Security Assessment Technique of a Container Runtime Using System Call Weights

  • Yang, Jihyeok (School of Computer Science and Engineering, Kyungpook National University) ;
  • Tak, Byungchul (Dept. of Computer Science and Engineering, Kyungpook National University)
  • Received : 2020.08.13
  • Accepted : 2020.09.03
  • Published : 2020.09.29

Abstract

In this paper, we propose a quantitative evaluation method that enables direct security comparison between security container runtimes. Security container runtime technologies have been developed to address security issues such as container escape, which arises because containers share the host kernel. However, most of the literature analyses the security of container technologies only with coarse metrics such as the number of available system calls, which makes it difficult to compare the security of container runtimes quantitatively. The proposed model instead combines the degree to which host system calls are exposed with various external vulnerability metrics. Using the proposed technique, we measure and compare the security of runC (the default Docker runtime) and two representative security container runtimes, gVisor and Kata container.
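The abstract's central point is that a raw count of reachable system calls is too coarse a metric and that exposure should be weighted by external vulnerability evidence. The following Python is an added illustration of that kind of metric; it is not the paper's model, its weighting formula, or its measurements. The seccomp profiles, the per-syscall CVSS-style scores, the weighting rule (worst known base score divided by 10, with a small floor for syscalls that have no recorded CVE) and the syscall universe are all constructed for this example. It shows why a runtime that allows fewer host syscalls can still score worse once the weights are applied, and it handles both filter styles a seccomp profile can take (default-deny with an allow list, and default-allow with a deny list).

```python
"""Weighted host-syscall exposure: an added illustration of the kind of metric
the abstract describes, not the paper's own model or data.

Each host syscall a runtime's seccomp filter leaves reachable is weighted by a
constructed CVSS-style score. The weighting rule (max base score / 10, with a
floor) and every profile and score below are assumptions made for this example.
"""
import json
from typing import Dict, List, Set

# Constructed universe of host syscalls the toy profiles are judged against.
ALL_SYSCALLS: List[str] = [
    "read", "write", "open", "close", "mmap", "mprotect", "ioctl", "socket",
    "connect", "clone", "execve", "futex", "ptrace", "keyctl", "bpf", "userfaultfd",
]

# Constructed per-syscall vulnerability evidence: CVSS v2 base scores of
# hypothetical kernel bugs reachable through that entry point (placeholder
# numbers, not real CVEs).
CVSS_BY_SYSCALL: Dict[str, List[float]] = {
    "mmap": [4.9], "ioctl": [4.6, 6.9], "clone": [6.9], "ptrace": [7.2, 7.8],
    "keyctl": [7.2], "bpf": [7.8], "userfaultfd": [7.0],
}
BASELINE_WEIGHT = 0.1  # a reachable syscall is some exposure even with no known CVE

# Toy profiles in the Docker/OCI seccomp JSON shape (constructed, heavily truncated).
# Allow list: default deny, 13 syscalls allowed, the classic high-risk ones omitted.
PROFILE_ALLOWLIST = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": [s for s in ALL_SYSCALLS if s not in ("ptrace", "keyctl", "bpf")],
                  "action": "SCMP_ACT_ALLOW"}],
})
# Deny list: default allow with three syscalls blocked; reaches the same set as above.
PROFILE_DENYLIST = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [{"names": ["ptrace", "keyctl", "bpf"], "action": "SCMP_ACT_ERRNO"}],
})
# Narrow: only 8 syscalls reachable, but the dangerous ones are among them.
PROFILE_NARROW = json.dumps({
    "defaultAction": "SCMP_ACT_KILL",
    "syscalls": [{"names": ["read", "write", "mmap", "ioctl", "ptrace", "keyctl",
                            "bpf", "userfaultfd"],
                  "action": "SCMP_ACT_ALLOW"}],
})


def reachable_syscalls(profile_json: str, universe: List[str] = ALL_SYSCALLS) -> Set[str]:
    """Return the host syscalls the filter lets through.

    With a denying defaultAction the explicit SCMP_ACT_ALLOW rules define the
    exposure; with SCMP_ACT_ALLOW as default, everything in the universe is
    exposed except the names an explicit blocking rule removes.
    """
    profile = json.loads(profile_json)
    default_allow = profile.get("defaultAction") == "SCMP_ACT_ALLOW"
    exposed: Set[str] = set(universe) if default_allow else set()
    for rule in profile.get("syscalls", []):
        names = set(rule.get("names", []))
        if rule.get("action") == "SCMP_ACT_ALLOW":
            exposed |= names & set(universe)
        else:  # SCMP_ACT_ERRNO, SCMP_ACT_KILL, ... all block the call
            exposed -= names
    return exposed


def syscall_weight(name: str, cvss: Dict[str, List[float]] = CVSS_BY_SYSCALL) -> float:
    """Weight one syscall: worst known CVSS base score scaled to [0, 1], or the floor."""
    scores = cvss.get(name)
    return max(scores) / 10.0 if scores else BASELINE_WEIGHT


def exposure_score(profile_json: str) -> Dict[str, float]:
    """Raw syscall count next to the weighted exposure for one seccomp profile."""
    exposed = reachable_syscalls(profile_json)
    weighted = sum(syscall_weight(s) for s in exposed)
    worst_case = sum(syscall_weight(s) for s in ALL_SYSCALLS)  # every syscall reachable
    return {"count": len(exposed), "weighted": round(weighted, 2),
            "relative": round(weighted / worst_case, 3)}


def compare_runtimes(profiles: Dict[str, str]) -> Dict[str, Dict[str, float]]:
    """Score several runtimes' host-side filters so they can be ranked side by side."""
    return {name: exposure_score(p) for name, p in profiles.items()}


if __name__ == "__main__":
    results = compare_runtimes({"allowlist": PROFILE_ALLOWLIST,
                                "denylist": PROFILE_DENYLIST,
                                "narrow": PROFILE_NARROW})
    for name, score in results.items():
        print(f"{name:10s} count={score['count']:2d} "
              f"weighted={score['weighted']:.2f} relative={score['relative']:.3f}")
```

With these constructed inputs the narrow profile reaches 8 syscalls against the allow list's 13, yet its weighted exposure is higher (4.36 versus 3.47) because it leaves ptrace, keyctl, bpf and userfaultfd reachable; the allow-list and deny-list profiles score identically because they expose the same set. For a sandboxed runtime such as gVisor the filter to feed in is the one applied to the sandbox process itself, since that is what bounds the host kernel surface, not the filter seen by the workload inside the sandbox.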

  22. GVisor Seccomp Rule, https://github.com/google/gvisor/blob/master/runsc/boot/filter/config.go
  23. A. Randazzo, I. Tinnirello, Kata Containers: An Emerging Architecture for Enabling MEC Services in Fast and Secure Way, In Proceedings of the 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS 2019), pp. 209-214, Granada, Spain, October 2019, DOI: 10.1109/IOTSMS48152.2019.8939164