Security Assessment Technique of a Container Runtime Using System Call Weights
2020, 25(9), pp.21-29
Publisher : The Korean Society Of Computer And Information
Research Area : Computer Science
-
In this paper, we propose quantitative evaluation method that enable security comparison between Security Container Runtimes. security container runtime technologies have been developed to address security issues such as Container escape caused by containers sharing the host kernel. However, most literature provides only a analysis of the security of container technologies using rough metrics such as the number of available system calls, making it difficult to compare the secureness of container runtimes quantitatively. While the proposed model uses a new method of combining the degree of exposure of host system calls with various external vulnerability metrics. With the proposed technique, we measure and compare the security of runC (Docker default Runtime) and two representative Security Container Runtimes, gVisor, and Kata container.
-
[confproc] Z. Jian / 2017 / A Defense Method against Docker Escape Attack / Proceedings of the 2017 International Conference on Cryptography, Security and Privacy (ICCSP’17) : 142~146
[journal] Sari Sultan / 2019 / Container Security: Issues, Challenges, and the Road Ahead / IEEE Access / Institute of Electrical and Electronics Engineers (IEEE) 7 : 52976~52996 / 10.1109/ACCESS.2019.2911732
[web] / GVisor / https://gvisor.dev
[web] / Kata container / https://katacontainers.io
[web] / Nabla container / https://nabla-containers.github.io/
[confproc] Ethan G. Young / 2019 / The True Cost of Containing: A gVisor Case Study / Proceedings of the 11th USENIX Conference on Hot Topics in Cloud Computing(HotCloud’19) : 16~
[confproc] Anjali, Tyler Caraza-Harter / 2020 / Blending containers and virtual machines: a study of firecracker and gVisor / Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE’20) : 101~113
[web] / Measuring the Horizontal Attack Profile of Nabla Containers / https://blog.hansenpartnership.com/measuring-the-horizontal-attack-profile-of-nabla-containers/
[web] / CVE / https://cve.mitre.org/
[confproc] D. Williams / 2018 / Unikernels As Processes / Proceedings of the ACM Symposium on Cloud Computing, SoCC ’18 : 199~211
[confproc] A. Kurmus / 2013 / Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring / Proceedings of the 20th Network and Distributed System Security Symposium(NDSS’13)
[confproc] Y. Li / 2017 / Lock-in-Pop:Securing Privileged Operating System Kernels by Keeping on the Beaten Path / Proceedings of In Annual Technical Conference USENIX ATC’17 : 1~13
[confproc] D. Williams / 2018 / Say goodbye to virtualization for a safer cloud / Proc. of USENIX HotCloud : 20~
[confproc] A. Agache / 2020 / Firecracker: Lightweight virtualization for serverless applications / 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20) : 419~434
[web] / ExploitDB / https://www.exploit-db.com/
[web] / CVSS v2 Calculator / https://nvd.nist.gov/vulnmetrics/cvss/v2-calculator
[journal] T.J. McCabe / 1976 / A Complexity Measure / IEEE Transactions on Software Engineering / Institute of Electrical and Electronics Engineers (IEEE) SE-2(4) : 308~320 / 10.1109/TSE.1976.233837
[web] / Objdump man page / https://linux.die.net/man/1/objdump
[web] / LTP Project / https://github.com/linux-test-project/ltp
[web] / Ftrace man page / https://linux.die.net/man/1/ftrace
[web] / Docker Seccomp Profile / https://docs.docker.com/engine/security/seccomp/
[web] / GVisor Seccomp Rule / https://github.com/google/gvisor/blob/master/runsc/boot/filter/config.go
[confproc] A. Randazzo / 2019 / Kata Containers: An Emerging Architecture for Enabling MEC Services in Fast and Secure Way / Proceedings of the 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS 2019) : 209~214
-
KCI Citation (0)
106 Viewed
Print this page
Download PDF