ContainerLeaks: Emerging Security Threats of Information Leakages in Container Clouds

Xing Gao, Zhongshu Gu, M. Kayaalp, D. Pendarakis, Haining Wang
DOI: 10.1109/DSN.2017.49 (https://doi.org/10.1109/DSN.2017.49)
Venue: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Publication date: 2017-06-26
Citations: 108

Abstract

Container technology provides a lightweight operating-system-level virtual hosting environment. Its emergence profoundly changes the development and deployment paradigms of multi-tier distributed applications. However, due to the incomplete implementation of system resource isolation mechanisms in the Linux kernel, some security concerns still exist for multiple containers sharing an operating system kernel on a multi-tenancy container cloud service. In this paper, we first present the information leakage channels we discovered that are accessible within the containers. Such channels expose a spectrum of system-wide host information to the containers without proper resource partitioning. By exploiting such leaked host information, it becomes much easier for malicious adversaries (acting as tenants in the container clouds) to launch advanced attacks that might impact the reliability of cloud services. Additionally, we discuss the root causes of the containers' information leakages and propose a two-stage defense approach. As demonstrated in the evaluation, our solution is effective and incurs trivial performance overhead.