
A Study on Vulnerability for Isolation Guarantee in Container-based Virtualization

(Korean title) A Study on Vulnerabilities for Guaranteeing Isolation in Container-based Virtualization

  • 염다연 (Department of Convergence Security, Chung-Ang University) ;
  • 신동천 (Department of Industrial Security, Chung-Ang University)
  • Received : 2023.08.20
  • Accepted : 2023.10.19
  • Published : 2023.10.31

Abstract

Container-based virtualization has attracted much attention as an alternative to virtual machine technology because it shares the host operating system instead of running an individual guest operating system per instance, which makes it more lightweight. However, this advantage also introduces vulnerabilities. In particular, excessive resource use by some containers can affect other containers on the same host, which is known as the noisy neighbor problem, so the important property of isolation may no longer be guaranteed. Because the noisy neighbor problem can threaten the availability of containers, it needs to be treated as a security problem rather than only a performance problem. In this paper, we investigate vulnerabilities in the guarantee of isolation that are caused by the noisy neighbor problem in container-based virtualization. To do so, we first analyze the structure of container-based virtualization environments. We then present vulnerabilities in three functional layers, together with general directions for solutions and their limitations.

In cloud computing environments, container-based virtualization has attracted much attention as an alternative to virtual machine-based virtualization because it shares the host operating system instead of running a guest operating system, which makes it lightweight to use. However, the problems that arise from sharing the host operating system can increase the vulnerability of container-based virtualization. In particular, the noisy neighbor problem, in which containers that consume resources excessively can violate the isolation of other containers, threatens availability for users and therefore needs to be recognized as a security problem. This paper examines the vulnerabilities through which the noisy neighbor problem can threaten the guarantee of isolation in container-based virtualization environments. To this end, we analyze the structure of container-based virtualization, derive the vulnerabilities that can threaten the isolation guarantee at each functional layer, and present directions for solutions together with their limitations.
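The noisy neighbor problem described in the abstract is what per-container resource limits (Linux cgroups) are meant to bound: a container with no CPU, memory or pid limit can starve its neighbors on the shared host kernel. As an added example that is not part of the paper, the following Python script parses the three cgroup v2 limit files that a runtime writes for each container and flags containers whose limits are left unset or larger than the host. The file contents, container names and host sizes are constructed; on a real host the files are read from /sys/fs/cgroup/<container cgroup>/.

```python
"""Audit cgroup v2 resource limits for containers that could become noisy neighbours.

Added example, not code from the paper. It parses cpu.max, memory.max and
pids.max as the kernel formats them and reports containers that are unlimited
("max") or allowed more CPU than the host has. Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Limits:
    cpus: Optional[float]         # None means no CPU quota
    memory_bytes: Optional[int]   # None means no memory limit
    pids: Optional[int]           # None means no pid limit


def parse_cpu_max(text: str) -> Optional[float]:
    """cpu.max holds '<quota> <period>' in microseconds; quota may be 'max'.

    Returns the number of CPUs the cgroup may consume per period, or None if unlimited.
    """
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def parse_scalar_max(text: str) -> Optional[int]:
    """memory.max and pids.max hold a single integer or the word 'max'."""
    value = text.strip()
    return None if value == "max" else int(value)


def parse_limits(cpu_max: str, memory_max: str, pids_max: str) -> Limits:
    return Limits(
        cpus=parse_cpu_max(cpu_max),
        memory_bytes=parse_scalar_max(memory_max),
        pids=parse_scalar_max(pids_max),
    )


def audit(limits: Limits, host_cpus: int, host_memory_bytes: int) -> List[str]:
    """Return findings for limits that leave room for a noisy neighbour."""
    findings: List[str] = []
    if limits.cpus is None:
        findings.append("cpu: no quota (can monopolise all host CPUs)")
    elif limits.cpus > host_cpus:
        findings.append(f"cpu: quota of {limits.cpus:g} CPUs exceeds host ({host_cpus})")
    if limits.memory_bytes is None:
        findings.append("memory: no limit (can cause host-wide memory pressure)")
    elif limits.memory_bytes >= host_memory_bytes:
        findings.append("memory: limit is not below host RAM, effectively unlimited")
    if limits.pids is None:
        findings.append("pids: no limit (a fork bomb can exhaust the host pid table)")
    return findings


# Constructed sample: raw contents of {cpu.max,memory.max,pids.max} for three
# hypothetical containers on an 8-CPU, 16 GiB host.
SAMPLE_CGROUPS: Dict[str, Dict[str, str]] = {
    "web":   {"cpu.max": "200000 100000",  "memory.max": "536870912",  "pids.max": "512"},
    "batch": {"cpu.max": "max 100000",     "memory.max": "max",        "pids.max": "max"},
    "cache": {"cpu.max": "1600000 100000", "memory.max": "4294967296", "pids.max": "256"},
}


def audit_cgroups(cgroups: Dict[str, Dict[str, str]], host_cpus: int = 8,
                  host_memory_bytes: int = 16 * 1024 ** 3) -> Dict[str, List[str]]:
    """Audit every cgroup and return only those with findings."""
    report: Dict[str, List[str]] = {}
    for name, files in cgroups.items():
        limits = parse_limits(files["cpu.max"], files["memory.max"], files["pids.max"])
        findings = audit(limits, host_cpus, host_memory_bytes)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_cgroups(SAMPLE_CGROUPS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a cgroup v1 host the same limits live in differently named files (cpu.cfs_quota_us / cpu.cfs_period_us, memory.limit_in_bytes, pids.max), so the parsers above would need to be adapted. Note also that cgroup limits only bound the resources the kernel accounts per cgroup; contention in shared kernel structures and I/O paths, which the paper treats as part of the isolation problem, is not captured by this check.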


Acknowledgement

This paper was supported by the Chung-Ang University Research Scholarship Grants in 2021.
