research-article

Concentrated isolation for container networks toward application-aware sandbox tailoring

Authors:

Katsuya Matsubara,

Ryosuke MatsumotoAuthors Info & Claims

UCC '21: Proceedings of the 14th IEEE/ACM International Conference on Utility and Cloud Computing

Article No.: 15, Pages 1 - 10

https://doi.org/10.1145/3468737.3494092

Published: 17 December 2021 Publication History

Abstract

Containers provide a lightweight and fine-grained isolation for computational resources such as CPUs, memory, storage, and networks, but their weak isolation raises security concerns. As a result, research and development efforts have focused on redesigning truly sandboxed containers with system call intercept and hardware virtualization techniques such as gVisor and Kata Containers. However, such fully integrated sandboxing could overwhelm the lightweight and scalable nature of the containers. In this work, we propose a partially fortified sandboxing mechanism that concentratedly fortifies the network isolation, focusing on the fact that containerized clouds and the applications running on them require different isolation levels in accordance with their unique characteristics. We describe how to efficiently implement the mechanism to fortify network isolation for containers with a para-passthrough hypervisor and report evaluation results with benchmarks and real applications. Our findings demonstrate that this fortified network isolation has good potential to tailor sandboxes for containerized PaaS/FaaS clouds.

References

[1]

[n. d.]. haconiwa/haconiwa: MRuby on Container / A Linux container runtime using mruby DSL for configuration, control and hooks. https://github.com/haconiwa/haconiwa. (Accessed on 2021/08/06).

[2]

Alexandra Agache, Marc Brooker, Alexandra Iordache, Anthony Liguori, Rolf Neugebauer, Phil Piwonka, and Diana-Maria Popa. 2020. Firecracker: Lightweight Virtualization for Serverless Applications. In 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20). USENIX Association, 419--434.

Digital Library

[3]

Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'Keeffe, Mark L. Stillwell, David Goltzsche, Dave Eyers, Rüdiger Kapitza, Peter Pietzuch, and Christof Fetzer. 2016. SCONE: Secure Linux Containers with Intel SGX. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). USENIX Association, 689--703.

Digital Library

[4]

Mohamed Azab, Bassem Mokhtar, Amr S. Abed, and Mohamed Eltoweissy. 2016. Toward Smart Moving Target Defense for Linux Container Resiliency. In 2016 IEEE 41st Conference on Local Computer Networks (LCN). 619--622.

[5]

Enrico Bacis, Simone Mutti, Steven Capelli, and Stefano Paraboschi. 2015. DockerPolicyModules: Mandatory Access Control for Docker containers. In 2015 IEEE Conference on Communications and Network Security (CNS). 749--750.

[6]

J. Chelladhurai, P. R. Chelliah, and S. A. Kumar. 2016. Securing Docker Containers from Denial of Service (DoS) Attacks. In 2016 IEEE International Conference on Services Computing (SCC). 856--859.

[7]

Cilium. [n. d.]. Cilium - Linux Native, API-Aware Networking and Security for Containers. https://cilium.io/ (Accessed on 2021/05/08).

[8]

CoreOS. 2021. flannel-io/flannel: flannel is a network fabric for containers, designed for Kubernetes. https://github.com/flannel-io/flannel. (Accessed on 2021/05/08).

[9]

Microsoft Corporation. [n. d.]. Azure Functions Serverless Compute | Microsoft Azure. https://azure.microsoft.com/en-us/services/functions/. (Accessed on 2021/08/01).

[10]

Open Infrastructure Foundation. [n. d.]. Kata Containers - Open Source Container Runtime Software. https://katacontainers.io/ (Accessed on 2021/05/08).

[11]

Dennis Gannon, Roger Barga, and Neel Sundaresan. 2017. Cloud-Native Applications. IEEE Cloud Computing 4, 5 (2017), 16--21.

[12]

X. Gao, Z. Gu, M. Kayaalp, D. Pendarakis, and H. Wang. 2017. ContainerLeaks: Emerging Security Threats of Information Leakages in Container Clouds. In 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 237--248.

[13]

The gVisor Authors. 2021. gVisor. https://gvisor.dev/ (Accessed on 2021/05/08).

[14]

Jesse Hertz. 2016. Abusing privileged and unprivileged linux containers. (2016).

[15]

Avi Kivity, Yaniv Kamay, Dor Laor, Uri Lublin, and Anthony Liguori. 2007. KVM: the Linux Virtual Machine Monitor. In In Proceedings of the 2007 Ottawa Linux Symposium (OLS'-07).

