http://dx.doi.org/10.9708/jksci.2020.25.09.021

Security Assessment Technique of a Container Runtime Using System Call Weights  

Yang, Jihyeok (School of Computer Science and Engineering, Kyungpook National University)
Tak, Byungchul (Dept. of Computer Science and Engineering, Kyungpook National University)
Abstract
In this paper, we propose a quantitative evaluation method that enables security comparison between security container runtimes. Security container runtime technologies have been developed to address security issues such as container escape caused by containers sharing the host kernel. However, most literature provides only an analysis of the security of container technologies using rough metrics such as the number of available system calls, making it difficult to compare the secureness of container runtimes quantitatively. The proposed model instead uses a new method of combining the degree of exposure of host system calls with various external vulnerability metrics. With the proposed technique, we measure and compare the security of runC (the Docker default runtime) and two representative security container runtimes, gVisor and Kata Containers.
Keywords
Container Security; Container Runtime; Vulnerability; System call; Exploit;