• Title/Summary/Keyword: Container-based virtualization

Building Education Practice Environment through Container-based Virtualization (컨테이너 기반 가상화를 통한 교육 실습환경 구축)

  • Yoon, JunWeon;Song, Ui-Sung
    • Journal of Digital Contents Society / v.19 no.3 / pp.453-460 / 2018
  • Virtualization technology is characterized by the ability to isolate the user's system environment and to support the computing resources flexibly and extensively on demand. However, virtualization technology of cloud computing, which is already well known, must overload the guest OS and the hypervisor to manage it. Container technology is emerging to solve such OS-based virtualization problems. This technology can isolate the processes under which the application is running, thus creating a virtualization-like environment with minimal overhead. In this work, we construct a container-based education practice system using Docker instead of the existing cloud-based environment. To do this, we analyze the requirements for the establishment of the training practice environment. We also analyze the functions of the container and study the method to meet the requirements. This can take advantage of the existing flexible and scalable cloud computing. Also, it maximizes the availability of limited resources by minimizing the performance load.

A Study on Vulnerability for Isolation Guarantee in Container-based Virtualization (컨테이너 기반 가상화에서 격리성 보장을 위한 취약성 고찰)

  • Dayun Yum;Dongcheon Shin
    • Convergence Security Journal / v.23 no.4 / pp.23-32 / 2023
  • Container-based virtualization has attracted much attention as an alternative to virtual machine technology because it can be used more lightly by sharing the host operating system instead of individual guest operating systems. However, this advantage may owe some vulnerabilities. In particular, excessive resource use of some containers can affect other containers, which is known as the noisy neighbor problem, so that the important property of isolation may not be guaranteed. The noisy neighbor problem can threaten the availability of containers, so we need to consider the noisy neighbor problem as a security problem. In this paper, we investigate vulnerabilities in the guarantee of isolation incurred by the noisy neighbor problem in container-based virtualization. For this, we first analyze the structure of container-based virtualization environments. Then we present vulnerabilities in 3 functional layers and general directions for solutions with limitations.

Access Control using Secured Container-based Virtualization (보안 컨테이너 가상화 기반 접근 제어)

  • Jeong, Dong-hwa;Lee, Sunggyu;Shin, Youngsang;Park, Hyuncheol
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2017.10a / pp.330-334 / 2017
  • Container-based virtualization reduces performance overhead compared with other virtualization technologies and guarantees the isolation of each virtual execution environment. So, it is being studied to block access to host resources or container resources for sandboxing in restricted system resources like embedded devices. However, because security threats which are caused by security vulnerabilities of the host OS or the security issues of the host environment exist, the need for technology to prevent illegal accesses and unauthorized behaviors by malware has increased. In this paper, we newly define additional access permissions to access a virtual execution environment and control them in kernel space to protect against attacks from illegal access and unauthorized behaviors by malware, and suggest the Container Access Control to control them. Also, we suggest a way to block the loading of an unauthenticated kernel driver by malware to disable the Container Access Control running in the host OS. We implement and verify the proposed technologies on the Linux Kernel.


Container Vulnerability Intruder Detection Framework based on Memory Trap Technique (메모리 트랩기법을 활용한 컨테이너 취약점 침입 탐지 프레임워크)

  • Choi, Sang-Hoon;Jeon, Woo-Jin;Park, Ki-Woong
    • The Journal of Korean Institute of Next Generation Computing / v.13 no.3 / pp.26-33 / 2017
  • Recently, container technologies have been receiving attention for efficient use of the cloud platform. Container virtualization technology has the advantages of high portability and high density when compared with the existing hypervisor. Container virtualization technology, however, uses a virtualization technology at the operating system level, which is shared by a single kernel to run multiple instances. For this reason, the feature of the container is that the attacker can obtain the root privilege of the host operating system from inside the container. Due to the characteristics of the container, the attacker can attack the root privilege of the host operating system in the container utilizing the vulnerability of the kernel. In this paper, we propose a framework for efficiently detecting and responding to root privilege attacks of a host operating system in a container. This framework uses a memory trap technique to detect changes in a specific memory area of a container and to suspend the operation of the container when it is detected.

Proposal of Container-Based HPC Structures and Performance Analysis

  • Yong, Chanho;Lee, Ga-Won;Huh, Eui-Nam
    • Journal of Information Processing Systems / v.14 no.6 / pp.1398-1404 / 2018
  • High-performance computing (HPC) provides to researchers a powerful ability to resolve problems with intensive computations, such as those in the math and medical fields. When an HPC platform is provided as a service, users may suffer from unexpected obstacles in developing and running applications due to restricted development environments and dependencies. In this context, operating system level virtualization can be a solution for HPC service to ensure lightweight virtualization and consistency in Dev-Ops environments. Therefore, this paper proposes three types of typical HPC structure for container environments built with HPC container and Docker. The three structures focus on smooth integration with existing HPC job framework, message passing interface (MPI). Lastly, the performance of the structures is analyzed with High Performance Linpack benchmark from the aspect of performance degradation in network communications under Docker.

A study on Cloud Security based on Network Virtualization (네트워크 가상화 기반 클라우드 보안 구성에 관한 연구)

  • Sang-Beom Hong;Sung-Cheol Kim;Mi-Hwa Lee
    • Convergence Security Journal / v.23 no.5 / pp.21-27 / 2023
  • In the cloud computing environment, servers and applications can be set up within minutes, and recovery in case of failures has also become easier. Particularly, using virtual servers in the cloud is not only convenient but also cost-effective compared to the traditional approach of setting up physical servers just for temporary services. However, most of the underlying networks and security systems that serve as the foundation for such servers and applications are primarily hardware-based, posing challenges when it comes to implementing cloud virtualization. Even within the cloud, there is a growing need for virtualization-based security and protection measures for elements like networks and security infrastructure. This paper discusses research on enhancing the security of cloud networks using network virtualization technology. I configured a secure network by leveraging virtualization technology, creating virtual servers and networks to provide various security benefits. Link virtualization and router virtualization were implemented to enhance security, utilizing the capabilities of virtualization technology. The application of virtual firewall functionality to the configured network allowed for the isolation of the network. It is expected that based on these results, there will be a contribution towards overcoming security vulnerabilities in the virtualized environment and proposing a management strategy for establishing a secure network.

A Study on Security Container to Prevent Data Leaks (정보 유출 방지를 위한 보안 컨테이너의 효과성 연구)

  • Lee, Jong-Shik;Lee, Kyeong-Ho
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.6 / pp.1225-1241 / 2014
  • Recently, financial companies implement DLP (Data Leaks Prevention) security products and enforce internal controls to prevent customer information leaks. Accidental data leaks in financial business increase more and more because internal controls are insufficient. Security officials and IT operation staff struggle to plan countermeasures to respond to all kinds of accidental data leaks. It is difficult to prevent data leaks and to control information flow in business without research applications that handle business and privacy information. Therefore, this paper describes business and privacy information flow on applications and how to plan and deploy security container based OS-level and Hypervisor virtualization technology to enforce internal controls for applications. After building the security container, it was verified to implement internal controls and to prevent customer information leaks. With security policies, additional security functions were implemented in the security container, and with recycling of the security container, costs and time of response to security vulnerabilities were reduced.

Container-based Cluster Management System for User-driven Distributed Computing (사용자 맞춤형 분산 컴퓨팅을 위한 컨테이너 기반 클러스터 관리 시스템)

  • Park, Ju-Won;Hahm, Jaegyoon
    • KIISE Transactions on Computing Practices / v.21 no.9 / pp.587-595 / 2015
  • Several fields of science have traditionally demanded large-scale workflow support, which requires thousands of central processing unit (CPU) cores. In order to support such large-scale scientific workflows, large-capacity cluster systems such as supercomputers are widely used. However, as users require a diversity of software packages and configurations, a system administrator has some trouble in making a service environment in real time. In this paper, we present a container-based cluster management platform and introduce an implementation case to minimize performance reduction and dynamically provide a distributed computing environment desired by users. This paper offers the following contributions. First, a container-based virtualization technology is assimilated with a resource and job management system to expand applicability to support large-scale scientific workflows. Second, an implementation case in which docker and HTCondor are interlocked is introduced. Lastly, docker and native performance comparison results using two widely known benchmark tools and Monte-Carlo simulation implemented using various programming languages are presented.

Method of Digital Forensic Investigation of Docker-Based Host (도커 기반 호스트에 대한 디지털 포렌식 조사 기법)

  • Kim, Hyeon Seung;Lee, Sang Jin
    • KIPS Transactions on Computer and Communication Systems / v.6 no.2 / pp.75-86 / 2017
  • Docker, which is one of the various virtualization technologies in server systems, is getting popular as it provides a more lightweight environment for service operation than existing virtualization technology. It supports an easy way of establishment, update, and migration of server environments with the help of the image and container concepts. As the adoption of docker technology increases, the attack motive for the server for the distribution of docker images and the incident cases of attacking docker-based hosts would also increase. Therefore, the method and procedure of digital forensic investigation of a docker-based host, including the way to extract the filesystem of containers when the docker daemon is inactive, are presented in this paper.

A Study for Applying for the Server Virtualization Technology based on Application Characteristics (애플리케이션 특성을 반영한 서버 가상화 기술 적용방안)

  • Kim, Hyeon-Jeong;Lee, Sang-Gil;Lee, Cheol-Hoon
    • Proceedings of the Korean Society of Computer Information Conference / 2021.01a / pp.1-3 / 2021
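  • Server virtualization technology is evolving from the early hypervisor approach to container technology, which can increase business agility. However, because container technology shares the operating system and involves frequent builds and deployments, concerns have been raised about its security and stability. Accordingly, this paper compares and analyzes the hypervisor and container technologies used for server virtualization and analyzes application characteristics. Hypervisor technology offers high stability through hardware virtualization, but has the drawbacks of being complex, heavy, and slow. Container technology is lighter and performs better than the hypervisor, but has the drawback that security and stability problems may occur. Based on this, we propose that hypervisor technology, with its superior stability, is suitable for applications with mission-critical workloads, and that container technology, with its flexible server scaling and superior performance, is suitable for applications with variable resource usage.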
