• Journal of Digital Contents Society
• /
• v.19 no.3
• /
• pp.453-460
• /
• 2018

Virtualization technology is characterized by the ability to isolate the user's system environment and to support the computing resources flexibly and extensively on demand. However, virtualization technology of cloud computing, which is already well known, must overload the guest OS and the hypervisor to manage it. Container technology is emerging to solve such OS-based virtualization problems. This technology can isolate the processes under which the application is running, thus creating a virtualization-like environment with minimal overhead. In this work, we construct a container-based education practice system using Docker instead of the existing cloud-based environment. To do this, we analyze the requirements for the establishment of the training practice environment. We also analyze the functions of the container and study the method to meet the requirements. This can take advantage of the existing flexible and scalable cloud computing. Also, it maximizes the availability of limited resources by minimizing the performance load.

• Convergence Security Journal
• /
• v.23 no.4
• /
• pp.23-32
• /
• 2023

Container-based virtualization has attracted many attentions as an alternative to virtual machine technology because it can be used more lightly by sharing the host operating system instead of individual guest operating systems. However, this advantage may owe some vulnerabilities. In particular, excessive resource use of some containers can affect other containers, which is known as the noisy neighbor problem, so that the important property of isolation may not be guaranteed. The noisy neighbor problem can threat the availability of containers, so we need to consider the noisy neighbor problem as a security problem. In this paper, we investigate vulnerabilities on guarantee of isolation incurred by the noisy neighbor problem in container-based virtualization. For this we first analyze the structure of container-based virtualization environments. Then we present vulnerabilities in 3 functional layers and general directions for solutions with limitations.

• The Journal of Korean Institute of Next Generation Computing
• /
• v.13 no.3
• /
• pp.26-33
• /
• 2017

Recently container technologies have been receiving attention for efficient use of the cloud platform. Container virtualization technology has the advantage of a highly portable, high density when compared with the existing hypervisor. Container virtualization technology, however, uses a virtualization technology at the operating system level, which is shared by a single kernel to run multiple instances. For this reason, the feature of container is that the attacker can obtain the root privilege of the host operating system internal the container. Due to the characteristics of the container, the attacker can attack the root privilege of the host operating system in the container utilizing the vulnerability of the kernel. In this paper, we propose a framework for efficiently detecting and responding to root privilege attacks of a host operating system in a container. This framework uses a memory trap technique to detect changes in a specific memory area of a container and to suspend the operation of the container when it is detected.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2017.10a
• /
• pp.330-334
• /
• 2017

Container-based virtualization reduces performance overhead compared with other virtualization technologies and guarantees an isolation of each virtual execution environment. So, it is being studied to block access to host resources or container resources for sandboxing in restricted system resource like embedded devices. However, because security threats which are caused by security vulnerabilities of the host OS or the security issues of the host environment exist, the needs of the technology to prevent an illegal accesses and unauthorized behaviors by malware has to be increased. In this paper, we define additional access permissions to access a virtual execution environment newly and control them in kernel space to protect attacks from illegal access and unauthorized behaviors by malware and suggest the Container Access Control to control them. Also, we suggest a way to block a loading of unauthenticated kernel driver to disable the Container Access Control running in host OS by malware. We implement and verify proposed technologies on Linux Kernel.

• Journal of Information Processing Systems
• /
• v.14 no.6
• /
• pp.1398-1404
• /
• 2018

High-performance computing (HPC) provides to researchers a powerful ability to resolve problems with intensive computations, such as those in the math and medical fields. When an HPC platform is provided as a service, users may suffer from unexpected obstacles in developing and running applications due to restricted development environments and dependencies. In this context, operating system level virtualization can be a solution for HPC service to ensure lightweight virtualization and consistency in Dev-Ops environments. Therefore, this paper proposes three types of typical HPC structure for container environments built with HPC container and Docker. The three structures focus on smooth integration with existing HPC job framework, message passing interface (MPI). Lastly, the performance of the structures is analyzed with High Performance Linpack benchmark from the aspect of performance degradation in network communications under Docker.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.24 no.6
• /
• pp.1225-1241
• /
• 2014

Recently, Financial companies implement DLP(Data Leaks Prevention) security products and enforce internal controls to prevent customer information leaks. Accidental data leaks in financial business increase more and more because internal controls are insufficient. Security officials and IT operation staffs struggle to plan countermeasures to respond to all kinds of accidental data leaks. It is difficult to prevent data leaks and to control information flow in business without research applications that handle business and privacy information. Therefore this paper describes business and privacy information flow on applications and how to plan and deploy security container based OS-level and Hypervisor virtualization technology to enforce internal controls for applications. After building security container, it was verified to implement internal controls and to prevent customer information leaks. With security policies additional security functions was implemented in security container and With recycling security container costs and time of response to security vulnerabilities was reduced.

