
Evaluation on the Security of Commercial Cloud Container Services

  • Conference paper
  • Information Security (ISC 2020)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12472)

Abstract

With the increasing adoption of containers in industry, cloud vendors have begun to offer cloud container services. Unfortunately, there is no concrete method for evaluating the security of cloud containers, whose security depends heavily on the security policies enforced by the cloud providers. In this paper, we first derive a metric checklist that identifies the critical factors affecting the security of cloud container services against the two most severe threats, privilege escalation and container escape. Specifically, we identify the metrics that directly reflect the working conditions of the attacker, and we extract the metrics essential to privilege escalation and container escape by investigating the feasible methods for defeating the security measures, including KASLR, SMEP and SMAP. Since memory corruption vulnerabilities are frequently used in privilege escalation attacks, we collect a dataset of publicly released memory corruption vulnerabilities to assist the evaluation. We then develop a tool that collects the metric data in the checklist from inside the cloud containers, and perform a security inspection of five in-service commercial cloud container services. The results show that some containers run with weak protection mechanisms (e.g., with Seccomp disabled), and that KASLR could be bypassed on all five cloud containers. However, even after obtaining root privilege in a container, attackers can still hardly escape from the container on the public cloud platforms, since the files needed to craft or compile a loadable kernel module for the host OS are inaccessible from the container. Finally, we provide suggestions for improving the security of cloud container services.
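As an added illustration of the kind of in-container checklist tool the abstract describes (example code written for this page, not the authors' tool; the sample /proc contents, the capability mask values and the kernel release string 5.4.0-sample are constructed), the POSIX shell script below reads the Seccomp mode and effective capability mask from /proc/self/status, the SMEP and SMAP flags from /proc/cpuinfo, whether /proc/kallsyms exposes non-zero kernel addresses, and whether the kernel headers, System.map and vmlinuz for the running kernel are reachable from the container. Each check takes explicit file paths so the same functions run against a constructed snapshot and against the live container.

```shell
#!/bin/sh
# Example metric collector, written for this page (not the paper's tool).
# Each check reads from explicit paths so it can run on the live /proc and
# filesystem of a container, or on a constructed snapshot for testing.

# Capability bit numbers from capabilities(7).
CAP_SYS_MODULE=16
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21

# seccomp_mode STATUS_FILE: Seccomp mode from a /proc/<pid>/status file
# (0 = disabled, 1 = strict, 2 = filter). Prints "unknown" if absent.
seccomp_mode() {
    m=$(awk '/^Seccomp:/ { print $2 }' "$1")
    if [ -n "$m" ]; then echo "$m"; else echo unknown; fi
}

# cap_has STATUS_FILE BIT: succeeds if capability BIT is set in CapEff.
# CapEff is a 64-bit hex mask; POSIX arithmetic accepts 0x constants.
cap_has() {
    mask=$(awk '/^CapEff:/ { print $2 }' "$1")
    [ -n "$mask" ] || return 1
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# cpu_flag CPUINFO_FILE FLAG: succeeds if FLAG (smep, smap, ...) is listed.
# The container sees the host CPU, so this reflects host hardware support.
cpu_flag() {
    awk '/^flags/ { print; exit }' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# kallsyms_leaks KALLSYMS_FILE: succeeds if any symbol shows a non-zero
# address, i.e. the randomized kernel base is readable from the container.
kallsyms_leaks() {
    grep -qv '^0* ' "$1"
}

# lkm_build_material RELEASE ROOT: prints the files under ROOT that would let
# an attacker compile or craft a module for kernel RELEASE; ROOT="" is live.
lkm_build_material() {
    for p in "/lib/modules/$1/build" "/usr/src/linux-headers-$1" \
             "/boot/System.map-$1" "/boot/vmlinuz-$1" "/proc/config.gz"; do
        [ -e "$2$p" ] && echo "$2$p"
    done
    return 0
}

# report STATUS CPUINFO KALLSYMS RELEASE ROOT: one metric=value per line.
report() {
    echo "seccomp_mode=$(seccomp_mode "$1")"
    for c in SYS_MODULE:$CAP_SYS_MODULE SYS_PTRACE:$CAP_SYS_PTRACE \
             SYS_ADMIN:$CAP_SYS_ADMIN; do
        if cap_has "$1" "${c##*:}"; then echo "cap_${c%%:*}=1"; else echo "cap_${c%%:*}=0"; fi
    done
    for f in smep smap; do
        if cpu_flag "$2" "$f"; then echo "cpu_$f=1"; else echo "cpu_$f=0"; fi
    done
    if kallsyms_leaks "$3"; then echo "kaslr_leak=1"; else echo "kaslr_leak=0"; fi
    echo "lkm_build_files=$(lkm_build_material "$4" "$5" | grep -c .)"
}

# make_sample DIR: constructed /proc snapshot of a weakly hardened container:
# Seccomp disabled, full capability set, kallsyms readable. Illustrative only.
make_sample() {
    mkdir -p "$1/proc/self"
    printf 'Name:\tsh\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n' > "$1/proc/self/status"
    printf 'flags\t\t: fpu vme pge smep smap\n' > "$1/proc/cpuinfo"
    printf 'ffffffff9a200000 T _text\nffffffff9a2000a0 T startup_64\n' > "$1/proc/kallsyms"
}

SAMPLE_DIR=$(mktemp -d)
make_sample "$SAMPLE_DIR"
echo "# constructed sample (kernel release is a placeholder)"
report "$SAMPLE_DIR/proc/self/status" "$SAMPLE_DIR/proc/cpuinfo" \
       "$SAMPLE_DIR/proc/kallsyms" 5.4.0-sample "$SAMPLE_DIR"
if [ -r /proc/self/status ]; then
    echo "# live container"
    report /proc/self/status /proc/cpuinfo /proc/kallsyms "$(uname -r)" ""
fi
```

Run it inside the container under test; the live report is skipped on systems without /proc. A kallsyms file with non-zero addresses is only one channel for learning the KASLR offset, and a present CPU flag only shows hardware support for SMEP/SMAP, not that the host kernel has them enabled, so treat the output as checklist input rather than a verdict. An empty lkm_build_files count matches the abstract's observation that the host's module build material is normally kept out of reach of the container.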


Notes

  1. As required by some service providers, we use cp1, cp2, cp3, cp4, cp5 to represent the five cloud providers, and ccs1, ccs2, ccs3, ccs4, ccs5 to represent the five cloud container services in the evaluation results.


Acknowledgment

We thank the anonymous reviewers for their insightful comments on improving our work. This work is partially supported by National Key R&D Program of China under Award No. 2018YFB0804402, the National Natural Science Foundation of China under GA No. 61802398, the National Cryptography Development Fund under Award No. MMJJ20180222 and the NSF grant CNS-1815650.

Author information

Corresponding author: Lingguang Lei


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Wu, Y., Lei, L., Wang, Y., Sun, K., Meng, J. (2020). Evaluation on the Security of Commercial Cloud Container Services. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science, vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_10


  • DOI: https://doi.org/10.1007/978-3-030-62974-8_10
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-62973-1
  • Online ISBN: 978-3-030-62974-8
  • eBook Packages: Computer Science, Computer Science (R0)
