Annual Computer Security Applications Conference (ACSAC) 2018


A Measurement Study on Linux Container Security: Attacks and Countermeasures

The Linux container mechanism has attracted a lot of attention and is increasingly used to deploy industry applications. Although it is widely agreed that containers are not secure because of their kernel-sharing property, a concrete and systematic evaluation of container security using real-world exploits has been lacking. In this paper, we collect an attack dataset of 223 exploits that are effective on the container platform and classify them into categories using a two-dimensional attack taxonomy. We then evaluate the security of the existing Linux container mechanism using 88 typical exploits selected from the dataset. We find that 50 of them (56.82%) can successfully launch attacks from inside a container with the default configuration. Because privilege escalation exploits can completely disable the container protection mechanism, we conduct an in-depth analysis of these exploits. We find that the kernel security mechanisms such as Capability, Seccomp, and MAC play a more important role in preventing privilege escalation than the container isolation mechanisms (i.e., Namespace and Cgroup). However, the interdependence and mutual influence among these kernel security mechanisms can make them fall into the "short board effect", impairing their protection capability. By studying the 11 exploits that can still break the isolation provided by the container and achieve privilege escalation, we identify a common 4-step attack model followed by all 11 exploits. Finally, we propose a defense mechanism that effectively defeats the identified privilege escalation attacks.
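The abstract's central finding is that the kernel security mechanisms (Capability, Seccomp, MAC) matter more than namespaces and cgroups, and that weakening one of them weakens the others. A practical consequence for operators is that each layer should be verified from inside the container rather than assumed. The following Python script is an added example, not code from the paper or its authors: it parses the `CapEff`, `Seccomp` and `NoNewPrivs` fields of a Linux `/proc/<pid>/status` file, decodes the effective capability mask into capability names, and reports which layers are active. The two embedded status snippets are constructed for illustration; the capability-number table and the `HIGH_RISK_CAPS` selection are this example's own assumptions, not values taken from the paper.

```python
"""Audit which kernel security layers are in effect for a process (added example)."""
import os
from typing import Dict, List, Optional

# Linux capability bit numbers (index == bit position in CapEff); assumed from
# include/uapi/linux/capability.h, not from the paper.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Capabilities whose presence in a container's effective set largely negates
# namespace/cgroup isolation; this selection is the example's own assumption.
HIGH_RISK_CAPS = {
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_MAC_ADMIN",
    "CAP_MAC_OVERRIDE", "CAP_SYS_BOOT", "CAP_BPF", "CAP_PERFMON",
}


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(mask_hex: str) -> List[str]:
    """Expand a hexadecimal capability mask into capability names."""
    mask = int(mask_hex, 16)
    names = []
    for bit in range(64):
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def audit(status_text: str) -> Dict[str, object]:
    """Summarise the Capability, Seccomp and no_new_privs state of one process."""
    fields = parse_status(status_text)
    caps = decode_caps(fields.get("CapEff", "0"))
    seccomp = int(fields.get("Seccomp", "0"))
    return {
        "effective_caps": caps,
        "high_risk_caps": sorted(set(caps) & HIGH_RISK_CAPS),
        "seccomp_mode": SECCOMP_MODES.get(seccomp, f"unknown({seccomp})"),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
    }


def read_mac_label() -> Optional[str]:
    """Return the MAC (AppArmor/SELinux) label of this process, if the kernel exposes one."""
    try:
        with open("/proc/self/attr/current") as fh:
            return fh.read().strip("\n\0") or None
    except OSError:
        return None


def audit_self() -> Dict[str, object]:
    """Audit the calling process itself (Linux only)."""
    with open("/proc/self/status") as fh:
        report = audit(fh.read())
    report["mac_label"] = read_mac_label()
    return report


# Constructed sample: CapEff matches a widely used default container capability
# set, seccomp filter mode on, no_new_privs off.
SAMPLE_DEFAULT = (
    "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\nNoNewPrivs:\t0\nSeccomp:\t2\nSeccomp_filters:\t1\n"
)
# Constructed sample: full capability set and seccomp disabled, i.e. the
# kernel-level layers the paper highlights are all absent.
SAMPLE_PRIVILEGED = (
    "Name:\tsh\nCapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"
)

if __name__ == "__main__":
    target = audit_self() if os.path.exists("/proc/self/status") else audit(SAMPLE_DEFAULT)
    for key, value in target.items():
        print(f"{key}: {value}")
```

Run inside a container to see which layers actually apply to the workload; an empty `high_risk_caps` list together with `seccomp_mode == "filter"` and a non-empty `mac_label` means all three kernel-level layers the paper singles out are present, whereas the privileged sample shows the configuration in which only namespaces and cgroups remain.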

Xin Lin
School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China and Institute of Information Engineering, CAS, Beijing, China and Data Assurance and Communication Security Research Center, CAS, Beijing, China
China

Lingguang Lei
Institute of Information Engineering, CAS, Beijing, China and Data Assurance and Communication Security Research Center, CAS, Beijing, China
China

Yuewu Wang
Institute of Information Engineering, CAS, Beijing, China and Data Assurance and Communication Security Research Center, CAS, Beijing, China
China

Jiwu Jing
Institute of Information Engineering, CAS, Beijing, China and Data Assurance and Communication Security Research Center, CAS, Beijing, China
China

Kun Sun
George Mason University, Fairfax, USA
United States

Quan Zhou
Institute of Information Engineering, CAS, Beijing, China and Data Assurance and Communication Security Research Center, CAS, Beijing, China
China
