Computer Science ›› 2024, Vol. 51 ›› Issue (6): 399-408. doi: 10.11896/jsjkx.230200099

• Information Security •

N-variant Architecture for Container Runtime Security Threats

LIU Daoqing (1), HU Hongchao (1, 2), HUO Shumin (1, 2)

  (1) Institute of Information Technology, University of Information Engineering, Zhengzhou 450000, China
  (2) Purple Mountain Laboratories, Nanjing 210000, China
  • Received: 2023-02-15  Revised: 2023-06-14  Online: 2024-06-15  Published: 2024-06-05
  • About author: LIU Daoqing, born in 1996, postgraduate. His main research interests include container cloud and active defense.
    HU Hongchao, born in 1982, professor. His main research interests include cloud computing and network security.
  • Supported by: National Natural Science Foundation of China (62072467, 62002383) and National Key Research and Development Program of China (2021YFB1006200, 2021YFB1006201).

Abstract: Container technology, being lightweight and scalable, has driven the development of cloud computing, but security threats to the container runtime are increasingly serious. Existing intrusion detection and access control techniques cannot effectively counter attacks that abuse the container runtime to achieve container escape. This paper first proposes an N-variant architecture for container runtime security threats that applies the redundancy and diversity methods of N-variant systems. Second, that redundancy and diversity is combined with a voting algorithm based on historical information, which improves the accuracy of the vote. In addition, the quality of service of container applications is optimized through two-stage voting and scheduling strategies. Finally, a prototype system is built. Test results show that the performance overhead of the prototype is within an acceptable range and that the attack surface of the system is reduced to a certain extent, thereby enhancing the security of container applications.
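The abstract describes majority voting over N diversified container variants, weighted by each variant's history, plus a scheduler that replaces variants the vote no longer trusts. The Python sketch below is an added illustration of that idea and is not the paper's own algorithm or code. Everything specific in it is assumed: an exponentially decayed agreement rate stands in for the "historical information", the two stages are a plain majority followed by credibility as the tie-breaker, the quarantine threshold and decay factor are arbitrary constants, and the scheduler simply draws from a spare pool of differently-built images. The variant names and responses are constructed.

```python
"""History-weighted voting over N container variants (added illustration, not the paper's algorithm).

Assumed model: every request is sent to N diversified variants (different base
image, ISA, or build), their responses are compared, and a variant that keeps
disagreeing with the majority is treated as suspect and replaced by the scheduler.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class VariantState:
    name: str
    credibility: float = 1.0   # decayed historical agreement rate (assumed metric)
    quarantined: bool = False


class NVariantVoter:
    def __init__(self, variants, decay=0.8, quarantine_below=0.3):
        self.state = {v: VariantState(v) for v in variants}
        self.decay = decay                        # weight of past agreement (assumed constant)
        self.quarantine_below = quarantine_below  # credibility floor (assumed constant)

    def active(self):
        """Variants still allowed to vote."""
        return [v for v, s in self.state.items() if not s.quarantined]

    def vote(self, responses):
        """Two-stage vote over {variant: response}.

        Stage 1: plain majority among active variants.
        Stage 2: ties are broken by the summed credibility behind each response.
        Returns (winning response, list of dissenting variants) and updates history.
        """
        counts = Counter()
        weight = defaultdict(float)
        for name, resp in responses.items():
            st = self.state.get(name)
            if st is None or st.quarantined:
                continue  # unknown or quarantined variants do not vote
            counts[resp] += 1
            weight[resp] += st.credibility
        if not counts:
            raise ValueError("no active variant responded")
        top = max(counts.values())
        candidates = [r for r, c in counts.items() if c == top]
        winner = candidates[0] if len(candidates) == 1 else max(candidates, key=lambda r: weight[r])

        dissenters = []
        for name, resp in responses.items():
            st = self.state.get(name)
            if st is None or st.quarantined:
                continue
            agreed = 1.0 if resp == winner else 0.0
            st.credibility = self.decay * st.credibility + (1.0 - self.decay) * agreed
            if not agreed:
                dissenters.append(name)
                if st.credibility < self.quarantine_below:
                    st.quarantined = True  # persistent divergence: treat the variant as compromised
        return winner, dissenters

    def schedule_replacements(self, spare_pool):
        """Swap quarantined variants for fresh ones from a pool of differently-built images.

        Assumed scheduler policy: take spares in order; returns the names brought in.
        """
        brought_in = []
        for name in [n for n, s in self.state.items() if s.quarantined]:
            if not spare_pool:
                break
            fresh = spare_pool.pop(0)
            del self.state[name]
            self.state[fresh] = VariantState(fresh)
            brought_in.append(fresh)
        return brought_in


if __name__ == "__main__":
    # Constructed scenario: three variants; one starts returning a different
    # response, as a variant whose runtime has been tampered with might.
    voter = NVariantVoter(["x86-alpine", "arm64-debian", "x86-ubuntu"])
    print(voter.vote({"x86-alpine": b"200", "arm64-debian": b"200", "x86-ubuntu": b"200"}))
    for _ in range(6):
        result = voter.vote({"x86-alpine": b"200", "arm64-debian": b"200", "x86-ubuntu": b"500"})
    print(result, voter.active())
    print(voter.schedule_replacements(["arm64-alpine"]), voter.active())
```

With decay 0.8 and floor 0.3, a variant is quarantined after six consecutive disagreements; tuning those two constants trades detection latency against false quarantines, which is exactly the accuracy-versus-service-quality balance the abstract attributes to history-based voting and scheduling. The sketch votes on whole responses; a real deployment would need to canonicalise legitimately variable fields (timestamps, session identifiers) before comparison, or honest variants will dissent from each other.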

Key words: Container security, Cloud computing, N-variant, Container runtime, Scheduling

CLC Number: TP393.08