A Taxonomy of container security on computational clouds: concerns and solutions

Guilherme Panizzon, Joao Henrique Faes Battisti, Guilherme Piegas Koslovski, Maurício Aronne Pillon, Charles Christian Miers

Abstract

Virtualization in cloud computing has been used in combination with Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) environments in order to provide performance, isolation, and scalability. However, containers and virtual machines (VMs) are susceptible to vulnerabilities present in the operating system core as well as in the container solutions themselves, which pose a risk to the information and service operation of all entities sharing the same host. Security recommendation guides aim to mitigate the risks in this scenario, but selecting containerization solutions that take security requirements into account is a complex task. Thus, we propose a container-focused security taxonomy for cloud computing to assist in the classification and evaluation of container security mechanisms and solutions.



Keywords

Cloud computing; Container; Security; Taxonomy

DOI: https://doi.org/10.22456/2175-2745.86196

Copyright (c) 2019 Guilherme Panizzon, Joao Henrique Faes Battisti, Guilherme Piegas Koslovski, Mauricio Aronne Pillon, Charles Christian Miers

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.