• Title/Summary/Keyword: Docker container


Analysis of the Impact of Host Resource Exhaustion Attacks in a Container Environment (컨테이너 환경에서의 호스트 자원 고갈 공격 영향 분석)

  • Jun-hee Lee;Jae-hyun Nam;Jin-woo Kim
    • Journal of the Korea Institute of Information Security & Cryptology / v.33 no.1 / pp.87-97 / 2023
  • Containers are an emerging virtualization technology that can build an isolated environment that is more lightweight and faster than existing virtual machines. For that reason, many organizations have recently adopted them for their services. Yet, the container architecture has also exposed many security problems since all containers share the same OS kernel. In this work, we focus on the fact that an attacker can abuse host resources to make them unavailable to benign containers, also known as host resource exhaustion attacks. Then, we analyze the impact of host resource exhaustion attacks through real attack scenarios exhausting critical host resources, such as CPU, memory, disk space, process IDs, and sockets in Docker, the most popular container platform. We propose five attack scenarios performed in several different host environments and container images. The result shows that three of them put other containers in denial of service.

Container Orchestration Comparison and Analysis (컨테이너 오케스트레이션 비교 및 분석)

  • Ji-hun Oh
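    • Proceedings of the Korean Society of Computer Information Conference / 2023.07a / pp.595-596 / 2023
  • In this paper, we analyze container orchestration platforms. Following the review of the public cloud transition roadmap, the importance of containers, microservices, and container orchestration as technologies for cloud-native transition is being emphasized. We compare the representative container orchestration tools Kubernetes, Docker Swarm, and Mesos, analyzing their ease of initial installation, volume management, application deployment, and failure management. By identifying the strengths and weaknesses of each tool and the considerations that depend on the deployment situation, we aim to help establish a cloud-native transition roadmap.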

Performance Analysis to Evaluate the Suitability of MicroVM with AI Applications for Edge Computing

  • Yunha Choi;Byungchul Tak
    • Journal of the Korea Society of Computer and Information / v.29 no.3 / pp.107-116 / 2024
  • In this paper, we analyze the performance of MicroVM when running AI applications in an edge computing environment and whether it can replace current container technology and traditional virtual machines. To achieve this, we set up Docker container, Firecracker MicroVM and KVM virtual machine environments on a Raspberry Pi 4 and executed representative AI applications in each environment. We analyze the inference time, total CPU usage and trends over time, and file I/O performance in each environment. The results show that there is no significant performance difference between MicroVM and container when running AI applications. Moreover, on average, a stable inference time over multiple trials was observed on MicroVM. Therefore, we can confirm that executing AI applications using MicroVM instead of a container or heavy-weight virtual machine is suitable for edge computing.

A scheme of Docker-based Version Control for Open Source Project (오픈 소스 프로젝트를 위한 도커 기반 버전 관리 기법)

  • Lee, Yong-Jeon;Rim, Seong-Rak
    • Journal of the Korea Academia-Industrial cooperation Society / v.17 no.2 / pp.8-14 / 2016
  • When Open Source Projects are processed by multiple developers, a Version Control System, which controls the different versions of the same file being used, is a very useful tool. On the other hand, because most conventional VCSs (SVN, Git, etc.) mainly control the history of modifications to source code or documents, there is an inconvenience in that each developer must modify their development environment whenever the development environment is modified. To overcome this inconvenience, this paper suggests a scheme of VC for OSP. The basic concept of the suggested scheme is that an image, including the development environment and controls, is created as a new version using Docker, a container-based virtualization tool. To review the functional appropriateness of the suggested scheme, after establishing Docker on hosts that use different OSs (Ubuntu12.0.4, CentOS7), this study tested a VC that could control the different versions, including the history of modifications of the development environment, and evaluated it by comparison with conventional VCSs. The results show that the suggested scheme is a convenient scheme of VC for the OSP.

On-box Container-based Switch Configuration Automation Technology to Minimize Network Interruption (네트워크 중단 최소화를 위한 On-Box 컨테이너 기반 스위치 설정 자동화 기술)

  • Gyoung-Hwan Yoo;Taehong Kim
    • IEMEK Journal of Embedded Systems and Applications / v.19 no.3 / pp.141-149 / 2024
  • This paper proposes a configuration automation technique to minimize service interruption time in the event of a corporate network access layer switch failure. The automation is achieved without the need for a separate external system, as the network setting information is stored in a container inside the switch, enabling rapid recovery without requiring separate storage. This approach ensures the continuity of network services and demonstrates the efficiency of configuration automation. The proposed technique improves corporate network stability by providing a quick response in the event of a failure.

Security Assessment Technique of a Container Runtime Using System Call Weights

  • Yang, Jihyeok;Tak, Byungchul
    • Journal of the Korea Society of Computer and Information / v.25 no.9 / pp.21-29 / 2020
  • In this paper, we propose a quantitative evaluation method that enables security comparison between Security Container Runtimes. Security container runtime technologies have been developed to address security issues such as container escape caused by containers sharing the host kernel. However, most literature provides only an analysis of the security of container technologies using rough metrics such as the number of available system calls, making it difficult to compare the security of container runtimes quantitatively. The proposed model instead uses a new method of combining the degree of exposure of host system calls with various external vulnerability metrics. With the proposed technique, we measure and compare the security of runC (the Docker default runtime) and two representative Security Container Runtimes, gVisor and Kata container.

FAST Design for Large-Scale Satellite Image Processing (대용량 위성영상 처리를 위한 FAST 시스템 설계)

  • Lee, Youngrim;Park, Wanyong;Park, Hyunchun;Shin, Daesik
    • Journal of the Korea Institute of Military Science and Technology / v.25 no.4 / pp.372-380 / 2022
  • This study proposes a distributed parallel processing system, called the Fast Analysis System for remote sensing daTa (FAST), for large-scale satellite image processing and analysis. FAST is a system that designs jobs in vertices and sequences, and distributes and processes them simultaneously. FAST manages data based on the Hadoop Distributed File System, controls entire jobs based on Apache Spark, and performs tasks in parallel in multiple slave nodes based on a Docker container design. FAST enables the high-performance processing of progressively accumulated large-volume satellite images. Because the unit task is performed based on Docker, it is possible to reuse existing source codes for designing and implementing unit tasks. Additionally, the system is robust against software/hardware faults. To prove the capability of the proposed system, we performed an experiment to generate the original satellite images as ortho-images, which is a pre-processing step for all image analyses. In the experiment, when FAST was configured with eight slave nodes, it was found that the processing of a satellite image took less than 30 sec. Through these results, we proved the suitability and practical applicability of the FAST design.

Development of Big-data Management Platform Considering Docker Based Real Time Data Connecting and Processing Environments (도커 기반의 실시간 데이터 연계 및 처리 환경을 고려한 빅데이터 관리 플랫폼 개발)

  • Kim, Dong Gil;Park, Yong-Soon;Chung, Tae-Yun
    • IEMEK Journal of Embedded Systems and Applications / v.16 no.4 / pp.153-161 / 2021
  • Real-time access is required to handle continuous and unstructured data, and it should be flexible to manage under dynamic conditions. A platform can be built to allow data collection, storage, and processing from a local server or multiple servers. Although the former, centralized method is easy to control, it creates an overload problem because it performs all the processing in one unit; the latter, distributed method performs parallel processing, so it is fast to respond and can easily scale system capacity, but its design is complex. This paper provides data collection and processing on one platform, in the latter manner, to derive significant insights from various data held by an enterprise or agency; the results are intuitively available on dashboards, and Spark is used to improve distributed processing performance. All services use Docker for distribution and management. The data used in this study was 100% collected from Kafka, showing that when the file size is 4.4 gigabytes, the data processing speed in Spark cluster mode is 2 minutes 15 seconds, about 3 minutes 19 seconds faster than the local mode.

Performance Analysis of Docker Container Migration Using Secure Copy in Mobile Edge Computing (모바일 엣지 컴퓨팅 환경에서 안전 복사를 활용한 도커 컨테이너 마이그레이션 성능 분석)

  • Byeon, Wonjun;Lim, Han-wool;Yun, Joobeom
    • Journal of the Korea Institute of Information Security & Cryptology / v.31 no.5 / pp.901-909 / 2021
  • Since mobile devices have limited computational resources, they tend to use the cloud to compute or store data. As real-time operation becomes more important due to 5G, many studies have been conducted on edge clouds that compute at locations closer to users than central clouds. The farther the user is physically from the edge cloud connected to the base station, the slower the network transmits, so applications should be migrated to and re-run on a nearby edge cloud for smooth service use. We run applications in Docker containers, which are independent of the host operating system and have a relatively light image size compared to virtual machines. Existing migration studies have been conducted using network simulators, which use fixed values, so their results differ from those in a real-world environment. In addition, they migrated images through shared storage, which poses a risk of packet content exposure. In this paper, containers are migrated with the Secure CoPy (SCP) method, an encrypted data transmission, in an edge computing environment established in the real world. We compare migration time with Network File System, one of the shared storage methods, and analyze network packets to verify safety.

Para-virtualized Multi-OS Management Technology for Stable Operation of Smart Navigational Aid Integrated Platform (스마트 항로표지 통합 플랫폼의 안정 운영을 위한 반가상화 다중 OS 관리 기술)

  • In-Pyo Cho;Jae-Kyu Lee;Sang-Yub Lee;Ki-Won Kwon
    • Proceedings of the Korean Institute of Navigation and Port Research Conference / 2021.11a / pp.23-24 / 2021
  • Among the failure cases of the existing navigation aids, the SW and operating system errors of the RTU, the embedded computer for navigation aids, account for about 10%. The causes of SW errors have an infinite number of cases, and it is impossible to correct them all. In this paper, we proposed a paravirtualized multi-OS Docker container utilization technique as a stable operation technique for smart navigational aids, which have recently increased the amount of computation and complexity of SW services that need to be managed. It is proposed to divide containers according to service type, expected load, and error frequency and load the service.
