DOI: 10.1145/3366615.3368356

Can Container Fusion Be Securely Achieved?

Published: 09 December 2019

Abstract

Linux containers are key enablers for building microservices. An application's microservices fall broadly into two categories: core-microservices, which implement the business logic, and utility-microservices, which implement middleware functionality such as vulnerability scanning, monitoring and telemetry. Segregating the utility-microservices in containers separate from the core-microservice containers may prevent them from performing their function, because of the strong isolation between containers. By diffusing the boundaries between containers we can fuse them together and enable close collaboration. However, this raises several security concerns, especially since the utility-microservices may contain vulnerabilities that threaten the entire application. In this paper, we analyze the different techniques for enhancing the security of container fusion and present an automated solution based on Kubernetes to configure utility-microservice containers to fuse with core-microservice containers.
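The following script is an added illustration of the configuration problem the abstract describes; it is not code from the paper, which does not specify its fusion mechanism or its hardening rules. It assumes that fusion is achieved with the Kubernetes Pod field shareProcessNamespace (so a utility container can see the core container's processes), uses a constructed sample Pod, and uses a hypothetical per-utility capability allow-list (UTILITY_CAPS). It audits every container's securityContext for settings that would let a vulnerable utility threaten the whole application, and produces a hardened copy in which the utility container keeps only the named capabilities, runs as non-root with a read-only root filesystem, and is confined by the runtime's default seccomp profile.

```python
"""Audit and harden a 'fused' utility container in a Kubernetes Pod spec.

Added example, not the paper's code. Assumptions: shareProcessNamespace is the
fusion mechanism, and UTILITY_CAPS is a hypothetical allow-list of the only
capabilities each utility container needs.
"""
import copy

# Constructed sample Pod (not from the paper): a core service fused with a
# monitoring utility through a shared PID namespace. The utility is deployed
# as a vendor manifest might ship it, privileged and otherwise unconstrained.
FUSED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "orders"},
    "spec": {
        "shareProcessNamespace": True,
        "containers": [
            {"name": "core", "image": "example/orders:1.0"},
            {"name": "monitor", "image": "example/monitor:2.3",
             "securityContext": {"privileged": True}},
        ],
    },
}

# Hypothetical allow-list: which capabilities each utility may keep after
# dropping everything else. Only utility containers are listed here.
UTILITY_CAPS = {"monitor": ["SYS_PTRACE"]}

# Pod-level namespaces that fuse the Pod with the node, not just the
# utility with the core container; a vulnerable utility then threatens the host.
POD_LEVEL_RISKS = ("hostPID", "hostNetwork", "hostIPC")


def container_findings(container, allowed_caps):
    """Return findings for one container's securityContext (empty if hardened)."""
    sc = container.get("securityContext", {})
    name = container["name"]
    findings = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        findings.append(f"{name}: allowPrivilegeEscalation not false")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot not set")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: readOnlyRootFilesystem not set")
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append(f"{name}: no seccomp profile")
    caps = sc.get("capabilities", {})
    if "ALL" not in caps.get("drop", []):
        findings.append(f"{name}: capabilities not dropped")
    extra = sorted(set(caps.get("add", [])) - set(allowed_caps))
    if extra:
        findings.append(f"{name}: capabilities beyond allow-list {extra}")
    return findings


def fusion_findings(pod, utility_caps, names=None):
    """Audit a Pod; restrict to the given container names when names is given."""
    spec = pod["spec"]
    findings = [f"pod: {k} enabled" for k in POD_LEVEL_RISKS if spec.get(k)]
    for c in spec["containers"]:
        if names is None or c["name"] in names:
            findings += container_findings(c, utility_caps.get(c["name"], []))
    return findings


def harden_utility(pod, utility_caps):
    """Return a copy of the Pod with each listed utility container tightened.

    The shared namespace (the fusion itself) is kept; what changes is how much
    damage the utility can do if it is compromised.
    """
    hardened = copy.deepcopy(pod)
    for c in hardened["spec"]["containers"]:
        if c["name"] in utility_caps:
            c["securityContext"] = {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "seccompProfile": {"type": "RuntimeDefault"},
                "capabilities": {"drop": ["ALL"],
                                 "add": list(utility_caps[c["name"]])},
            }
    return hardened


if __name__ == "__main__":
    for line in fusion_findings(FUSED_POD, UTILITY_CAPS):
        print("before:", line)
    for line in fusion_findings(harden_utility(FUSED_POD, UTILITY_CAPS), UTILITY_CAPS):
        print("after: ", line)
```

Two caveats a practitioner should check on a real cluster: a capability added to a container that runs as non-root sits in the bounding set but is not effective for the process unless the binary carries file capabilities, so verify inside the container rather than trusting the manifest; and a read-only root filesystem usually requires an emptyDir mount for whatever scratch directory the utility writes to.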




Published In

WOC '19: Proceedings of the 5th International Workshop on Container Technologies and Container Clouds, December 2019, 52 pages. ISBN: 9781450370332. DOI: 10.1145/3366615
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Kubernetes
  2. Linux containers
  3. microservices
  4. orchestration
  5. security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

Middleware '19

Article Metrics

  • Downloads (Last 12 months)15
  • Downloads (Last 6 weeks)0
Reflects downloads up to 03 Mar 2025

Cited By

  • Microservices Security Challenges and Approaches. Proceedings of the 30th International Conference on Information Systems Development, 2023. DOI: 10.62036/ISD.2022.27
  • Access Control Design Practice and Solutions in Cloud-Native Architecture: A Systematic Mapping Study. Sensors 23(7):3413, 24 March 2023. DOI: 10.3390/s23073413
  • Take Over the Whole Cluster: Attacking Kubernetes via Excessive Permissions of Third-party Applications. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3048-3062, 15 November 2023. DOI: 10.1145/3576915.3623121
  • Flow based containerized honeypot approach for network traffic analysis: An empirical study. Computer Science Review 50:100600, November 2023. DOI: 10.1016/j.cosrev.2023.100600
  • Container Security: Precaution levels, Mitigation Strategies, and Research Perspectives. Computers & Security, 103490, September 2023. DOI: 10.1016/j.cose.2023.103490
  • SoK. Computers and Security 127(C), 1 April 2023. DOI: 10.1016/j.cose.2023.103119
  • Container Hardening Through Automated Seccomp Profiling. Proceedings of the 2020 6th International Workshop on Container Technologies and Container Clouds, pp. 31-36, 7 December 2020. DOI: 10.1145/3429885.3429966
