Container-Based Module Isolation for Cloud Services

Kehrer, Stefan; Riebandt, Florian; Blochinger, Wolfgang

doi:10.1109/sose.2019.00032

Cited by 13 publications

(5 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The access control policies are composed of user ID, container ID, and container based image layer directory. Finally, user access control handling rejects unauthorized access towards the container image layer by examining the I/O of the user's file [20]. The event over the container image accessing is performed using the container platform, and another kind of access is rejected.…”

Section: Security Threat Towards the Container Imagementioning

confidence: 99%

Container Security: An Extensive Roadmap

Subramanian¹,

Honnavalli²,

Shylaja³

2021

Atlantis Highlights in Computer Sciences

View full text Add to dashboard Cite

The containers play a crucial role in the cloud environment during application deployment as it shares same OS kernel. It reduces resource requirements and start-up time for deploying applications by an individual organizations or users. Even though containers provide light-weight virtualization, it generates a security bottleneck for the number of dedicated resources, libraries, and applications since the container isolation is comparatively weak to the legacy VMs. In the general architec ture of container, attackers can perform privilege escalation by exploiting the kernel vulnerabilities to gain the root privilege and leaks the critical information of a system. To address the present security concerns in the container, a better security based solution is essential. In this work, an extensive analysis is performed to predict the various existing access control mechanisms used for security purposes and the challenges encountered during the architecture modeling. Some use cases are considered to ensure the fulfilment of security requirements such as container protection, inter-container protection, and host protection, and it needs to provide both software and hardware solutions. This work also includes the research problems, research gaps, and further research extensions to provide security to the containers.

show abstract

Section: Security Threat Towards the Container Imagementioning

confidence: 99%

Container Security: An Extensive Roadmap

Subramanian¹,

Honnavalli²,

Shylaja³

2021

Atlantis Highlights in Computer Sciences

View full text Add to dashboard Cite

show abstract

“…As is well known, the container engine protects the execution environment of the container. A container engine uses namespaces and cgroups to individually apply environmental variables, resources, and process management for application during a container operation to ensure an independent operating environment [26].…”

Section: Security Environment Analysis Of Container Platform a mentioning

confidence: 99%

Container Image Access Control Architecture to Protect Applications

Han

Lee

et al. 2020

IEEE Access

View full text Add to dashboard Cite

A container platform allows various applications to be deployed or run after installation. A user can download or execute a container image with the required application. To apply the configuration management system, a container image uses a union filesystem composed of multiple layers. To provide stability, important application files must be protected from unauthorized access. However, the container image used for distributing an application does not have its own protection function, and it is not protected by the container platform. The access control function provided by the operating system cannot protect the applications because the container environment is not considered. In this study, a container image access control architecture is proposed that can ensure a safe application operating environment by denying unauthorized direct access to container images. The proposed architecture enforces the access control function after the container image is downloaded, denying unauthorized access to the container image layer directory. Because the access control function is provided at the kernel level, there is a security advantage that users cannot bypass. To verify this approach, the functions and performance were determined empirically according to the proposed architecture. Functional verification confirmed that the proposed architecture denies unauthorized access to the container base image and allows access only to authorized users. It was also confirmed that the proposed architecture ensures the performance of the container platform in the same way as before, and that the proposed container image access control architecture is sufficiently effective.

show abstract

“…Despite its advantages, container-based virtualization possesses a major drawback: if a container image (We used image, container image, and Docker image inter-changeably in this article) contains security vulnerabilities, all mircoservice components related to this image are in a high risk state [ 4 ]. Malicious parties now frequently exploit vulnerable images to gain control of the entire microservice architecture [ 5 ].…”

Section: Introductionmentioning

confidence: 99%

Microservice Security Framework for IoT by Mimic Defense Mechanism

Ying

Zhao

Deng

2022

Sensors

View full text Add to dashboard Cite

Containers and microservices have become the most popular method for hosting IoT applications in cloud servers. However, one major security issue of this method is that if a container image contains software with security vulnerabilities, the associated microservices also become vulnerable at run-time. Existing works attempted to reduce this risk with vulnerability-scanning tools. They, however, demand an up-to-date database and may not work with unpublished vulnerabilities. In this paper, we propose a novel system to strengthen container security from unknown attack using the mimic defense framework. Specifically, we constructed a resource pool with variant images and observe the inconsistency in execution results, from which we can identify potential vulnerabilities. To avoid continuous attack, we created a graph-based scheduling strategy to maximize the randomness and heterogeneity of the images used to replace the current images. We implemented a prototype using Kubernetes. Experimental results show that our framework makes hackers have to send 54.9% more random requests to complete the attack and increases the defence success rate by around 8.16% over the baseline framework to avoid the continuous unknown attacks.

show abstract

Container-Based Module Isolation for Cloud Services

Cited by 13 publications

References 21 publications

Container Security: An Extensive Roadmap

Container Security: An Extensive Roadmap

Container Image Access Control Architecture to Protect Applications

Microservice Security Framework for IoT by Mimic Defense Mechanism

Contact Info

Product

Resources

About