Analysis of Security in Modern Container Platforms

Chapter in: Research Advances in Cloud Computing

Abstract

Containers have quickly become a popular alternative to more traditional virtualization methods such as hypervisor-based virtualization. Residing at the operating-system level, containers offer a solution that is cheap in terms of resource usage and flexible in the way it can be applied. The purpose of this chapter is twofold: first, we provide a brief overview of available container security solutions and how they operate, and second, we further elaborate and assess the security requirements for containers proposed by Reshetova et al. We examine current and past security threats and Common Vulnerabilities and Exposures (CVE) faced by container systems and show how attacks that exploit them violate the aforementioned requirements. Based on our analysis, we contribute by identifying additional security requirements for container systems.

References

  1. Morabito, R., Kjallman, J., & Komu, M. (2015). Hypervisors vs. lightweight virtualization: A performance comparison. In 2015 IEEE International Conference on Cloud Engineering (IC2E) (pp. 386–393). IEEE.

  2. Uhlig, R., Neiger, G., Rodgers, D., Santoni, A., Martins, F., Anderson, A., et al. (2005). Intel virtualization technology. Computer, 38(5), 48–56.

  3. Wang, X., Lazar, D., Zeldovich, N., Chlipala, A., & Tatlock, Z. (2014). Jitk: A trustworthy in-kernel interpreter infrastructure. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14), USENIX Association, Broomfield, CO (pp. 33–47). Retrieved from https://www.usenix.org/conference/osdi14/technical-sessions/presentation/wang_xi.

  4. Reshetova, E., Karhunen, J., Nyman, T., & Asokan, N. (2014). Security of OS-level virtualization technologies. In Secure IT Systems (pp. 77–93). Springer.

  5. Grattafiori, A. (2016). Understanding and hardening Linux containers. NCC Group whitepaper.

  6. (2016) namespaces(7) — Linux manual page. Retrieved from http://man7.org/linux/man-pages/man7/namespaces.7.html.

  7. (2016) unshare(2) — Linux manual page. Retrieved from http://man7.org/linux/man-pages/man2/unshare.2.html.

  8. (2016) clone(2) — Linux manual page. Retrieved from http://man7.org/linux/man-pages/man2/clone.2.html.

  9. (2016) setns(2) — Linux manual page. Retrieved from http://man7.org/linux/man-pages/man2/setns.2.html.

  10. Potter, S., & Nieh, J. (2010). Apiary: Easy-to-use desktop application fault containment on commodity operating systems. In ATC 2010: USENIX Annual Technical Conference.

  11. (2016) cgroups(7) — Linux manual page. Retrieved from http://man7.org/linux/man-pages/man7/cgroups.7.html.

  12. (2016) capabilities(7) — Linux manual page. Retrieved from http://man7.org/linux/man-pages/man7/capabilities.7.html.

  13. (2016b) Linux containers: LXC security. Retrieved from https://linuxcontainers.org/lxc/security/.

  14. (2016a) Docker: Build, ship, and run any app, anywhere. Retrieved from https://www.docker.com.

  15. (2016c) docker/defaults_linux.go at master, docker/docker on GitHub. Retrieved from https://github.com/docker/docker/blob/master/oci/defaults_linux.go#L62-L77.

  16. (2016d) Seccomp security profiles for Docker. Retrieved from https://docs.docker.com/engine/security/seccomp/.

  17. (2016b) Docker security. Retrieved from https://docs.docker.com/engine/security/security/.

  18. (2016) Open container project. Retrieved from https://runc.io.

  19. (2016a) Linux containers. Retrieved from https://linuxcontainers.org.

  20. (2016) rkt, a security-minded, standards-based container engine. Retrieved from https://coreos.com/rkt/.

  21. (2009a) CVE-2009-1338. Available from MITRE, CVE-ID CVE-2009-1338. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1338.

  22. (2009b) CVE-2009-1360. Available from MITRE, CVE-ID CVE-2009-1360. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1360.

  23. (2011) CVE-2011-2189. Available from MITRE, CVE-ID CVE-2011-2189. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2189.

  24. (2013) CVE-2013-1957. Available from MITRE, CVE-ID CVE-2013-1957. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1957.

  25. (2014a) CVE-2014-0048. Available from MITRE, CVE-ID CVE-2014-0048. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0048.

  26. (2014b) CVE-2014-3499. Available from MITRE, CVE-ID CVE-2014-3499. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3499.

  27. (2014c) CVE-2014-5206. Available from MITRE, CVE-ID CVE-2014-5206. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206.

  28. (2014d) CVE-2014-5277. Available from MITRE, CVE-ID CVE-2014-5277. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5277.

  29. (2014e) CVE-2014-7970. Available from MITRE, CVE-ID CVE-2014-7970. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970.

  30. (2014f) CVE-2014-7975. Available from MITRE, CVE-ID CVE-2014-7975. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7975.

  31. (2014g) CVE-2014-9717. Available from MITRE, CVE-ID CVE-2014-9717. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9717.

  32. (2015a) CVE-2015-1328. Available from MITRE, CVE-ID CVE-2015-1328. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1328.

  33. (2015b) CVE-2015-2925. Available from MITRE, CVE-ID CVE-2015-2925. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925.

  34. (2015c) CVE-2015-4176. Available from MITRE, CVE-ID CVE-2015-4176. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4176.

  35. (2015d) CVE-2015-4177. Available from MITRE, CVE-ID CVE-2015-4177. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4177.

  36. (2015e) CVE-2015-4178. Available from MITRE, CVE-ID CVE-2015-4178. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4178.

  37. (2015f) CVE-2015-8543. Available from MITRE, CVE-ID CVE-2015-8543. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543.

  38. (2016a) CVE-2016-1576. Available from MITRE, CVE-ID CVE-2016-1576. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1576.

  39. (2016b) CVE-2016-2853. Available from MITRE, CVE-ID CVE-2016-2853. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2853.

  40. (2016e) Understand Docker container networks. Retrieved from https://docs.docker.com/v1.10/engine/userguide/networking/dockernetworks/.

Corresponding author: M. Reza Memarian.

Copyright information

© 2017 Springer Nature Singapore Pte Ltd.

Cite this chapter

Laurén, S., Reza Memarian, M., Conti, M., Leppänen, V. (2017). Analysis of Security in Modern Container Platforms. In: Chaudhary, S., Somani, G., Buyya, R. (eds) Research Advances in Cloud Computing. Springer, Singapore. https://doi.org/10.1007/978-981-10-5026-8_14

  • DOI: https://doi.org/10.1007/978-981-10-5026-8_14

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-10-5025-1

  • Online ISBN: 978-981-10-5026-8

  • eBook Packages: Computer Science (R0)