Container Security: Issues, Challenges, and the Road Ahead

Containers emerged as a lightweight alternative to virtual machines (VMs) that offers better support for microservice architectures. The value of the container market is expected to reach $2.7 billion in 2020, compared to $762 million in 2016. Although containers are considered the standard method for deploying microservices and play an important role in emerging cloud computing fields such as service meshes, market surveys show that security is the main concern and adoption barrier for many companies. In this paper, we survey the literature on container security and the proposed solutions. We derive four generalized use cases that cover the security requirements of the host-container threat landscape: (I) protecting a container from the applications inside it, (II) inter-container protection, (III) protecting the host from containers, and (IV) protecting containers from a malicious or semi-honest host. We found that the first three use cases are addressed by software-based solutions that rely mainly on Linux kernel features (e.g., namespaces, cgroups, capabilities, and seccomp) and Linux security modules (e.g., AppArmor). The last use case relies on hardware-based solutions such as trusted platform modules (TPMs) and trusted execution environments (e.g., Intel SGX). We hope that our analysis will help researchers understand container security requirements and obtain a clearer picture of possible vulnerabilities and attacks. Finally, we highlight open research problems and future research directions that may stimulate further work in this area.
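As an added illustration of the kernel features the abstract lists for use cases I to III (this is example code written for this page, not material from the survey), the script below decodes the effective capability set, the seccomp mode and the NoNewPrivs flag of a process from its /proc/<pid>/status, which is how a practitioner checks what isolation a container was actually started with rather than what the deployment manifest promised. Assumptions: the capability bit numbering follows linux/capability.h up to CAP_CHECKPOINT_RESTORE (bit 40); the two status excerpts are constructed to resemble a default and a --privileged Docker container and were not captured from a real host; the set of host-escape-relevant capabilities is the example's own judgement, not a list from the paper.

```python
"""Decode the capability and seccomp posture of a process from /proc/<pid>/status.

Example code for this page, not from the surveyed paper. Assumptions: bit
numbering per linux/capability.h (kernel 5.9+); the SAMPLE_* excerpts below
are constructed, not captured from a real container.
"""
import os

# Capability names indexed by bit number (linux/capability.h, bits 0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that commonly give a container a direct path to the host
# (use case III). This selection is the example's own judgement.
HOST_ESCAPE_RISK = {
    "sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "sys_boot",
    "dac_read_search", "net_admin", "mac_admin", "mac_override", "bpf", "perfmon",
}

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed excerpt resembling a default Docker container running as root:
# 14 capabilities, seccomp filter on, no_new_privs off.
SAMPLE_DOCKER_DEFAULT = (
    "Name:\tsh\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t2\n"
)

# Constructed excerpt resembling a --privileged container: every capability
# and, as Docker does for --privileged, no seccomp filter.
SAMPLE_PRIVILEGED = (
    "Name:\tsh\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t0\n"
)


def parse_status(text):
    """Extract the security-relevant fields from a /proc/<pid>/status body."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "cap_eff": int(fields["CapEff"], 16),
        "cap_bnd": int(fields["CapBnd"], 16),
        # Seccomp: 0 = off, 1 = strict, 2 = BPF filter (Docker's default profile).
        "seccomp": int(fields.get("Seccomp", "0")),
        # NoNewPrivs is 1 once execve() can no longer grant privileges.
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
    }


def decode_caps(mask):
    """Turn a capability bitmask into the list of set capability names, by bit."""
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


def assess(status):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    risky = sorted(set(decode_caps(status["cap_eff"])) & HOST_ESCAPE_RISK)
    if risky:
        findings.append("host-escape-relevant effective capabilities: " + ", ".join(risky))
    if status["seccomp"] != 2:
        mode = SECCOMP_MODES.get(status["seccomp"], str(status["seccomp"]))
        findings.append(f"seccomp mode is '{mode}': no syscall filter narrows the kernel attack surface")
    if not status["no_new_privs"]:
        findings.append("NoNewPrivs unset: setuid binaries and file capabilities can still raise privileges")
    return findings


if __name__ == "__main__":
    # On Linux inspect the current process; elsewhere fall back to the constructed sample.
    path = "/proc/self/status"
    text = open(path).read() if os.path.exists(path) else SAMPLE_DOCKER_DEFAULT
    status = parse_status(text)
    print("effective caps:", ", ".join(decode_caps(status["cap_eff"])) or "(none)")
    print("seccomp:", SECCOMP_MODES.get(status["seccomp"], status["seccomp"]))
    for finding in assess(status) or ["no findings"]:
        print(" -", finding)
```

Run it with `docker exec <container> python3 caps_check.py` (or point `path` at `/proc/<pid>/status` from the host) to see the posture of a live container; the default Docker set yields a single finding (NoNewPrivs), while a privileged container trips all three checks.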