[16]

Xin Lin, Lingguang Lei, Yuewu Wang, Jiwu Jing, Kun Sun, and Quan Zhou. 2018. A Measurement Study on Linux Container Security: Attacks and Countermeasures. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC '18). Association for Computing Machinery, New York, NY, USA, 418--429.

Digital Library

[17]

Google LLC. [n. d.]. App Engine Application Platform | Google Cloud. https://cloud.google.com/appengine. (Accessed on 2021/08/01).

[18]

Google LLC. [n. d.]. What are Containers and their benefits | Google Cloud. https://cloud.google.com/containers (Accessed on 2021/05/08).

[19]

Ryosuke Matsumoto, Uchio Kondo, and Kentaro Kuribayashi. 2019. FastContainer: A Homeostatic System Architecture High-Speed Adapting Execution Environment Changes. In 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC), Vol. 1. 270--275.

[20]

Jaehyun Nam, Seungsoo Lee, Hyunmin Seo, Phil Porras, Vinod Yegneswaran, and Seungwon Shin. 2020. BASTION: A Security Enforcement Network Stack for Container Networks. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). USENIX Association, 81--95.

Digital Library

[21]

Ben Pfaff, Justin Pettit, Teemu Koponen, Ethan Jackson, Andy Zhou, Jarno Rajahalme, Jesse Gross, Alex Wang, Joe Stringer, Pravin Shelar, Keith Amidon, and Martin Casado. 2015. The Design and Implementation of Open vSwitch. In 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15). USENIX Association, 117--130.

Digital Library

[22]

Salesforce.com, Inc. [n. d.]. Cloud Application Platform I Heroku. https://www.heroku.com/. (Accessed on 2021/08/01).

[23]

Mohammad Shahrad, Rodrigo Fonseca, Inigo Goiri, Gohar Chaudhry, Paul Batum, Jason Cooke, Eduardo Laureano, Colby Tresness, Mark Russinovich, and Ricardo Bianchini. 2020. Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud Provider. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). USENIX Association, 205--218.

Digital Library

[24]

Zhiming Shen, Zhen Sun, Gur-Eyal Sela, Eugene Bagdasaryan, Christina Delimitrou, Robbert Van Renesse, and Hakim Weatherspoon. 2019. X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native Containers. In Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS '19). Association for Computing Machinery, 121--135.

Digital Library

[25]

Simon Shillaker and Peter Pietzuch. 2020. Faasm: Lightweight Isolation for Efficient Stateful Serverless Computing. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). USENIX Association, 419--433.

Digital Library

[26]

Takahiro Shinagawa, Hideki Eiraku, Kouichi Tanimoto, Kazumasa Omote, Shoichi Hasegawa, Takashi Horie, Manabu Hirano, Kenichi Kourai, Yoshihiro Oyama, Eiji Kawai, Kenji Kono, Shigeru Chiba, Yasushi Shinjo, and Kazuhiko Kato. 2009. BitVisor: A Thin Hypervisor for Enforcing i/o Device Security. In Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE '09). Association for Computing Machinery, 121--130.

Digital Library

[27]

Vindeep Singh and Sateesh K Peddoju. 2017. Container-based microservice architecture for cloud applications. In 2017 International Conference on Computing, Communication and Automation (ICCCA). 847--852.

[28]

Sari Sultan, Imtiaz Ahmad, and Tassos Dimitriou. 2019. Container Security: Issues, Challenges, and the Road Ahead. IEEE Access 7 (2019), 52976--52996.

[29]

Tigera, Inc. 2021. Project Calico - Secure Networking for the Cloud Native Era. https://www.projectcalico.org/. (Accessed on 2021/05/08).

[30]

Aparna Tomar, Diksha Jeena, Preeti Mishra, and Rahul Bisht. 2020. Docker Security: A Threat Model, Attack Taxonomy and Real-Time Attack Scenario of DoS. In 2020 10th International Conference on Cloud Computing, Data Science Engineering (Confluence). 150--155.

[31]

R. Uhlig, G. Neiger, D. Rodgers, A.L. Santoni, F.C.M. Martins, A.V. Anderson, S.M. Bennett, A. Kagi, F.H. Leung, and L. Smith. 2005. Intel virtualization technology. Computer 38, 5 (2005), 48--56.

