Secure Namespaced Kernel Audit for Containers

Lim, Soo Yee; Stelea, Bogdan; Han, Xueyuan; Pasquier, Thomas

doi:10.1145/3472883.3486976

Cited by 8 publications

(1 citation statement)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…C ONTAINERS, also known as operating system (OS)level virtualization, are increasingly adopted in data center management due to their high performance compared to hypervisor-based virtualization, i.e., virtual machines (VMs) [1]. While OS-level virtualization offers nearnative performance, it does not provide adequate isolation between containers since all on one host share the same OS kernel [2]. The weak isolation has been shown to affect both the security and performance of containers in shared environments [3].…”

Section: Introductionmentioning

confidence: 99%

vKernel: Enhancing Container Isolation via Private Code and Data

Huang,

Wang,

Rao

et al. 2024

IEEE Trans. Comput.

View full text Add to dashboard Cite

Container technology is increasingly adopted in cloud environments. However, the lack of isolation in the shared kernel becomes a significant barrier to the wide adoption of containers. The challenges lie in how to simultaneously attain high performance and isolation. On the one hand, kernel-level isolation mechanisms, such as seccomp, capabilities, and apparmor, achieve good performance without much overhead, but lack the support for per-container customization. On the other hand, user-level and VM-based isolation offer superior security guarantees and allow for customization since a container is assigned a dedicated kernel, however, at the cost of high overhead. We present vKernel, a kernel isolation framework. It maintains a minimal set of code and data that are either sensitive or are prone to interference in a virtual kernel instance (vKI). vKernel relies on inline hooks to intercept and redirect requests sent to the host kernel to a vKI, where container-specific security rules, functions, and data are implemented. Through case studies, we demonstrate that under vKernel user-defined data isolation and kernel customization can be supported with a reasonable engineering effort. An evaluation of vKernel with micro-benchmarks, cloud services, real-world applications show that vKernel achieves good security guarantees, but with much less overhead.

show abstract

Section: Introductionmentioning

confidence: 99%