Abstract
Containers have quickly become a popular alternative to more traditional virtualization methods such as hypervisor-based virtualization. Because they reside at the operating system level, containers offer a solution that is cheap in terms of resource usage and flexible in how it can be applied. The purpose of this chapter is two-fold: first, we provide a brief overview of the available container security solutions and how they operate, and second, we further elaborate and assess the security requirements for containers proposed by Reshetova et al. We examine current and past security threats and Common Vulnerabilities and Exposures (CVE) faced by container systems and show how attacks that exploit them violate the aforementioned requirements. Based on our analysis, we contribute by identifying further security requirements for container systems.
References
Morabito, R., Kjallman, J., & Komu, M. (2015). Hypervisors vs. lightweight virtualization: a performance comparison. In 2015 IEEE International Conference on Cloud Engineering (IC2E) (pp. 386–393). IEEE.
Uhlig, R., Neiger, G., Rodgers, D., Santoni, A., Martins, F., Anderson, A., et al. (2005). Intel virtualization technology. Computer, 38(5), 48–56.
Wang, X., Lazar, D., Zeldovich, N., Chlipala, A., & Tatlock, Z. (2014). Jitk: A trustworthy in-kernel interpreter infrastructure. In 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14), USENIX Association, Broomfield, CO (pp. 33–47). Retrieved from https://www.usenix.org/conference/osdi14/technical-sessions/presentation/wang_xi.
Reshetova, E., Karhunen, J., Nyman, T., & Asokan, N. (2014). Security of OS-level virtualization technologies. In Secure IT Systems (pp. 77–93). Springer.
Grattafiori, A. (2016). Understanding and hardening Linux containers. NCC Group whitepaper.
(2016). namespaces(7)—Linux manual page. Retrieved from http://man7.org/linux/man-pages/man7/namespaces.7.html.
(2016). unshare(2)—Linux manual page. Retrieved from http://man7.org/linux/man-pages/man2/unshare.2.html.
(2016). clone(2)—Linux manual page. Retrieved from http://man7.org/linux/man-pages/man2/clone.2.html.
(2016). setns(2)—Linux manual page. Retrieved from http://man7.org/linux/man-pages/man2/setns.2.html.
Potter, S., & Nieh, J. (2010). Apiary: Easy-to-use desktop application fault containment on commodity operating systems. In ATC 2010: USENIX Annual Technical Conference.
(2016). cgroups(7)—Linux manual page. Retrieved from http://man7.org/linux/man-pages/man7/cgroups.7.html.
(2016). capabilities(7)—Linux manual page. Retrieved from http://man7.org/linux/man-pages/man7/capabilities.7.html.
(2016b). Linux Containers - LXC - Security. Retrieved from https://linuxcontainers.org/lxc/security/.
(2016a). Docker—Build, ship, and run any app, anywhere. Retrieved from https://www.docker.com.
(2016c). docker/defaults_linux.go at master · docker/docker · GitHub. Retrieved from https://github.com/docker/docker/blob/master/oci/defaults_linux.go#L62-L77.
(2016d). Seccomp security profiles for Docker. Retrieved from https://docs.docker.com/engine/security/seccomp/.
(2016b). Docker security. Retrieved from https://docs.docker.com/engine/security/security/.
(2016). Open Container Project. Retrieved from https://runc.io.
(2016a). Linux Containers. Retrieved from https://linuxcontainers.org.
(2016). rkt, a security-minded, standards-based container engine. Retrieved from https://coreos.com/rkt/.
(2009a) CVE-2009-1338. Available from MITRE, CVE-ID CVE-2009-1338. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1338.
(2009b) CVE-2009-1360. Available from MITRE, CVE-ID CVE-2009-1360. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1360.
(2011) CVE-2011-2189. Available from MITRE, CVE-ID CVE-2011-2189. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2189.
(2013) CVE-2013-1957. Available from MITRE, CVE-ID CVE-2013-1957. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1957.
(2014a) CVE-2014-0048. Available from MITRE, CVE-ID CVE-2014-0048. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0048.
(2014b) CVE-2014-3499. Available from MITRE, CVE-ID CVE-2014-3499. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3499.
(2014c) CVE-2014-5206. Available from MITRE, CVE-ID CVE-2014-5206. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206.
(2014d) CVE-2014-5277. Available from MITRE, CVE-ID CVE-2014-5277. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5277.
(2014e) CVE-2014-7970. Available from MITRE, CVE-ID CVE-2014-7970. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970.
(2014f) CVE-2014-7975. Available from MITRE, CVE-ID CVE-2014-7975. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7975.
(2014g) CVE-2014-9717. Available from MITRE, CVE-ID CVE-2014-9717. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9717.
(2015a) CVE-2015-1328. Available from MITRE, CVE-ID CVE-2015-1328. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1328.
(2015b) CVE-2015-2925. Available from MITRE, CVE-ID CVE-2015-2925. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925.
(2015c) CVE-2015-4176. Available from MITRE, CVE-ID CVE-2015-4176. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4176.
(2015d) CVE-2015-4177. Available from MITRE, CVE-ID CVE-2015-4177. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4177.
(2015e) CVE-2015-4178. Available from MITRE, CVE-ID CVE-2015-4178. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4178.
(2015f) CVE-2015-8543. Available from MITRE, CVE-ID CVE-2015-8543. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543.
(2016a) CVE-2016-1576. Available from MITRE, CVE-ID CVE-2016-1576. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1576.
(2016b) CVE-2016-2853. Available from MITRE, CVE-ID CVE-2016-2853. Retrieved from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2853.
(2016e) Understand docker container networks. Retrieved from https://docs.docker.com/v1.10/engine/userguide/networking/dockernetworks/.
Copyright information
© 2017 Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Laurén, S., Reza Memarian, M., Conti, M., Leppänen, V. (2017). Analysis of Security in Modern Container Platforms. In: Chaudhary, S., Somani, G., Buyya, R. (eds) Research Advances in Cloud Computing. Springer, Singapore. https://doi.org/10.1007/978-981-10-5026-8_14
DOI: https://doi.org/10.1007/978-981-10-5026-8_14
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-5025-1
Online ISBN: 978-981-10-5026-8
eBook Packages: Computer Science, Computer Science (R0)