Analysis of Linux Container-based Security Mechanisms

基于Linux容器的安全机制分析

• 批准号: 487286-2015
• 负责人: Mannan, Mohammad
• 金额: $ 1.82万
• 依托单位: Concordia University
• 依托单位国家: 加拿大
• 项目类别: Engage Grants Program
• 财政年份: 2015
• 资助国家: 加拿大
• 起止时间: 2015-01-01 至 2016-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=586022
• 关键词: Analysis; Linux; Container; based; Security

Virtual machines (VMs) and hypervisors are typically relied on to achieve isolation between mutually hostile or untrustworthy applications. In recent times, the phenomenal growth of cloud computing and data centers lead to renewed interest in OS-based, lightweight isolation mechanisms due to their superior performance. This research will first identify key differences (from a security perspective) in existing virtualization technologies based on traditional hypervisors (e.g., virtual machines), and operating systems (e.g., Linux containers). We will then perform a security analysis of different OS-level virtualization mechanisms, with the focus on Linux containers. Particularly, we would like to understand how containerization could be attacked and how its security could be improved in order to build a more secure isolation technique for multi-tenant, untrusted environment, specifically for data center operations. We will analyze the limits of resource isolation provided by Linux containers, and consider the following attack avenues: exploiting shared hardware resources that are not isolated by containers (e.g., processor cache, memory, input/output devices); and exploitation of known Linux kernel vulnerabilities that may allow a malicious application to breakout of the confinement of a container. We will then outline some recommendations on how the identified limitations (if any) can be alleviated for a safer cloud computing environment, which is the primary goal of our industry partner, Huawei Canada. We will consult with our contacts at Huawei, and seek their feedback in all steps of this project. Results from our analysis is expected to help Huawei in choosing OS-based isolation mechanisms for their data center environment.

通常依靠虚拟机 (VM) 和虚拟机管理程序来实现相互敌对或相互隔离。 不可信的应用程序。近年来，云计算和数据中心的显着增长引领 由于其卓越的性能，人们对基于操作系统的轻量级隔离机制重新产生了兴趣。这 研究将首先确定现有虚拟化技术的关键差异（从安全角度） 基于传统的虚拟机管理程序（例如虚拟机）和操作系统（例如 Linux 容器）。我们 然后将对不同操作系统级虚拟化机制进行安全分析，重点是 Linux 容器。特别是，我们想了解容器化如何受到攻击以及它是如何受到攻击的。 可以提高安全性，以便为多租户、不可信的环境构建更安全的隔离技术 环境，专门用于数据中心运营。我们将分析所提供的资源隔离的局限性 通过 Linux 容器，并考虑以下攻击途径： 利用共享硬件资源 不被容器隔离（例如处理器缓存、内存、输入/输出设备）；和利用已知的 Linux 内核漏洞可能允许恶意应用程序突破操作系统的限制 容器。然后，我们将概述一些关于如何识别已识别的限制（如果有）的建议 为了更安全的云计算环境，这是我们的行业合作伙伴华为的首要目标 加拿大。我们将咨询华为的联系人，并在该项目的各个步骤中寻求他们的反馈。 我们的分析结果预计将帮助华为为其数据选择基于操作系统的隔离机制 中心环境。