Digital Library

[32]

Ashton Webster, Ryan Eckenrod, and James Purtilo. 2018. Fast and Service-preserving Recovery from Malware Infections Using CRIU. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, 1199--1211.

Digital Library

[33]

Xu Wang, Fupan Li. 2018. Kata Containers and gVisor: a Quantitative Comparison. https://www.openstack.org/videos/summits/berlin-2018/kata-containers-and-gvisor-a-quantitative-comparison (Accessed on 2021/05/11).

[34]

Ethan G. Young, Pengfei Zhu, Tyler Caraza-Harter, Andrea C. Arpaci-Dusseau, and Remzi H. Arpaci-Dusseau. 2019. The True Cost of Containing: A gVisor Case Study. In 11th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 19). USENIX Association.

Digital Library

[35]

Dongjin Yu, Yike Jin, Yuqun Zhang, and Xi Zheng. 2019. A survey on security issues in services communication of Microservices-enabled fog applications. Concurrency and Computation: Practice and Experience 31, 22 (2019), e4436.

[36]

Tianyi Yu, Qingyuan Liu, Dong Du, Yubin Xia, Binyu Zang, Ziqian Lu, Pingchao Yang, Chenggang Qin, and Haibo Chen. 2020. Characterizing Serverless Platforms with Serverlessbench. In Proceedings of the 11th ACM Symposium on Cloud Computing (SoCC '20). Association for Computing Machinery, 30--44.

Digital Library

Cited By

Thyagaturu AShantharama PNasrallah AReisslein M(2022)Operating Systems and Hypervisors for Network Functions: A Survey of Enabling Technologies and Research StudiesIEEE Access10.1109/ACCESS.2022.319491310(79825-79873)Online publication date: 2022
https://doi.org/10.1109/ACCESS.2022.3194913

Index Terms

Concentrated isolation for container networks toward application-aware sandbox tailoring
1. Computer systems organization
  1. Architectures
    1. Distributed architectures
      1. Cloud computing
2. Security and privacy
  1. Systems security
    1. Operating systems security
      1. Virtualization and security

Recommendations

Analysis of Container Based vs. Jailed Sandbox Autograding Systems: (Abstract Only)
SIGCSE '18: Proceedings of the 49th ACM Technical Symposium on Computer Science Education

Traditionally, automated testing and grading of student programming assignments has been done in either a jailed sandbox environment or within a virtual machine (VM). For a VM, each submission is given its own instantiation of a guest operating system (...
The secure software container pattern
PLoP '17: Proceedings of the 24th Conference on Pattern Languages of Programs

Software containers have gained large popularity as portable lightweight virtualization components. They have enabled development approaches like DevOps by facilitating application deployment and distribution across computing environments. Containers ...
CNTC: A Container Aware Network Traffic Control Framework
Green, Pervasive, and Cloud Computing
Abstract
As a lightweight virtualization technology, containers are attracting much attention and widely deployed in the cloud data centers. To provide consistent and reliable performance, cloud providers should ensure resource isolation since each host ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

UCC '21: Proceedings of the 14th IEEE/ACM International Conference on Utility and Cloud Computing

December 2021

214 pages

ISBN:9781450385640

DOI:10.1145/3468737

Conference Chairs:
Ivona Brandic
Vienna University of Technology, Austria
,
Rizos Sakellariou
University of Manchester, UK
,
Josef Spillner
Zurich University of Applied Sciences, Switzerland

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGARCH: ACM Special Interest Group on Computer Architecture

In-Cooperation

CIMPA: International Center for Pure and Applied Mathematics

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 December 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

UCC '21

Sponsor:

SIGARCH

UCC '21: 2021 IEEE/ACM 14th International Conference on Utility and Cloud Computing

December 6 - 9, 2021

Leicester, United Kingdom

Acceptance Rates

UCC '21 Paper Acceptance Rate 21 of 62 submissions, 34%;

Overall Acceptance Rate 38 of 125 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
216
Total Downloads

Downloads (Last 12 months)30
Downloads (Last 6 weeks)5

Reflects downloads up to 25 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Thyagaturu AShantharama PNasrallah AReisslein M(2022)Operating Systems and Hypervisors for Network Functions: A Survey of Enabling Technologies and Research StudiesIEEE Access10.1109/ACCESS.2022.319491310(79825-79873)Online publication date: 2022
https://doi.org/10.1109/ACCESS.2022.3194913

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten