A review of native container security for running applications

Flauzac, Olivier; Mauhourat, Fabien; Nolot, Florent

doi:10.1016/j.procs.2020.07.025

Cited by 22 publications

(14 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…With the help of a risk library, there are many methods proposed to deal with image-security issues on container-based clouds. The most popular methods take uses of Linux features (i.e., CGroup and Capabilities) to isolate the hardware resource, and to divide the privileges, respectively [ 21 ]. They provide the general security protection of the storage and networking for containers.…”

Section: Related Workmentioning

confidence: 99%

Microservice Security Framework for IoT by Mimic Defense Mechanism

Ying

Zhao

Deng

2022

Sensors

View full text Add to dashboard Cite

Containers and microservices have become the most popular method for hosting IoT applications in cloud servers. However, one major security issue of this method is that if a container image contains software with security vulnerabilities, the associated microservices also become vulnerable at run-time. Existing works attempted to reduce this risk with vulnerability-scanning tools. They, however, demand an up-to-date database and may not work with unpublished vulnerabilities. In this paper, we propose a novel system to strengthen container security from unknown attack using the mimic defense framework. Specifically, we constructed a resource pool with variant images and observe the inconsistency in execution results, from which we can identify potential vulnerabilities. To avoid continuous attack, we created a graph-based scheduling strategy to maximize the randomness and heterogeneity of the images used to replace the current images. We implemented a prototype using Kubernetes. Experimental results show that our framework makes hackers have to send 54.9% more random requests to complete the attack and increases the defence success rate by around 8.16% over the baseline framework to avoid the continuous unknown attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

Microservice Security Framework for IoT by Mimic Defense Mechanism

Ying

Zhao

Deng

2022

Sensors

View full text Add to dashboard Cite

show abstract

“…Software based mechanism are based on either Linux Security Features (LSFs) or Linux Security Modules (LSMs). These Linux kernel features include the solutions using the namespaces, Control Groups (CGroups), Capabilities Dropping and Computation Mode (Seccomp) [61], [63]. Hardware-based protection can be…”

Section: ) Security Solutions For Virtualized Edgementioning

confidence: 99%

An Overview of the Security Landscape of Virtual Mobile Networks

et al. 2021

View full text Add to dashboard Cite

5G enables the use of different types of services over the same physical infrastructure through the concepts and technologies of virtualization, softwarization, network slicing and cloud computing. Mobile Virtual Network Operators (MVNOs), using these concepts, provide an opportunity to share the same physical infrastructure among multiple operators. Each MVNO can have own distinct operating and support systems. However, the technologies used to enable such an environment have their own explicit security challenges and solutions. The integrated environment built upon these novel concepts and technologies, thus, will have complex security implications and requirements to be satisfied. In this vain, this article provides an overview of the security challenges and potential solutions for MVNOs.

show abstract

“…Wist et al [166] scanned 2,500 Docker Hub images, mapped their vulnerabilities using the Common Vulnerability Scoring System (CVSS), and compared the vulnerabilities across the types of images, the types of scripting languages, and packages. In another research, Flauzac et al [63] reviewed the native containers security by conducting a static comparison of 6 container runtime solutions, namely LXC (Linux Containers), LXD (an open-source container management extension for LXC), Singularity, Docker (runc), Kata-containers (kata-runtime) and gVisor(runsc), in terms of their abilities to isolate system resources such as storage, network, processor, and memory. However, this is carried out in the container's default and standalone state and therefore does not reflect a real operating environment that is used by a container.…”

Section: Vulnerability Analysismentioning

confidence: 99%

“…Enhancement of container engine security In this paper, we use Docker as the representative container engine for security survey as it is the most popular and pervasively used by enterprises and businesses. However, a couple of reports state that an alternative container engine called Kata 13 container which is developed by IBM and Hyper.sh can offer better security isolation while maintaining efficiency and performance and it has a strong reference customer in the form of Baidu AI Cloud [97], [63], [94]. Therefore, another direction of study is a comprehensive comparison of the security and performance between Kata container and Docker container and investigate the possibility of a Docker substitute or areas for Docker's security enhancements.…”

Section: Future Research Directionsmentioning

confidence: 99%

“…To alleviate the security concerns, several research works have been done on containers security, some focusing on vulnerability analysis [32], [58], [166], [63], [150], [98], [18], [108], and others on mitigation strategies [114], [126], [17], [44], [51], [82], [38], [151], [11], [13], [148], [103], [30], [47], [96]. However, most of the related works only focus on a specific vulnerability, threat, use-case or subsystem of containers.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Threat Modeling and Security Analysis of Containers: A Survey

Wong¹,

Chekole²,

Ochoa³

et al. 2021

Preprint

View full text Add to dashboard Cite

Traditionally, applications that are used in large and small enterprises were deployed on "bare metal" servers installed with operating systems. Recently, the use of multiple virtual machines (VMs) on the same physical server was adopted due to cost reduction and flexibility. Nowadays, containers have become popular for application deployment due to smaller footprints than the VMs, their ability to start and stop more quickly, and their capability to pack the application binaries and their dependencies/libraries in standalone units for seamless portability. A typical container ecosystem includes a code repository (e.g., GitHub) where the container images are built from the codes and libraries and then pushed to the image registry (e.g., Docker Hub) for subsequent deployment as application containers. However, the pervasive use of containers also leads to a wide-range of security breaches such as attackers stealing credentials, source codes and sensitive data from image registry and code repository, carrying out DoS attacks on application containers, and gaining root access to misuse the underlying host resources, among others. In this paper, we first perform threat modeling on the containers ecosystem using the popular threat modeling framework, called STRIDE. Using STRIDE, we identify the vulnerabilities in each system component, and investigate potential security threats and their consequences. Then, we conduct a comprehensive survey on the existing countermeasures designed against the identified threats and vulnerabilities in containers. In particular, we assess the strengths and weaknesses of the existing mitigation strategies designed against such threats. We believe that this work will help researchers and practitioners to gain a deeper understanding of the threat landscape in containers and the state-of-the-art countermeasures. We also discuss open research problems, the research gaps and future research directions in containers security, which may ignite further research to be done in this area.

show abstract

A review of native container security for running applications

Cited by 22 publications

References 11 publications

Microservice Security Framework for IoT by Mimic Defense Mechanism

Microservice Security Framework for IoT by Mimic Defense Mechanism

An Overview of the Security Landscape of Virtual Mobile Networks

Threat Modeling and Security Analysis of Containers: A Survey

Contact Info

Product

Resources

About