Abstract
Containerization solutions have spread widely in the industry due to their ease of deployment, agility, and portability. However, their adoption is not without challenges and difficulties in the field of security. This paper presents an overview of the vulnerabilities present in application containerization solutions, paying special attention to the security aspects related to them. Applying the conclusions of this analysis, a containerization system focused on offering AI and robotics services in the cloud is also proposed.
The research described in this article has been partially funded by addendum 4 to the framework convention between the University of León and Instituto Nacional de Ciberseguridad (INCIBE).
Copyright information
© 2021 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Fernández-Becerra, L., Fernández González, D., Guerrero-Higueras, Á.M., Rodríguez Lera, F.J., Fernández-Llamas, C. (2021). Cybersecurity Overview of a Robot as a Service Platform. In: Herrero, Á., Cambra, C., Urda, D., Sedano, J., Quintián, H., Corchado, E. (eds) 13th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2020). CISIS 2019. Advances in Intelligent Systems and Computing, vol 1267. Springer, Cham. https://doi.org/10.1007/978-3-030-57805-3_13
DOI: https://doi.org/10.1007/978-3-030-57805-3_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57804-6
Online ISBN: 978-3-030-57805-3
eBook Packages: Intelligent Technologies and Robotics (R0)