DOI: 10.1145/3339252.3340502

Leveraging Kernel Security Mechanisms to Improve Container Security: a Survey

Published: 26 August 2019

Abstract

Containerization is a lightweight virtualization technique that reduces virtualization overhead and deployment latency compared to full VMs; its popularity is increasing quickly.
However, because containers share the host kernel, they provide weaker isolation than full VMs. A compromised container may therefore break out of its isolated context and gain root access to the host server. This is a major concern, especially in multi-tenant cloud environments, where a single server may run containers serving very different purposes, such as banking microservices, compute nodes or honeypots. Containers with specific security needs should therefore be able to tune their own security level.
Because OS-level defense approaches inherited from time-sharing OSes generally require administrator rights and aim to protect the entire system, they are not fully suitable for protecting user-mode containers. Recent research has made several contributions that deliver enhanced security to containers from the host OS level, (partially) solving these challenges.
In this survey, we propose a new taxonomy of container defenses at the infrastructure level, with a particular focus on the virtualization boundary, where the interactions between the kernel and containers take place. We then classify the most promising defense frameworks into these categories.

Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019
979 pages
ISBN:9781450371643
DOI:10.1145/3339252
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Container
  2. LSM
  3. NFV
  4. Security
  5. Virtualization
  6. Virtualization Boundary

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '19

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%
