detection systems. Also, the existing eBPF permission model cannot confine the eBPF and ensure secure usage in shared-kernel container environments. To this end, we propose a new eBPF permission model to counter the eBPF attacks in containers.

Md. Shazibul Islam Shamim,Farzana Ahamed Bhuiyan,Akond Rahman

DOI: https://doi.org/10.48550/arXiv.2006.15275

2020-06-27

Abstract:Kubernetes is an open-source software for automating management of computerized services. Organizations, such as IBM, Capital One and Adidas use Kubernetes to deploy and manage their containers, and have reported benefits related to deployment frequency. Despite reported benefits, Kubernetes deployments are susceptible to security vulnerabilities, such as those that occurred at Tesla in 2018. A systematization of Kubernetes security practices can help practitioners mitigate vulnerabilities in their Kubernetes deployments. The goal of this paper is to help practitioners in securing their Kubernetes installations through a systematization of knowledge related to Kubernetes security practices. We systematize knowledge by applying qualitative analysis on 104 Internet artifacts. We identify 11 security practices that include (i) implementation of role-based access control (RBAC) authorization to provide least privilege, (ii) applying security patches to keep Kubernetes updated, and (iii) implementing pod and network specific security policies.

Cryptography and Security,Software Engineering

Nanzi Yang,Wenbo Shen,Jinku Li,Yutian Yang,Kangjie Lu,Jietao Xiao,Tianyu Zhou,Chenggang Qin,Wang Yu,Jianfeng Ma,Kui Ren

DOI: https://doi.org/10.1145/3460120.3484744

2021-01-01

Abstract:Due to its faster start-up speed and better resource utilization efficiency, OS-level virtualization has been widely adopted and has become a fundamental technology in cloud computing. Compared to hardware virtualization, OS-level virtualization leverages the shared-kernel design to achieve high efficiency and runs multiple user-space instances (a.k.a., containers) on the shared kernel. However, in this paper, we reveal a new attack surface that is intrinsic to OS-level virtualization, affecting Linux, FreeBSD, and Fuchsia. The root cause is that the shared-kernel design in OS-level virtualization results containers in sharing thousands of kernel variables and data structures directly and indirectly. Without exploiting any kernel vulnerabilities, a non-privileged container can easily exhaust the shared kernel variables and data structure instances to cause DoS attacks against other containers. Compared with the physical resources, these kernel variables or data structure instances (termed abstract resources) are more prevalent but underprotected. To show the importance of confining abstract resources, we conduct abstract resource attacks that target different aspects of the OS kernel. The results show that attacking abstract resources is highly practical and critical. We further conduct a systematic analysis to identify vulnerable abstract resources in the Linux kernel, which successfully detects 1,010 abstract resources and 501 of them can be repeatedly consumed dynamically. We also conduct the attacking experiments in the self-deployed shared-kernel container environments on the top 4 cloud vendors. The results show that all environments are vulnerable to abstract resource attacks. We conclude that containing abstract resources is hard and give out multiple strategies for mitigating the risks.

Jietao Xiao,Nanzi Yang,Wenbo Shen,Jinku Li,Xin Guo,Zhiqiang Dong,Fei Xie,Jianfeng Ma

2023-01-01

Abstract:People proposed to use virtualization techniques to reinforce the isolation between containers. In the design, each container runs inside a lightweight virtual machine (called microVM). MicroVM-based containers benefit from both the security of microVM and the high efficiency of the container, and thus are widely used on the public cloud. However, in this paper, we demonstrate a new attack surface that can be exploited to break the isolation of the microVM-based container, called operation forwarding attacks. Our key observation is that certain operations of the microVM-based container are forwarded to host system calls and host kernel functions. The attacker can leverage the operation forwarding to exploit the host kernel's vulnerabilities and exhaust host resources. To fully understand the security risk of operation forwarding attacks, we divide the components of the microVM-based container into three layers according to their functionalities and present corresponding attacking strategies to exploit the operation forwarding of each layer. Moreover, we design eight attacks against Kata Containers and Firecracker-based containers and conduct experiments on the local environment, AWS, and Alibaba Cloud. Our results show that the attacker can trigger potential privilege escalation, downgrade 93.4% IO performance and 75.0% CPU performance of the victim container, and even crash the host. We further give security suggestions for mitigating these attacks.

Nanzi Yang,Wenbo Shen,Jinku Li,Yutian Yang,Kangjie Lu,Jietao Xiao,Tianyu Zhou,Chenggang Qin,Wang Yu,Jianfeng Ma,Kui Ren

DOI: https://doi.org/10.1145/3460120.3484744

2021-01-01

Abstract:Due to its faster start-up speed and better resource utilization efficiency, OS-level virtualization has been widely adopted and has become a fundamental technology in cloud computing. Compared to hardware virtualization, OS-level virtualization leverages the shared-kernel design to achieve high efficiency and runs multiple user-space instances (a.k.a., containers) on the shared kernel. However, in this paper, we reveal a new attack surface that is intrinsic to OS-level virtualization, affecting Linux, FreeBSD, and Fuchsia. The root cause is that the shared-kernel design in OS-level virtualization results containers in sharing thousands of kernel variables and data structures directly and indirectly. Without exploiting any kernel vulnerabilities, a non-privileged container can easily exhaust the shared kernel variables and data structure instances to cause DoS attacks against other containers. Compared with the physical resources, these kernel variables or data structure instances (termed abstract resources) are more prevalent but under-protected. To show the importance of confining abstract resources, we conduct abstract resource attacks that target different aspects of the OS kernel. The results show that attacking abstract resources is highly practical and critical. We further conduct a systematic analysis to identify vulnerable abstract resources in the Linux kernel, which successfully detects 1,010 abstract resources and 501 of them can be repeatedly consumed dynamically. We also conduct the attacking experiments in the self-deployed shared-kernel container environments on the top 4 cloud vendors. The results show that all environments are vulnerable to abstract resource attacks. We conclude that containing abstract resources is hard and give out multiple strategies for mitigating the risks.