• Convergence Security Journal
• /
• v.23 no.5
• /
• pp.21-27
• /
• 2023

In the cloud computing environment, servers and applications can be set up within minutes, and recovery in case of fail ures has also become easier. Particularly, using virtual servers in the cloud is not only convenient but also cost-effective compared to the traditional approach of setting up physical servers just for temporary services. However, most of the und erlying networks and security systems that serve as the foundation for such servers and applications are primarily hardwa re-based, posing challenges when it comes to implementing cloud virtualization. Even within the cloud, there is a growing need for virtualization-based security and protection measures for elements like networks and security infrastructure. This paper discusses research on enhancing the security of cloud networks using network virtualization technology. I configured a secure network by leveraging virtualization technology, creating virtual servers and networks to provide various security benefits. Link virtualization and router virtualization were implemented to enhance security, utilizing the capabilities of virt ualization technology. The application of virtual firewall functionality to the configured network allowed for the isolation of the network. It is expected that based on these results, there will be a contribution towards overcoming security vulnerabil ities in the virtualized environment and proposing a management strategy for establishing a secure network.

• International journal of advanced smart convergence
• /
• v.12 no.4
• /
• pp.126-133
• /
• 2023

Recent advancements in cloud service virtualization technologies have witnessed a shift from a Virtual Machine-centric approach to a container-centric paradigm, offering advantages such as faster deployment and enhanced portability. Container orchestration has emerged as a key technology for efficient management and scheduling of these containers. However, with the increasing complexity and diversity of heterogeneous workloads and service types, resource scheduling has become a challenging task. Various research endeavors are underway to address the challenges posed by diverse workloads and services. Yet, a systematic approach to container orchestration for effective cloud management has not been clearly defined. This paper proposes the DRA-Engine (Dynamic Resource Allocation Engine) for resource scheduling in container orchestration. The proposed engine comprises the Request Load Procedure, Required Resource Measurement Procedure, and Resource Provision Decision Procedure. Through these components, the DRA-Engine dynamically allocates resources according to the application's requirements, presenting a solution to the challenges of resource scheduling in container orchestration.

• International Journal of Internet, Broadcasting and Communication
• /
• v.13 no.1
• /
• pp.180-186
• /
• 2021

In cloud computing service it is important to share the system resource among multiple instances according to user requirements. In particular, the issue of efficiently distributing I/O resources across multiple instances is paid attention due to the rise of emerging data-centric technologies such as big data and deep learning. However, it is difficult to evaluate the I/O resource distribution of a Linux container, which is one of the core technologies of cloud computing, since conventional I/O benchmarks does not support features related to container management. In this paper, we propose a new I/O performance benchmarking framework that can easily evaluate the resource distribution of Linux containers using existing I/O benchmarks by supporting container-related features and integrated user interface. According to the performance evaluation result with trace-replay benchmark, the proposed benchmark framework has induced negligible performance overhead while providing convenience in evaluating the I/O performance of multiple Linux containers.

• KIISE Transactions on Computing Practices
• /
• v.21 no.9
• /
• pp.587-595
• /
• 2015

Several fields of science have traditionally demanded large-scale workflow support, which requires thousands of central processing unit (CPU) cores. In order to support such large-scale scientific workflows, large-capacity cluster systems such as supercomputers are widely used. However, as users require a diversity of software packages and configurations, a system administrator has some trouble in making a service environment in real time. In this paper, we present a container-based cluster management platform and introduce an implementation case to minimize performance reduction and dynamically provide a distributed computing environment desired by users. This paper offers the following contributions. First, a container-based virtualization technology is assimilated with a resource and job management system to expand applicability to support large-scale scientific workflows. Second, an implementation case in which docker and HTCondor are interlocked is introduced. Lastly, docker and native performance comparison results using two widely known benchmark tools and Monte-Carlo simulation implemented using various programming languages are presented.