Abstract
In recent years, container technology has been widely used in cloud computing, so security monitoring technology for containers has also received widespread attention. To strengthen container isolation, cloud service providers usually run containers inside separate virtual machines. In this environment, in-container security tools can be detected or attacked by an in-container attacker, and in-VM security tools face the risk of container escape attacks. This paper proposes a container-oriented virtual machine introspection technology to secure containers in cloud computing. It runs in the cloud hypervisor and analyzes the containers inside the VM, so it is more secure and transparent: even if a container escapes to the operating system of the VM, the security monitors remain secure. First, our approach automatically identifies the namespaces and container processes in the virtual machine from outside by using virtual machine introspection. Second, security analysis is performed on the processes belonging to different containers in the virtual machine, and our system can respond to anomalies in real time based on the analysis results. Finally, our system can monitor container escape behavior from outside. Experimental results show that the proposed approach can automatically perform security analysis for different containers and can monitor container escape behavior with acceptable overhead.
Change history
09 July 2021
The original version of this chapter was revised. Shen Su and Zhihong Tian have been added as co-authors, as they made important contributions to the paper.
Funding
This paper is supported by the National Natural Science Foundation of China under grant No. 61872111.
Ethics declarations
The authors declare that they have no conflicts of interest to report regarding the present study.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Yu, Z., Ye, L., Zhang, H., Zhan, D., Su, S., Tian, Z. (2021). A Container-Oriented Virtual-Machine-Introspection-Based Security Monitor to Secure Containers in Cloud Computing. In: Sun, X., Zhang, X., Xia, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2021. Lecture Notes in Computer Science, vol 12737. Springer, Cham. https://doi.org/10.1007/978-3-030-78612-0_8
DOI: https://doi.org/10.1007/978-3-030-78612-0_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78611-3
Online ISBN: 978-3-030-78612-0