Hirokuni Kitahara,Kugamoorthy Gajananan,Yuji Watanabe

DOI: https://doi.org/10.1109/bigdata50022.2020.9377815

2020-12-10

Abstract:Container integrity monitoring is defined as key requirements for regulatory compliance, such as PCI-DSS, in which any unexpected changes such as file updates or program runs must be logged for later audit. Syscall monitoring provides comprehensive monitoring of such change events on container, while it suffered from large amount of false alarms unless well-defined allowlist rules are coordinated before deploying container. Defining such comprehensive allowlist is not feasible especially when managing various kinds of application workloads in large-scale enterprise cluster. We propose new approach for identifying real anomaly of syscall events effectively without relying on any predefined allowlist configuration in this paper. Our novel filtering algorithm based on the knowledge acquired autonomously from Kubernetes cluster control plane reduces 99.999 % noise effectively and distilling only abnormal events in real time. Our experiment with real applications on more than 4000 containers demonstrates its effectiveness even on large-scale cluster.

Zhibo Zhang,Lei Zhang,Guangliang Yang,Yanjun Chen,Jiahao Xu,Min Yang

DOI: https://doi.org/10.1109/tifs.2024.3390553

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In app-in-app ecosystems, mobile applications (i.e., host apps) often delegate their rich resources to hosted parties (i.e., sub-apps), which can be utilized to provide millions of effective services including shopping, banking, and government. These resources vary from system abilities (e.g., web socket and GPS location) to app and user data (e.g., storage and phone number). This leads to an important research question-carefully design and enforce security regulations on these cross-party delegated resources (CPDR). Real-world host apps, according to our study, adopt 11 common security regulations in protecting the integrity, confidentiality, and availability of CPDR. However, existing practice and compliance between host apps and sub-apps are vague and inconsistent, leading to violations of these security regulations. To the best of our knowledge, no prior works have studied these security regulations. In this paper, we perform the first systematic study of the security regulations and their security weaknesses in real-world app-in-app ecosystems. We propose three novel attack vectors including masquerade attack, data-driven attack, and channel hijacking. We find that violations of the common security regulations are widespread among all 9 studied app-in-app ecosystems. More importantly, such security weakness can lead to severe consequences such as manipulating sub-apps' back-end servers and stealing sensitive user data. We responsibly report all of our findings to host app developers of affected app-in-app ecosystems and help them fix their vulnerabilities. The code of this work is available at https://github.com/TitaniumB/MiniAppSecurity.git.

Shouyin Xu,Yuewu Wang,Lingguang Lei,Kun Sun,Jiwu Jing,Siyuan Ma,Jie Wang,Heqing Huang

DOI: https://doi.org/10.1109/tifs.2024.3411915

IF: 7.231

2024-06-22

IEEE Transactions on Information Forensics and Security

Abstract:Container technology is widely adopted due to its features such as light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and the kernel permission data (usually non-control flow data) used by these mechanisms. None of the existing mitigation schemes for non-control flow data attacks provide an effective and practical solution to container security since they either trigger too much overhead, have limited effectiveness over attacks launched in specific ways, or can only be used to protect some specific kernel data. In addition, none of them accurately identify the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited by attack methods or data types. We then demystify the models of various kernel access control mechanisms in the container environment, and identify the subject and object permission data that are critical to container isolation. Finally, we provide a solution named Condo to enhance container isolation, which is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce the compromises of container isolation due to memory corruption attacks with an acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic

Marco Barletta,Marcello Cinque,Catello Di Martino,Zbigniew T. Kalbarczyk,Ravishankar K. Iyer

2024-04-17

Abstract:In this paper, we i) analyze and classify real-world failures of Kubernetes (the most popular container orchestration system), ii) develop a framework to perform a fault/error injection campaign targeting the data store preserving the cluster state, and iii) compare results of our fault/error injection experiments with real-world failures, showing that our fault/error injections can recreate many real-world failure patterns. The paper aims to address the lack of studies on systematic analyses of Kubernetes failures to date.

Distributed, Parallel, and Cluster Computing

Rui Chang,Liehui Jiang,Wenzhi Chen,Hong-qi He,Shuiqiao Yang,Hang Jiang,Wei Liu,Yong Liu

DOI: https://doi.org/10.1002/cpe.4180

2018-01-01

Abstract:This paper discusses security issues on the user equipment, which is the last mile of social networks. One of the main Achilles' heel of social networks is not the organization of networks themselves, but the user devices, typically Android ones. The existing system of privileges makes it easy to infiltrate the network via applications installed on users' devices. Conventional signature-based and static analysis methods are vulnerable. Access to privacy- and security-relevant parts of the application programming interface is controlled by the corresponding permission in a manifest file. While requesting access to permissions, it may offer opportunities to malicious codes, which will cause security issues. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our multilayered permission-based security extension scheme on Android platforms. We propose a usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension mechanism. In contrast to previous work, the proposed security architecture provides a permission-based mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness of the proposed scheme in mitigating permission leakage vulnerabilities.