DOI: 10.1145/3609510.3609820

Reducing Attack Surface with Container Transplantation for Lightweight Sandboxing

Published: 24 August 2023

Abstract

Containers, which evolved primarily on Linux, have become a significant trend in the cloud because of their lightweight virtualization and growing, convenient ecosystem. However, the weaker isolation of containerization also exposes attack surface on the underlying Linux kernel. Unfortunately, combining containers with other forms of virtualization for sandboxing, such as a traditional VM or interposition by an application kernel, can spoil their lightweight and scalable nature. In this study, we propose another approach to lightweight sandboxing, built on the observation that attackers have mostly assumed that containers rely on Linux. It can avert major vulnerability exploits derived from Linux by transplanting Linux containers onto the FreeBSD kernel. Furthermore, it can fortify isolation by transparently applying "Capsicum," a unique sandbox mechanism that is not standard in Linux, to the transplanted containers. This paper analyzes the vulnerabilities faced by Linux containers, identifies the technical issues in transplanting Linux containers onto FreeBSD, and designs a mechanism to transparently apply the Capsicum sandbox to Linux applications, in order to explore the feasibility of our approach.


Published In

APSys '23: Proceedings of the 14th ACM SIGOPS Asia-Pacific Workshop on Systems
August 2023
98 pages
ISBN:9798400703058
DOI:10.1145/3609510

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. capability-based security and system call emulation
  2. container security

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

APSys '23
APSys '23: 14th ACM SIGOPS Asia-Pacific Workshop on Systems
August 24 - 25, 2023
Seoul, Republic of Korea

Acceptance Rates

APSys '23 Paper Acceptance Rate 13 of 32 submissions, 41%;
Overall Acceptance Rate 169 of 430 submissions, 39%
