Abstract
With the increasing adoption of containers in industry, cloud vendors have begun to provide cloud container services. Unfortunately, there is no concrete method for evaluating the security of cloud containers, which depends heavily on the security policies enforced by the cloud providers. In this paper, we first derive a metric checklist that identifies the critical factors associated with the security of cloud container services against the two most severe threats, i.e., privilege escalation and container escaping attacks. Specifically, we identify the metrics that directly reflect the working conditions of the attacker. We also extract the metrics essential to privilege escalation and container escaping attacks by investigating the feasible methods for breaking security measures such as KASLR, SMEP and SMAP. Since memory corruption vulnerabilities are frequently exploited in privilege escalation attacks, we collect a dataset of publicly released memory corruption vulnerabilities to assist the evaluation. Then, we develop a tool to collect the metric data listed in the checklist from inside the cloud containers and perform a security inspection of five in-service commercial cloud container services. The results show that some containers are protected by weak mechanisms (e.g., with Seccomp disabled), and that KASLR could be bypassed on all five cloud containers. However, even after obtaining ROOT privilege in a container, attackers still can hardly escape from the container on the public cloud platforms, since the files necessary for crafting or compiling a loadable kernel module for the host OS are inaccessible to the container. Finally, we provide some suggestions for improving the security of cloud container services.
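As an added illustration of the kind of in-container metric collection the abstract describes (this is example code, not the paper's own tool), the following Python reads the /proc files a container exposes and flags the checklist items named above: Seccomp mode, effective capabilities, SMEP/SMAP, whether /proc/kallsyms reveals the randomized kernel base, and whether kernel-module build files are reachable. The sample /proc contents are constructed; the capability mask is the familiar Docker default set.

```python
import os, re

CAP_SYS_MODULE, CAP_SYS_ADMIN = 16, 21  # bit numbers from <linux/capability.h>
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}
# Constructed samples standing in for the /proc files a container would expose.
SAMPLE_STATUS = "Name:\tbash\nCapEff:\t00000000a80425fb\nSeccomp:\t0\n"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu pae nx smep\n"
SAMPLE_KALLSYMS = "0000000000000000 T startup_64\n0000000000000000 t verify_cpu\n"

def parse_status(text):
    """Return (seccomp mode name, set of effective capability bits) from /proc/<pid>/status."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", text, re.M))
    mode = SECCOMP_MODES.get(fields.get("Seccomp", "0"), "unknown")
    cap_eff = int(fields.get("CapEff", "0"), 16)
    return mode, {bit for bit in range(64) if cap_eff >> bit & 1}

def cpu_protections(cpuinfo_text):
    """Report whether the CPU advertises SMEP and SMAP in /proc/cpuinfo."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.M)
    flags = set(m.group(1).split()) if m else set()
    return {"smep": "smep" in flags, "smap": "smap" in flags}

def kallsyms_leaks(kallsyms_text):
    """True if /proc/kallsyms shows real (non-zero) addresses, i.e. the randomized kernel base is readable."""
    return any(int(line.split(" ", 1)[0], 16) != 0
               for line in kallsyms_text.splitlines() if line.strip())

def assess(status_text, cpuinfo_text, kallsyms_text, build_dir_exists):
    """Combine the raw metrics into checklist findings (True marks a weak point)."""
    mode, caps = parse_status(status_text)
    cpu = cpu_protections(cpuinfo_text)
    return {"seccomp_disabled": mode == "disabled",
            "cap_sys_module": CAP_SYS_MODULE in caps,
            "cap_sys_admin": CAP_SYS_ADMIN in caps,
            "no_smep": not cpu["smep"], "no_smap": not cpu["smap"],
            "kaslr_leak_via_kallsyms": kallsyms_leaks(kallsyms_text),
            "module_build_files_present": build_dir_exists}

def read_or_empty(path):
    """Read a /proc file, returning '' where the container hides or lacks it."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""

def assess_live():
    """Run the same checks against the container this process is running in."""
    build = os.path.isdir(f"/lib/modules/{os.uname().release}/build")
    return assess(read_or_empty("/proc/self/status"), read_or_empty("/proc/cpuinfo"),
                  read_or_empty("/proc/kallsyms"), build)
```

Running `assess_live()` inside a container gives a dictionary in which every `True` entry corresponds to one of the weak conditions the paper's checklist looks for; a hidden or absent /proc file simply reads as empty and is reported as not leaking.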
Notes
1. As per the requirements of some service providers, we use cp1, cp2, cp3, cp4, cp5 to represent the five cloud providers, and ccs1, ccs2, ccs3, ccs4, ccs5 to represent the five cloud container services in the evaluation results.
Acknowledgment
We thank the anonymous reviewers for their insightful comments on improving our work. This work is partially supported by the National Key R&D Program of China under Award No. 2018YFB0804402, the National Natural Science Foundation of China under GA No. 61802398, the National Cryptography Development Fund under Award No. MMJJ20180222 and the NSF grant CNS-1815650.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Wu, Y., Lei, L., Wang, Y., Sun, K., Meng, J. (2020). Evaluation on the Security of Commercial Cloud Container Services. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science(), vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_10
DOI: https://doi.org/10.1007/978-3-030-62974-8_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62973-1
Online ISBN: 978-3-030-62974-8