DOI: 10.1145/3468737.3494092

Concentrated isolation for container networks toward application-aware sandbox tailoring

Published: 17 December 2021

Abstract

Containers provide lightweight, fine-grained isolation for computational resources such as CPUs, memory, storage, and networks, but their weak isolation raises security concerns. As a result, research and development efforts have focused on redesigning truly sandboxed containers with system call interception and hardware virtualization techniques, such as gVisor and Kata Containers. However, such fully integrated sandboxing can undermine the lightweight and scalable nature of containers. In this work, we propose a partially fortified sandboxing mechanism that concentrates its fortification on network isolation, building on the observation that containerized clouds and the applications running on them require different isolation levels in accordance with their unique characteristics. We describe how to efficiently implement the mechanism to fortify network isolation for containers with a para-passthrough hypervisor and report evaluation results with benchmarks and real applications. Our findings demonstrate that this fortified network isolation has good potential for tailoring sandboxes to containerized PaaS/FaaS clouds.


Cited By

  • (2022) Operating Systems and Hypervisors for Network Functions: A Survey of Enabling Technologies and Research Studies. IEEE Access 10, 79825-79873. DOI: 10.1109/ACCESS.2022.3194913


Published In

UCC '21: Proceedings of the 14th IEEE/ACM International Conference on Utility and Cloud Computing
December 2021
214 pages
ISBN:9781450385640
DOI:10.1145/3468737
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • CIMPA: International Center for Pure and Applied Mathematics

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. packet filtering and routing
  2. security
  3. traffic control

Qualifiers

  • Research-article

Conference

UCC '21

Acceptance Rates

UCC '21 Paper Acceptance Rate 21 of 62 submissions, 34%;
Overall Acceptance Rate 38 of 125 submissions, 30%

Article Metrics

  • Downloads (Last 12 months)30
  • Downloads (Last 6 weeks)5
Reflects downloads up to 25 Feb 2025
