Integrity verification of Docker containers for a lightweight cloud environment

Benedictis, Marco De; Lioy, Antonio

doi:10.1016/j.future.2019.02.026

Cited by 56 publications

(44 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…DIVE [5] is a very recent approach allowing an orchestrator to check the integrity of a given container on a remote compute node. DIVE relies on a modified version of IMA [27] supporting containers and a remote attestation framework (OpenAttestation).…”

Section: Configuration-based Defensementioning

confidence: 99%

“…Because Pledge and Seccomp-BPF provide mechanisms for a process to confine itself while other frameworks confine a full environment, modifications have to be made directly in the source code of this software and thus are less suitable to protect closed-source software. Genericity and integration column (5) shows whether the framework has been designed in a generic way, is well integrated into production environments and is usable in real life scenarios. For instance, in its current version, Landlock actually requires administrator rights to work thus limiting its usability in production where containers run in usermode.…”

Section: Recap Chartmentioning

confidence: 99%

See 1 more Smart Citation

Leveraging Kernel Security Mechanisms to Improve Container Security

Bélair

Laniepce

Menaud

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Containerization is a lightweight virtualization technique reducing virtualization overhead and deployment latency compared to full VM; its popularity is quickly increasing. However, due to kernel sharing, containers provide less isolation than full VM. Thus, a compromised container may break out of its isolated context and gain root access to the host server. This is a huge concern, especially in multi-tenant cloud environments where we can find running on a single server containers serving very different purposes, such as banking microservices, compute nodes or honeypots. Thus, containers with specific security needs should be able to tune their own security level. Because OS-level defense approaches inherited from time-sharing OS generally requires administrator rights and aim to protect the entire system, they are not fully suitable to protect usermode containers. Research recently made several contributions to deliver enhanced security to containers from host OS level to (partially) solve these challenges. In this survey, we propose a new taxonomy on container defense at the infrastructure level with a particular focus on the virtualization boundary, where interactions between kernel and containers take place. We then classify the most promising defense frameworks into these categories. CCS CONCEPTS • Security and privacy → Virtualization and security; Access control; • Computer systems organization → Cloud computing; • General and reference → Surveys and overviews.

show abstract

Section: Configuration-based Defensementioning

confidence: 99%

Section: Recap Chartmentioning

confidence: 99%

Leveraging Kernel Security Mechanisms to Improve Container Security

Bélair

Laniepce

Menaud

2019

Proceedings of the 14th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…The main advantage of DIVE is its behaviour of detecting compromised container, so that it be stopped and replaced as early as possible without refreshing the whole system. It has also improved Remote Attestation efficiency and verified using OAT core tool [20]. In 2019, Yongfeng Yin et al proposed an experimentation platform architecture design to analyse the effectiveness of cyber security based on Docker.…”

Section: Literature Surveymentioning

confidence: 99%

Security Tools for Internet of Things: A Review

Singh¹,

Singh²

2020

IRJASH

View full text Add to dashboard Cite

In today's communications, the main challenging facet is Security of LTE systems in terms of various areas such as mutual authentication, key management, forward and backward secrecy, use of efficient security tools, etc. For proper key management, the generation and distribution of random keys is of main concern which can be done with the help of dynamic security tools. In this paper, main features of security tools like, Docker, Java Cryptography Architecture (JCA), Token-based authentication have been reviewed. Docker provides containerized environment based on application virtualization and also lighter than virtual machines. To define cryptographic concepts and algorithms, JCA cites design patterns and an extensible framework for Java platform. Token-based authentication method or system is used to provide secure user access to server using a token, like smart cards.

show abstract

“…A guest network is capable of data communication between virtual instances which are running on one host, multiple hosts, or across the different subnets [4][5][6]. The Docker [7] container platform is an open-source container management project launched by Docker Inc. This is a lightweight container technology that bundles and runs the service operating environment.…”

Section: Introductionmentioning

confidence: 99%

“…This is a lightweight container technology that bundles and runs the service operating environment. When configuring a cloud environment based on the Docker container, an orchestration software such as Kubernetes or Docker Swarm is needed to effectively manage and efficiently allocate the resources required for containers [8][9][10].…”

Section: Introductionmentioning

confidence: 99%

Performance analysis of container-based networking solutions for high-performance computing cloud

Lim¹,

Woo²,

Li³

2020

IJECE

View full text Add to dashboard Cite

Recently, cloud service providers have been gradually changing from virtual machine-based cloud infrastructures to container-based cloud-native infrastructures that consider performance and workload-management issues. Several data network performance issues for virtual instances have arisen, and various networking solutions have been newly developed or utilized. In this paper, we propose a solution suitable for a high-performance computing (HPC) cloud through a performance comparison analysis of container-based networking solutions. We constructed a supercomputer-based test-bed cluster to evaluate the serviceability by executing HPC jobs.

show abstract

Integrity verification of Docker containers for a lightweight cloud environment

Cited by 56 publications

References 6 publications

Leveraging Kernel Security Mechanisms to Improve Container Security

Leveraging Kernel Security Mechanisms to Improve Container Security

Security Tools for Internet of Things: A Review

Performance analysis of container-based networking solutions for high-performance computing cloud

Contact Info

Product

Resources

About