A Defense Method against Docker Escape Attack

As one of the main technologies supporting virtualization in cloud computing, Docker provides fast and lightweight operating-system-level virtualization and is widely used across a variety of cloud platforms. Docker faces the risk of attacks in which malicious users exploit kernel vulnerabilities: once an exploit program inside a container launches a successful escape attack, it can gain root privilege on the host, which affects the reliability of other containers and of the entire system. This paper discusses the existing security mechanisms and security issues of Docker, summarizes the methods and characteristics of Docker escape attacks, and proposes a defense method based on status inspection of namespaces, which is proved to be able to detect anomalous processes and prevent escape behaviors.
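As an added illustration of what a namespace status inspection can look like (this is example code written for this page, not the paper's implementation), the script below compares each container process's namespace identities, as exposed by the `/proc/<pid>/ns/*` symlinks on Linux, against the baseline recorded when the container started and against the host's own namespaces; the function names, the severity labels and the sample data are assumptions made here.

```python
import os
from typing import Dict, List

# Namespace types exposed as symlinks under /proc/<pid>/ns/ on Linux.
NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user")


def read_namespaces(pid: int) -> Dict[str, str]:
    """Read a live process's namespace identities, e.g. 'mnt:[4026531840]'."""
    return {ns: os.readlink(f"/proc/{pid}/ns/{ns}") for ns in NS_TYPES}


def find_escaped(processes: Dict[int, Dict[str, str]],
                 container_ns: Dict[str, str],
                 host_ns: Dict[str, str]) -> List[dict]:
    """Flag processes whose namespaces drifted from their container's baseline.

    processes:    pid -> namespace identities of processes that belong to the container
    container_ns: baseline captured when the container was started
    host_ns:      namespaces of the host's init process (pid 1)
    A drift into the host's namespaces is treated as critical (escape indicator);
    a drift into any other, unknown namespace is reported as a warning.
    """
    findings = []
    for pid, ns in processes.items():
        drifted = {t: ns.get(t) for t in NS_TYPES if ns.get(t) != container_ns.get(t)}
        if not drifted:
            continue
        joined_host = [t for t, v in drifted.items() if v == host_ns.get(t)]
        findings.append({"pid": pid, "drifted": sorted(drifted),
                         "joined_host": sorted(joined_host),
                         "severity": "critical" if joined_host else "warning"})
    return findings


# Constructed sample data (inode numbers invented, not captured from a real system).
HOST_NS = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "net": "net:[4026531992]",
           "ipc": "ipc:[4026531839]", "uts": "uts:[4026531838]", "user": "user:[4026531837]"}
# Default Docker containers share the host's user namespace, so "user" matches HOST_NS.
CONTAINER_NS = {"mnt": "mnt:[4026532201]", "pid": "pid:[4026532204]", "net": "net:[4026532207]",
                "ipc": "ipc:[4026532202]", "uts": "uts:[4026532203]", "user": "user:[4026531837]"}
SAMPLE_PROCESSES = {
    1201: dict(CONTAINER_NS),                                              # normal container process
    1337: {**CONTAINER_NS, "mnt": HOST_NS["mnt"], "pid": HOST_NS["pid"]},  # now in host mnt/pid namespaces
    1402: {**CONTAINER_NS, "net": "net:[4026532310]"},                     # moved to an unknown net namespace
}


def demo() -> List[dict]:
    """Run the inspection over the constructed sample; live use would feed read_namespaces()."""
    return find_escaped(SAMPLE_PROCESSES, CONTAINER_NS, HOST_NS)
```

In live use the baseline is taken once from the container's init process and the check is repeated over every pid in the container's cgroup, so a process that leaves its namespaces is reported on the next sweep.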
