TY - GEN
T1 - Securing the infrastructure and the workloads of linux containers
AU - Mattetti, Massimiliano
AU - Shulman-Peleg, Alexandra
AU - Allouche, Yair
AU - Corradi, Antonio
AU - Dolev, Shlomi
AU - Foschini, Luca
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/12/3
Y1 - 2015/12/3
N2 - One of the central building blocks of cloud platforms is Linux containers, which simplify the deployment and management of applications for scalability. However, they introduce new risks by allowing attacks on shared resources such as the file system, network and kernel. Existing security hardening mechanisms protect specific applications and are not designed to protect entire environments such as those inside the containers. To address these, we present LiCShield, a framework for securing Linux containers and their workloads via automatic construction of rules describing the expected activities of containers spawned from a given image. Specifically, given an image of interest, LiCShield traces its execution and generates profiles for kernel security modules that restrict the containers' capabilities. We distinguish between the operations on the Linux host and the ones inside the container to provide the following protection mechanisms: (1) Increased host protection, by restricting the operations done by containers and the container management daemon only to those observed in a testing environment; (2) Narrowed container operations, by tightening the internal dynamic and noisy environments, without paying the high performance overhead of their on-line monitoring. Our experimental results show that this approach is effective in preventing known attacks, while having almost no overhead on the production environment. We present our methodology and its technological insights and provide recommendations regarding its efficient deployment with intrusion detection tools to achieve both optimized performance and increased protection. The code of the LiCShield framework as well as the presented experimental results are freely available for use at https://github.com/LinuxContainerSecurity/LiCShield.git.
AB - One of the central building blocks of cloud platforms is Linux containers, which simplify the deployment and management of applications for scalability. However, they introduce new risks by allowing attacks on shared resources such as the file system, network and kernel. Existing security hardening mechanisms protect specific applications and are not designed to protect entire environments such as those inside the containers. To address these, we present LiCShield, a framework for securing Linux containers and their workloads via automatic construction of rules describing the expected activities of containers spawned from a given image. Specifically, given an image of interest, LiCShield traces its execution and generates profiles for kernel security modules that restrict the containers' capabilities. We distinguish between the operations on the Linux host and the ones inside the container to provide the following protection mechanisms: (1) Increased host protection, by restricting the operations done by containers and the container management daemon only to those observed in a testing environment; (2) Narrowed container operations, by tightening the internal dynamic and noisy environments, without paying the high performance overhead of their on-line monitoring. Our experimental results show that this approach is effective in preventing known attacks, while having almost no overhead on the production environment. We present our methodology and its technological insights and provide recommendations regarding its efficient deployment with intrusion detection tools to achieve both optimized performance and increased protection. The code of the LiCShield framework as well as the presented experimental results are freely available for use at https://github.com/LinuxContainerSecurity/LiCShield.git.
UR - http://www.scopus.com/inward/record.url?scp=84966293811&partnerID=8YFLogxK
U2 - 10.1109/CNS.2015.7346869
DO - 10.1109/CNS.2015.7346869
M3 - Conference contribution
AN - SCOPUS:84966293811
T3 - 2015 IEEE Conference on Communications and Network Security, CNS 2015
SP - 559
EP - 567
BT - 2015 IEEE Conference on Communications and Network Security, CNS 2015
PB - Institute of Electrical and Electronics Engineers
T2 - 3rd IEEE International Conference on Communications and Network Security, CNS 2015
Y2 - 28 September 2015 through 30 September 2015
ER -