Security Assessment Technique of a Container Runtime Using System Call Weights (컨테이너 런타임의 보안성 측정 기법)

Jihyeok Yang (양지혁); Byungchul Tak (탁병철)

doi:10.9708/jksci.2020.25.09.021

Security Assessment Technique of a Container Runtime Using System Call Weights

Journal of The Korea Society of Computer and Information
Abbr : JKSCI
2020, 25(9), pp.21-29
DOI : 10.9708/jksci.2020.25.09.021
Publisher : The Korean Society Of Computer And Information
Research Area : Engineering > Computer Science
Received : August 13, 2020
Accepted : September 3, 2020
Published : September 29, 2020

Jihyeok Yang ¹, Byungchul Tak ¹

¹경북대학교

Accredited

ABSTRACT

In this paper, we propose quantitative evaluation method that enable security comparison between Security Container Runtimes. security container runtime technologies have been developed to address security issues such as Container escape caused by containers sharing the host kernel. However, most literature provides only a analysis of the security of container technologies using rough metrics such as the number of available system calls, making it difficult to compare the secureness of container runtimes quantitatively. While the proposed model uses a new method of combining the degree of exposure of host system calls with various external vulnerability metrics. With the proposed technique, we measure and compare the security of runC (Docker default Runtime) and two representative Security Container Runtimes, gVisor, and Kata container.

KEYWORDS

Container Security, Container Runtime, Vulnerability, System call, Exploit

Citation status

* References for papers published after 2023 are currently being built.

[confproc] Z. Jian / 2017 / A Defense Method against Docker Escape Attack / Proceedings of the 2017 International Conference on Cryptography, Security and Privacy (ICCSP’17) : 142~146

[journal] Sari Sultan / 2019 / Container Security: Issues, Challenges, and the Road Ahead / IEEE Access / Institute of Electrical and Electronics Engineers (IEEE) 7 : 52976~52996

[web] / GVisor / https://gvisor.dev

[web] / Kata container / https://katacontainers.io

[web] / Nabla container / https://nabla-containers.github.io/

[confproc] Ethan G. Young / 2019 / The True Cost of Containing: A gVisor Case Study / Proceedings of the 11th USENIX Conference on Hot Topics in Cloud Computing(HotCloud’19) : 16~

[confproc] Anjali, Tyler Caraza-Harter / 2020 / Blending containers and virtual machines: a study of firecracker and gVisor / Proceedings of the 16th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE’20) : 101~113

[web] / Measuring the Horizontal Attack Profile of Nabla Containers / https://blog.hansenpartnership.com/measuring-the-horizontal-attack-profile-of-nabla-containers/

[web] / CVE / https://cve.mitre.org/

[confproc] D. Williams / 2018 / Unikernels As Processes / Proceedings of the ACM Symposium on Cloud Computing, SoCC ’18 : 199~211

[confproc] A. Kurmus / 2013 / Attack Surface Metrics and Automated Compile-Time OS Kernel Tailoring / Proceedings of the 20th Network and Distributed System Security Symposium(NDSS’13)

[confproc] Y. Li / 2017 / Lock-in-Pop:Securing Privileged Operating System Kernels by Keeping on the Beaten Path / Proceedings of In Annual Technical Conference USENIX ATC’17 : 1~13

[confproc] D. Williams / 2018 / Say goodbye to virtualization for a safer cloud / Proc. of USENIX HotCloud : 20~

[confproc] A. Agache / 2020 / Firecracker: Lightweight virtualization for serverless applications / 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20) : 419~434

[web] / ExploitDB / https://www.exploit-db.com/

[web] / CVSS v2 Calculator / https://nvd.nist.gov/vulnmetrics/cvss/v2-calculator

[journal] T.J. McCabe / 1976 / A Complexity Measure / IEEE Transactions on Software Engineering / Institute of Electrical and Electronics Engineers (IEEE) SE-2(4) : 308~320

[web] / Objdump man page / https://linux.die.net/man/1/objdump

[web] / LTP Project / https://github.com/linux-test-project/ltp

[web] / Ftrace man page / https://linux.die.net/man/1/ftrace

[web] / Docker Seccomp Profile / https://docs.docker.com/engine/security/seccomp/

[web] / GVisor Seccomp Rule / https://github.com/google/gvisor/blob/master/runsc/boot/filter/config.go

[confproc] A. Randazzo / 2019 / Kata Containers: An Emerging Architecture for Enabling MEC Services in Fast and Secure Way / Proceedings of the 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS 2019) : 209~214

This paper was written with support from the National Research Foundation of Korea.

KJCKorea
Journal Central

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Security Assessment Technique of a Container Runtime Using System Call Weights

ABSTRACT

KEYWORDS

Citation status

* References for papers published after 2023 are currently being built.

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65

Security Assessment Technique of a Container Runtime Using System Call Weights

ABSTRACT

KEYWORDS

Statistics

Tools

Issue List

Citation status

KCI Citation Counts (0)

REFERENCES (23) * References for papers published after 2023 are currently being built.

Search PDF

Citation

* References for papers published after 2023 are currently being built.