
A Container-Oriented Virtual-Machine-Introspection-Based Security Monitor to Secure Containers in Cloud Computing

  • Conference paper
Artificial Intelligence and Security (ICAIS 2021)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12737)

  • The original version of this chapter was revised: Shen Su and Zhihong Tian have been added as co-authors and their affiliations have been added. The correction to this chapter is available at https://doi.org/10.1007/978-3-030-78612-0_61

Abstract

In recent years, container technology has been widely used in cloud computing, so security monitoring for containers has also received widespread attention. To strengthen isolation between containers, cloud service providers usually run containers in separate virtual machines. In this setting, in-container security tools can be detected or attacked by an in-container attacker, and in-VM security tools are exposed to container escape attacks. This paper proposes a container-oriented virtual machine introspection (VMI) technique to secure containers in cloud computing. The monitor runs in the cloud hypervisor and analyzes the containers inside each VM, so it is more secure and more transparent than in-VM tools: even if a container escapes to the VM's operating system, the security monitor remains secure. First, our approach uses VMI to identify, from outside the VM, the namespaces and the processes belonging to each container. Second, security analysis is performed per container on the processes identified, and the system can respond to anomalies in real time based on the analysis results. Finally, the system monitors container escape behaviour from outside the VM. Experimental results show that the approach can automatically perform security analysis for different containers and can monitor container escape behaviour with acceptable overhead.
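The first step the abstract describes, identifying namespaces and container processes from outside the VM, reduces to walking kernel data structures in raw guest memory. The Python block below is an added illustration and is not the paper's code nor a LibVMI or Volatility script: it constructs a toy guest memory image with a flat, identity-mapped address space and made-up task_struct and nsproxy offsets (a real monitor takes the offsets from the guest kernel's debug symbols and translates guest virtual addresses through the page tables), walks the circular task list from init_task, groups tasks into containers by their (mnt_ns, pid_ns) pair, and flags the simplest escape pattern: a task that holds the host's namespaces while its parent is still inside a container. The six tasks and three nsproxy records are constructed sample data.

```python
"""Toy VMI walk of a guest kernel's task list, grouping tasks by namespace.

Added illustration, not the paper's code. Offsets, addresses and tasks below
are constructed; a real monitor takes struct offsets from the guest kernel's
debug info and translates guest virtual addresses via the page tables.
"""
import struct
from collections import defaultdict

# Constructed task_struct layout (not Linux's real offsets).
TASK_PID = 0x00         # u32 pid
TASK_PARENT = 0x08      # u64 pointer to parent task_struct
TASK_TASKS_NEXT = 0x10  # u64 list_head.next -> next task's embedded list_head
TASK_NSPROXY = 0x18     # u64 pointer to struct nsproxy
TASK_COMM = 0x20        # 16-byte NUL-padded command name
TASK_SIZE = 0x30
# Constructed nsproxy layout.
NS_MNT = 0x00           # u64 pointer to mount namespace
NS_PID = 0x08           # u64 pointer to pid namespace
NSPROXY_SIZE = 0x10


def _u32(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]


def _u64(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]


def build_guest_image():
    """Return (memory bytes, init_task address) for a constructed guest."""
    ns_host, ns_a, ns_b = 0x1000, 0x1000 + NSPROXY_SIZE, 0x1000 + 2 * NSPROXY_SIZE
    # (pid, parent pid, nsproxy, comm). pid 301 is forked by container B's shell
    # but carries the host's nsproxy: the escape pattern detect_escapes() flags.
    spec = [
        (1, 0, ns_host, b"systemd"),
        (100, 1, ns_host, b"containerd-shim"),
        (200, 100, ns_a, b"nginx"),
        (201, 200, ns_a, b"nginx"),
        (300, 100, ns_b, b"sh"),
        (301, 300, ns_host, b"bash"),
    ]
    addr_of = {pid: 0x100 + i * TASK_SIZE for i, (pid, _, _, _) in enumerate(spec)}
    mem = bytearray(0x2000)
    for i, (pid, ppid, nsp, comm) in enumerate(spec):
        base = addr_of[pid]
        nxt = addr_of[spec[(i + 1) % len(spec)][0]]
        struct.pack_into("<I", mem, base + TASK_PID, pid)
        struct.pack_into("<Q", mem, base + TASK_PARENT, addr_of.get(ppid, base))
        # As in Linux, list_head.next points at the next struct's list_head,
        # not at its base; the walker must undo that (container_of).
        struct.pack_into("<Q", mem, base + TASK_TASKS_NEXT, nxt + TASK_TASKS_NEXT)
        struct.pack_into("<Q", mem, base + TASK_NSPROXY, nsp)
        struct.pack_into("16s", mem, base + TASK_COMM, comm)
    # Distinct namespace pointers per nsproxy (constructed ids).
    for nsp, (mnt, pidns) in ((ns_host, (0xA0, 0xB0)), (ns_a, (0xA1, 0xB1)), (ns_b, (0xA2, 0xB2))):
        struct.pack_into("<Q", mem, nsp + NS_MNT, mnt)
        struct.pack_into("<Q", mem, nsp + NS_PID, pidns)
    return bytes(mem), addr_of[1]


def walk_tasks(mem, init_task):
    """Follow task_struct.tasks around the circular list starting at init_task."""
    tasks = {}
    addr = init_task
    while addr not in tasks:  # a corrupted list would otherwise loop forever
        nsp = _u64(mem, addr + TASK_NSPROXY)
        comm = mem[addr + TASK_COMM:addr + TASK_COMM + 16].split(b"\0", 1)[0]
        tasks[addr] = {
            "pid": _u32(mem, addr + TASK_PID),
            "parent": _u64(mem, addr + TASK_PARENT),
            "comm": comm.decode(),
            "ns": (_u64(mem, nsp + NS_MNT), _u64(mem, nsp + NS_PID)),
        }
        addr = _u64(mem, addr + TASK_TASKS_NEXT) - TASK_TASKS_NEXT  # container_of
    return tasks


def group_by_container(tasks, init_task):
    """Map each (mnt_ns, pid_ns) pair to its pids; init's pair is the host."""
    host_ns = tasks[init_task]["ns"]
    groups = defaultdict(list)
    for t in tasks.values():
        groups["host" if t["ns"] == host_ns else t["ns"]].append(t["pid"])
    return {k: sorted(v) for k, v in groups.items()}


def detect_escapes(tasks, init_task):
    """Flag tasks in the host's namespaces whose parent is inside a container."""
    host_ns = tasks[init_task]["ns"]
    hits = []
    for t in tasks.values():
        parent = tasks.get(t["parent"])
        if parent and parent["ns"] != host_ns and t["ns"] == host_ns:
            hits.append((t["pid"], t["comm"], parent["pid"]))
    return sorted(hits)


if __name__ == "__main__":
    mem, init_task = build_guest_image()
    tasks = walk_tasks(mem, init_task)
    print(group_by_container(tasks, init_task))
    print(detect_escapes(tasks, init_task))
```

Run it directly to print the per-container grouping and the flagged task. Two details matter in practice: the container_of step (subtracting the list_head offset from tasks.next) is what most often trips up hand-written walkers, and the visited-set check guards against a corrupted or mid-update list, which a hypervisor-side reader can observe because it reads guest memory without holding the guest's locks.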


Change history

  • 09 July 2021

    The original version of this chapter was revised. Shen Su and Zhihong Tian have been added as co-authors, as they made important contributions to the paper.


Funding

This paper is supported by the National Natural Science Foundation of China under grant No. 61872111.

Author information

Corresponding author

Correspondence to Zhaofeng Yu.


Ethics declarations

The authors declare that they have no conflicts of interest to report regarding the present study.


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Yu, Z., Ye, L., Zhang, H., Zhan, D., Su, S., Tian, Z. (2021). A Container-Oriented Virtual-Machine-Introspection-Based Security Monitor to Secure Containers in Cloud Computing. In: Sun, X., Zhang, X., Xia, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2021. Lecture Notes in Computer Science, vol 12737. Springer, Cham. https://doi.org/10.1007/978-3-030-78612-0_8

  • DOI: https://doi.org/10.1007/978-3-030-78612-0_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78611-3

  • Online ISBN: 978-3-030-78612-0

  • eBook Packages: Computer Science (R0)
