ABSTRACT
As one of the main technologies supporting virtualization in cloud computing, Docker provides fast, lightweight virtualization at the operating-system level and is widely used across a variety of cloud platforms. Docker faces the risk of attacks in which malicious users exploit kernel vulnerabilities: once an exploit program inside a container launches an effective escape attack, it can gain root privilege on the host, which affects the reliability of the other containers and of the entire system. This paper discusses Docker's existing security mechanisms and security issues, summarizes the methods and characteristics of Docker escape attacks, and proposes a defense method based on status inspection of namespaces, which is proved to be able to detect anomalous processes and prevent escape behaviors.
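One concrete form that "status inspection of namespaces" can take is to compare the namespace identities of every process attributed to a container against those of the container's init process, as seen from the host. Each namespace a process belongs to is exposed as a symlink under /proc/<pid>/ns/, and the link target carries the namespace's inode number; a process that has moved into a different namespace (for example the host's mount or PID namespace) shows a different inode for that kind. The following Python script is an added illustration and is not the paper's implementation: the function names, the baseline-versus-member comparison and all sample namespace values are assumptions constructed for the example.

```python
"""Namespace status inspection: flag container processes whose namespaces no
longer match those of the container's init process.

Added illustration, not the paper's implementation. Function names, the
baseline-vs-member comparison and all sample data below are assumptions.
"""
import os
from typing import Dict, List, Tuple

# Namespace kinds exposed as /proc/<pid>/ns/<kind> symlinks on Linux.
NAMESPACE_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")

NamespaceSet = Dict[str, str]          # kind -> "kind:[inode]"
Anomaly = Tuple[int, str, str, str]    # (pid, kind, expected, actual)


def read_process_namespaces(pid: int, proc_root: str = "/proc") -> NamespaceSet:
    """Read the namespace symlinks of one live process.

    Each link resolves to a string such as 'mnt:[4026531840]'; the number is
    the namespace inode, which is the identity the kernel gives that namespace.
    """
    namespaces: NamespaceSet = {}
    for kind in NAMESPACE_KINDS:
        link = os.path.join(proc_root, str(pid), "ns", kind)
        try:
            namespaces[kind] = os.readlink(link)
        except OSError:
            # Kind not supported by this kernel, process already exited, or
            # insufficient permission: record nothing for this kind.
            continue
    return namespaces


def find_namespace_anomalies(baseline: NamespaceSet,
                             processes: Dict[int, NamespaceSet]) -> List[Anomaly]:
    """Compare every process against the baseline (normally the container's
    init process, read from the host) and return each mismatching namespace."""
    anomalies: List[Anomaly] = []
    for pid in sorted(processes):
        observed = processes[pid]
        for kind, expected in baseline.items():
            actual = observed.get(kind)
            # A missing entry is not a mismatch: the kind may simply be
            # unavailable for that process (see read_process_namespaces).
            if actual is not None and actual != expected:
                anomalies.append((pid, kind, expected, actual))
    return anomalies


def inspect_container(init_pid: int, member_pids: List[int],
                      proc_root: str = "/proc") -> List[Anomaly]:
    """Live variant: take the baseline from the container's init process, then
    check every member PID (e.g. the PIDs listed in the container's cgroup)."""
    baseline = read_process_namespaces(init_pid, proc_root)
    members = {pid: read_process_namespaces(pid, proc_root) for pid in member_pids}
    return find_namespace_anomalies(baseline, members)


# ---- Constructed sample data (not captured from a real system) -------------
# Host namespaces: what a process would show after leaving the container.
HOST_NS: NamespaceSet = {
    "mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]",
    "net": "net:[4026531992]", "ipc": "ipc:[4026531839]",
    "uts": "uts:[4026531838]", "user": "user:[4026531837]",
    "cgroup": "cgroup:[4026531835]",
}
# Container namespaces. The user namespace equals the host's, as it does when
# Docker runs without user-namespace remapping, so it can never be flagged.
CONTAINER_NS: NamespaceSet = {
    "mnt": "mnt:[4026532455]", "pid": "pid:[4026532456]",
    "net": "net:[4026532459]", "ipc": "ipc:[4026532457]",
    "uts": "uts:[4026532458]", "user": HOST_NS["user"],
    "cgroup": "cgroup:[4026532460]",
}
# Processes attributed to the container (host-side PIDs). PID 4312 now sits in
# the host's mount and PID namespaces while keeping the container's others.
CONSTRUCTED_PROCESSES: Dict[int, NamespaceSet] = {
    4301: dict(CONTAINER_NS),                                        # container init
    4310: dict(CONTAINER_NS),                                        # normal worker
    4311: {k: v for k, v in CONTAINER_NS.items() if k != "cgroup"},  # kind unavailable
    4312: {**CONTAINER_NS, "mnt": HOST_NS["mnt"], "pid": HOST_NS["pid"]},
}


def demo() -> List[Anomaly]:
    """Run the inspection over the constructed sample, using 4301 as baseline."""
    return find_namespace_anomalies(CONSTRUCTED_PROCESSES[4301], CONSTRUCTED_PROCESSES)


if __name__ == "__main__":
    for pid, kind, expected, actual in demo():
        print(f"pid {pid}: {kind} namespace changed from {expected} to {actual}")
```

The inspection is done from the host's view of /proc rather than from inside the container, because a process that has already left the container's namespaces can no longer be trusted to report on itself. The sample also shows the method's limit: a namespace the container shares with the host, such as the user namespace when remapping is off, gives no signal, so the check is only as strong as the isolation the container was started with.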