CRII: SaTC: Securing Containers in Multi-Tenant Environment via Augmenting Linux Control Groups

CRII：SaTC：通过增强 Linux 控制组保护多租户环境中的容器

• 批准号: 1948131
• 负责人: Xing Gao
• 金额: $ 17.5万
• 依托单位: University of Memphis
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-06-01 至 2020-11-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1948131&HistoricalAwards=false
• 关键词: CRII; SaTC; Securing; Containers; Multi

Container technology provides a lightweight operating system level virtual hosting environment. It has been broadly adopted in various computation scenarios, including edge computing, serverless computing, and commercial clouds. Containers depend on multiple building blocks in the Linux kernel for resource isolation and control. Particularly, Linux Control Groups (i.e., cgroups) are leveraged to apply resource limits and account for resource usage for containers. However, those features in the Linux kernel may not provide the same level of security guarantees as conventional virtual machines. For example, breaking the resource control of cgroups would not only cause unfair resource sharing among multiple container instances, but also significantly reduce containers’ performance. This project intends to secure containers by systematically investigating security implications in cgroups and developing new defending systems to mitigate potential security threats in multi-tenant container environments. The research is expected to identify and address new security challenges in containers, and thus benefit both container service providers and customers. Educational and outreach activities include curriculum development in systems programming and cloud security, and research experience opportunities for women and minority students as well as for high school students. The project would systematically explore methods to break the resource rein of the existing cgroups mechanism, and comprehensively understand the security impacts on Linux containers. It develops a set of exploiting strategies to generate out-of-band workloads to escape cgroups. Novel kernel code analysis techniques are developed that use a combination of data flow, control flow and program dependency graphs to automatically uncover feasible exploitation cases available inside unprivileged containers with a set of cgroup resource controllers enabled. All potential exploits are quantitatively evaluated on multiple testbeds in realistic container environments under various attack scenarios. Specifically, a variety of real-world workloads are evaluated to understand the impact and severity of vulnerabilities. With better knowledge of the inadequacies in existing cgroup mechanism and related exploitations, the project develops lightweight defense mechanisms to secure containers and mitigate potential security threats. The proposed system is evaluated in terms of multiple aspects including performance and security.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

容器技术提供了一个轻量级的操作系统级虚拟主机环境。它已被广泛应用于各种计算场景，包括边缘计算，无服务器计算和商业云。容器依赖于Linux内核中的多个构建块来进行资源隔离和控制。特别是，Linux控制组（即，cgroups）被利用来应用资源限制并考虑容器的资源使用。然而，Linux内核中的那些功能可能无法提供与传统虚拟机相同级别的安全保证。例如，破坏cgroups的资源控制不仅会导致多个容器实例之间的不公平资源共享，还会显著降低容器的性能。该项目旨在通过系统地调查cgroups中的安全含义来保护容器，并开发新的防御系统以减轻多租户容器环境中的潜在安全威胁。预计该研究将识别和解决集装箱中的新安全挑战，从而使集装箱服务提供商和客户受益。教育和外联活动包括系统编程和云安全方面的课程开发，以及为妇女和少数民族学生以及高中生提供研究经验的机会。 该项目将系统地探索打破现有cgroups机制的资源束缚的方法，并全面了解对Linux容器的安全影响。它开发了一组利用策略来生成带外工作负载以逃避cgroups。开发了新的内核代码分析技术，该技术使用数据流、控制流和程序依赖图的组合来自动发现启用了一组cgroup资源控制器的非特权容器内可用的可行利用情况。在各种攻击场景下，在真实容器环境中的多个测试平台上对所有潜在漏洞进行定量评估。具体而言，评估各种真实世界的工作负载，以了解漏洞的影响和严重性。通过更好地了解现有cgroup机制和相关开发的不足之处，该项目开发了轻量级防御机制来保护容器并减轻潜在的安全威胁。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。