Co-residency Attacks on Containers are Real

Shringarputale, Sushrut; McDaniel, Patrick; Butler, Kevin; Porta, Thomas La

doi:10.1145/3411495.3421357

Cited by 12 publications

(5 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [157], authors confirm that containers placed in VMs are susceptible to co-residency attacks. The co-residency detection can tolerate background noise with a 70% success rate, as long as it does not surpass the hardware capacity.…”

Section: ) Securitymentioning

confidence: 87%

VNF and CNF Placement in 5G: Recent Advances and Future Trends

Attaoui¹,

Sabir

Elbiaze

et al. 2023

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

With the growing demand for openness, scalability, and granularity, mobile network function virtualization (NFV) has emerged as a key enabler for the most of mobile network operators. NFV decouples network functions from hardware devices. This decoupling allows network services, called Virtualized Network Functions (VNFs), to be hosted on commodity hardware which simplifies and enhances service deployment and management for providers, improves flexibility, and leads to efficient and scalable resource usage, and lower costs. The proper placement of VNFs in the hosting infrastructures is one of the main technical challenges. This placement significantly influences the network's performance, reliability, and operating costs. The VNF placement is NP-Hard. Therefore, there is a need for placement methods that can cope with the complexity of the problem and find appropriate solutions in a reasonable duration. The primary purpose of this study is to provide a taxonomy of optimization techniques used to tackle the VNF placement problems. We classify the studied papers based on performance metrics, methods, algorithms, and environment. Virtualization is not limited to simply replacing physical machines with virtual machines or VNFs, but may also include microservices, containers, and cloud-native systems. In this context, the second part of our article focuses on the placement of Containers Network Functions (CNFs) in edge/fog computing. Many issues have been considered as traffic congestion, resource utilization, energy consumption, performance degradation, etc. For each matter, various solutions are proposed through different surveys and research papers in which each one addresses the placement problem in a specific manner by suggesting single objective or multi-objective methods based on different types of algorithms such as heuristic, meta-heuristic, and machine learning algorithms.

show abstract

Section: ) Securitymentioning

confidence: 87%

VNF and CNF Placement in 5G: Recent Advances and Future Trends

Attaoui¹,

Sabir

Elbiaze

et al. 2023

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…Bonus attack speed boosts attack speed while lowering attack cooldown in a 1:1 ratio. Because they scale inversible, the new attack speed will be X% faster than the base attack speed, and the base attack cooldown will be X% longer than the new attack cooldown [18].…”

Section: Delay Attackmentioning

confidence: 99%

Effect Man-In the Middle on the Network Performance in Various Attack Strategies

Alodat¹

2021

IJNSA

View full text Add to dashboard Cite

In this paper, we examined the effect on network performance of the various strategies an attacker could adopt to launch Man-In The Middle (MITM) attacks on the wireless network, such as fleet or random strategies. In particular, we're focusing on some of those goals for MITM attackers - message delay, message dropping. According to simulation data, these attacks have a significant effect on legitimate nodes in the network, causing vast amounts of infected packets, end-to-end delays, and significant packet loss.

show abstract

“…Co-Residency Detection for Containers [45] is a concept similar to host alias detection, which aims to detect whether two endpoints on two different containers are hosted by the same physical host. If virtualization is used, then the containers may run on two different virtual machines.…”

Section: Host Alias Resolution De-natting and Co-residency Detectionmentioning

confidence: 99%

“…A container co-residency detection technique is described in [45], but this attack is local, i.e. the attacker's container must co-reside with the target container.…”

Section: Container Co-residency Detection and Cross Container Informa...mentioning

confidence: 99%

Subverting Stateful Firewalls with Protocol States (Extended Version)

Klein¹

2021

Preprint

View full text Add to dashboard Cite

We analyzed the generation of protocol header fields in the implementations of multiple TCP/IP network stacks and found new ways to leak information about global protocol states. We then demonstrated new covert channels by remotely observing and modifying the system's global state via these protocol fields. Unlike earlier works, our research focuses on hosts that reside in firewalled networks (including source address validation -SAV), which is a very common scenario nowadays. Our attacks are designed to be non-disruptive -in the exfiltration scenario, this makes the attacks stealthier and thus extends their longevity, and in case of host alias resolution and similar techniques -this ensures the techniques are ethical. We focused on ICMP, which is commonly served by firewalls, and on UDP, which is forecasted to take a more prominent share of the Internet traffic with the advent of HTTP/3 and QUIC, though we report results for TCP as well.The information leakage scenarios we discovered enable the construction of practical covert channels which directly pierce firewalls, or indirectly establish communication via hosts in firewalled networks that also employ SAV. We describe and test three novel attacks in this context: exfiltration via the firewall itself, exfiltration via a DMZ host, and exfiltration via co-resident containers. These are three generic, new use cases for covert channels that work around * This is an extended version of a paper that will be published in NDSS 2022.firewalling and enable devices that are not allowed direct communication with the Internet, to still exfiltrate data out of the network. In other words, we exfiltrate data from isolated networks to the Internet. We also explain how to mount known attacks such as host alias resolution, de-NATting and container coresidence detection, using the new information leakage techniques.

show abstract

Co-residency Attacks on Containers are Real

Cited by 12 publications

References 21 publications

VNF and CNF Placement in 5G: Recent Advances and Future Trends

VNF and CNF Placement in 5G: Recent Advances and Future Trends

Effect Man-In the Middle on the Network Performance in Various Attack Strategies

Subverting Stateful Firewalls with Protocol States (Extended Version)

Contact Info

Product

Resources

About