SaTC: TTP: Small: Enhancing Container Security via Fine-Grained System Resource Constraints

SaTC：TTP：小型：通过细粒度系统资源约束增强容器安全性

• 批准号: 1815650
• 负责人: Kun Sun
• 金额: $ 48.93万
• 依托单位: George Mason University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1815650&HistoricalAwards=false
• 关键词: SaTC; TTP; Small; Enhancing; Container

Linux containers have become a popular light-weight virtualization platform for effective on-demand computing. Their use ranges from simple high-performance computing (HPC) clusters to fully orchestrated enterprise systems. As such they have become attractive targets for attackers. This project aims at improving the trustworthiness and reliability of the Linux containers and their applications. With the substantial security enhancement against malicious attacks, it could promote the adaptation of the light-weight container platform, particularly, in the HPC community to satisfy the needs on mobility of compute. In addition, the developed techniques are generic and can be easily ported or extended to protect other Linux platforms that have the basic security primitives enabled.This project provides a novel and practical framework to enhance container security via enforcing dynamic system resource constraints based on the lifecycle phases of a particular container platform. Particularly, since the same operating system (OS) kernel is shared among all containers on a host, when one malicious container escapes from the user-level process into the OS kernel, all other containers are compromised too. The project can dramatically reduce the attack surface of the host OS by smoothly integrating dynamic filters with the existing security primitives (e.g., seccomp, capabilities, and cgroups) in Linux kernels. Moreover, the combination of these enhanced security primitives provides more power and flexibility on attack mitigation. This security enhancement is user-transparent and has a minimal overhead.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Linux容器已经成为一种流行的轻量级虚拟化平台，用于有效的按需计算。它们的使用范围从简单的高性能计算（HPC）集群到完全协调的企业系统。因此，它们已成为攻击者的诱人目标。该项目旨在提高Linux容器及其应用程序的可信度和可靠性。随着对恶意攻击的实质性安全增强，它可以促进轻量级容器平台的适应，特别是在HPC社区中，以满足计算移动性的需求。此外，开发的技术是通用的，可以很容易地移植或扩展到保护其他Linux平台的基本安全primitive.This项目提供了一个新颖的和实用的框架，通过实施动态系统资源约束的基础上，一个特定的容器平台的生命周期阶段的容器安全。特别地，由于在主机上的所有容器之间共享相同的操作系统（OS）内核，所以当一个恶意容器从用户级进程逃逸到OS内核中时，所有其他容器也受到危害。该项目可以通过将动态过滤器与现有的安全原语（例如，seccomp、capabilities和cgroups）。此外，这些增强的安全原语的组合在攻击缓解方面提供了更多的能力和灵活性。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

RusTEE: Developing Memory-Safe ARM TrustZone Applications

• DOI: 10.1145/3427228.3427262
• 发表时间: 2020-12
• 期刊: Proceedings of the 36th Annual Computer Security Applications Conference
• 作者: Shengye Wan;Ning Zhang

Evaluation on the Security of Commercial Cloud Container Services

• DOI: 10.1007/978-3-030-62974-8_10
• 发表时间: 2020
• 作者: Yifei Wu;Lingguang Lei;Yuewu Wang;Kun Sun;Jingzi Meng

The devil is in the detail: Generating system call whitelist for Linux seccomp

细节决定成败：为 Linux seccomp 生成系统调用白名单

• DOI: 10.1016/j.future.2022.04.016
• 发表时间: 2022
• 期刊: Future Generation Computer Systems
• 作者: Xing, Yunlong;Cao, Jiahao;Sun, Kun;Yan, Fei;Wan, Shengye
• 通讯作者: Wan, Shengye

A Measurement Study on Linux Container Security: Attacks and Countermeasures

• DOI: 10.1145/3274694.3274720
• 发表时间: 2018-12
• 期刊: Proceedings of the 34th Annual Computer Security Applications Conference
• 作者: Xin Lin;Lingguang Lei;Yuewu Wang;Jiwu Jing;Kun Sun;Quan Zhou

Cache-in-the-Middle (CITM) Attacks: Manipulating Sensitive Data in Isolated Execution Environments

• DOI: 10.1145/3372297.3417886
• 发表时间: 2020-10
• 期刊: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Jie Wang;Kun Sun;Lingguang Lei;Shengye Wan;Yuewu Wang;Jiwu Jing