DATS - Data Containers for Web Applications

Hunger, Casen; Vilanova, Lluís; Papamanthou, Charalampos; Etsion, Yoav; Tiwari, Mohit

doi:10.1145/3296957.3173213

Cited by 4 publications

(3 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Inside container: We tested 4 exploits. Among these, 3 of them (CVE-2017-7308 15 , CVE-2017-6074 16 and CVE-2017-1000112 17 require capability SYS ADMIN to launch and 1 (CVE-2016-9793 18 ) requires capability NET ADMIN. If none of these capabilities are given to the container, all of these attacks fail.…”

Section: Analysis Of Privilege Escalation Attacksmentioning

confidence: 99%

“…There are some researches proposing security countermeasure or algorithm against a particular attack category of container. This includes special investigations on DoS attacks [12], container escape attacks [19], attacks from the underlying compromised higher-privileged system software such as the OS kernel and the hypervisor [2], covert channels attacks [24] and the application level attacks [18]. In [12], Chelladhurai et.…”

Section: Performancementioning

confidence: 99%

“…They also stress that the deployment of a full-fledged SELinux or AppArmor security policy is a key condition to protect the security perimeters of containers. Study about increase the application level isolation for containers is presented in the work of Hunger et al [18]. The authors propose DATS which is a system to run web applications that heavily access data in shared folders and that are deployed with containers.…”

Section: Performancementioning

confidence: 99%

See 2 more Smart Citations

Lic-Sec: an enhanced AppArmor Docker security profile generator

Zhu

Gehrmann

2020

Preprint

View full text Add to dashboard Cite

Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manually configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 42 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-db. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec failed to give protection.

show abstract

Section: Analysis Of Privilege Escalation Attacksmentioning

confidence: 99%

Section: Performancementioning

confidence: 99%

Section: Performancementioning

confidence: 99%

See 1 more Smart Citation

Lic-Sec: an enhanced AppArmor Docker security profile generator

Zhu

Gehrmann

2020

Preprint

View full text Add to dashboard Cite

show abstract

The state‐of‐the‐art in container technologies: Application, orchestration and security

Casalicchio

Iannucci

2020

Concurrency and Computation

View full text Add to dashboard Cite

SummaryContainerization is a lightweight virtualization technology enabling the deployment and execution of distributed applications on cloud, edge/fog, and Internet‐of‐Things platforms. Container technologies are evolving at the speed of light, and there are many open research challenges. In this paper, an extensive literature review is presented that identifies the challenges related to the adoption of container technologies in High Performance Computing, Big Data analytics, and geo‐distributed (Edge, Fog, Internet‐of‐Things) applications. From our study, it emerges that performance, orchestration, and cyber‐security are the main issues. For each challenge, the state‐of‐the‐art solutions are then analyzed. Performance is related to the assessment of the performance footprint of containers and comparison with the footprint of virtual machines and bare metal deployments, the monitoring, the performance prediction, the I/O throughput improvement. Orchestration is related to the selection, the deployment, and the dynamic control of the configuration of multi‐container packaged applications on distributed platforms. The focus of this work is on run‐time adaptation. Cyber‐security is about container isolation, confidentiality of containerized data, and network security. From the analysis of 97 papers, it came out that the state‐of‐the‐art is more mature in the area of performance evaluation and run‐time adaptation rather than in security solutions. However, the main unsolved challenges are I/O throughput optimization, performance prediction, multilayer monitoring, isolation, and data confidentiality (at rest and in transit).

show abstract

Access Security Policy Generation for Containers as a Cloud Service

Zhu,

Gehrmann,

Roth

2023

SN COMPUT. SCI.

View full text Add to dashboard Cite

The rapid development of containerization technology comes with remarkable benefits for developers and operation teams. Container solutions allow building very flexible software infrastructures. Although lots of efforts have been devoted to enhancing containerization security, containerized environments still have a huge attack surface. Completely avoiding severe security issues have so far not been possible to achieve. However, the security problems due to vulnerabilities in for instance kernels, can be largely reduced if the container privileges are as restricted as possible. Mandatory access control is an efficient way to achieve this using for instance AppArmor. As manual AppArmor generation is tedious and error prone, automatic generation of protection profile is necessary. In previous research, a new tool for tight AppArmor profile generation was presented. In this paper we show how, in a system setting, such tool can be combined with container service testing, to provide a cloud based container service for automatic AppArmore profile generation. We present solutions for profile generation both for centrally collected and generated container logs and for log collection through a local agent. To evaluate the effectiveness of the profile generation service, we enable it on a widely used containerized web service to generate profiles and test them with real-world attacks. We generate an exploit database with 11 exploits harmful to the tested web service. These exploits are sifted from the 56 exploits of Exploit-db targeting the tested web service’s software. We launch these exploits on the web service protected by the profile. The results show that the proposed profile generation service improves the test web service’s overall security a lot compared to using the default Docker security profile. This together with the very user friendly and robust principle for setting up and running the service, clearly indicates that the approach is an important step for improving container security in real deployments.

show abstract

DATS - Data Containers for Web Applications

Cited by 4 publications

References 45 publications

Lic-Sec: an enhanced AppArmor Docker security profile generator

Lic-Sec: an enhanced AppArmor Docker security profile generator

The state‐of‐the‐art in container technologies: Application, orchestration and security

Access Security Policy Generation for Containers as a Cloud Service

Contact Info

Product

Resources

About