Abstract
Container technology provides a lightweight operating system level virtual hosting environment. Its emergence profoundly changes the development and deployment paradigms of multi-tier distributed applications. However, due to the incomplete implementation of system resource isolation mechanisms in the Linux kernel, some security concerns still exist for multiple containers sharing an operating system kernel on a multi-tenancy container-based cloud service. In this paper, we first present the information leakage channels we discovered that are accessible within containers. Such channels expose a spectrum of system-wide host information to containers without proper resource partitioning. By exploiting such leaked host information, it becomes much easier for malicious adversaries (acting as tenants in a container cloud) to launch attacks that might impact the reliability of cloud services. We demonstrate that the information leakage channels could be exploited to infer private data, detect and verify co-residence, build covert channels, and launch more advanced cloud-based attacks. We discuss the root causes of the containers' information leakage and propose a two-stage defense approach. As demonstrated in the evaluation, our defense is effective and incurs trivial performance overhead.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
More From: IEEE Transactions on Dependable and Secure Computing
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.