Condo: Enhancing Container Isolation Through Kernel Permission Data Protection

Container technology is widely adopted due to its features such as light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and the kernel permission data (usually non-control flow data) used by these mechanisms. None of the existing mitigation schemes for non-control flow data attacks provide an effective and practical solution to container security since they either trigger too much overhead, have limited effectiveness over attacks launched in specific ways, or can only be used to protect some specific kernel data. In addition, none of them accurately identify the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited by attack methods or data types. We then demystify the models of various kernel access control mechanisms in the container environment, and identify the subject and object permission data that are critical to container isolation. Finally, we provide a solution named Condo to enhance container isolation, which is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce the compromises of container isolation due to memory corruption attacks with an acceptable overhead.

Full description

Bibliographic details
Published in: IEEE transactions on information forensics and security 2024, Vol.19, p.6168-6183
Main authors: Xu, Shouyin, Wang, Yuewu, Lei, Lingguang, Sun, Kun, Jing, Jiwu, Ma, Siyuan, Wang, Jie, Huang, Heqing
Format: Article
Language: eng
Subjects:
Online access: Order full text
container_end_page 6183
container_issue
container_start_page 6168
container_title IEEE transactions on information forensics and security
container_volume 19
creator Xu, Shouyin
Wang, Yuewu
Lei, Lingguang
Sun, Kun
Jing, Jiwu
Ma, Siyuan
Wang, Jie
Huang, Heqing
description Container technology is widely adopted due to its features such as light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and the kernel permission data (usually non-control flow data) used by these mechanisms. None of the existing mitigation schemes for non-control flow data attacks provide an effective and practical solution to container security since they either trigger too much overhead, have limited effectiveness over attacks launched in specific ways, or can only be used to protect some specific kernel data. In addition, none of them accurately identify the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited by attack methods or data types. We then demystify the models of various kernel access control mechanisms in the container environment, and identify the subject and object permission data that are critical to container isolation. Finally, we provide a solution named Condo to enhance container isolation, which is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce the compromises of container isolation due to memory corruption attacks with an acceptable overhead.
doi_str_mv 10.1109/TIFS.2024.3411915
format Article
fullrecord <record><control><sourceid>proquest_RIE</sourceid><recordid>TN_cdi_proquest_journals_3069614865</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>10552298</ieee_id><sourcerecordid>3069614865</sourcerecordid><originalsourceid>FETCH-LOGICAL-c246t-27e1b9ee62d8ce312cd0e0a84cc3d622ebf6bef5d723aae1df41b8917c10026a3</originalsourceid><addsrcrecordid>eNpNkFFLwzAQx4MoOKcfQPAh4HNnLkmz1jeZmw6HDpzPIU2vW8eWzKR98NvbsiE-3XH3-9_Bj5BbYCMAlj-s5rPPEWdcjoQEyCE9IwNIU5UoxuH8rwdxSa5i3DImJahsQN4n3pX-kU7dxjhbuzXtBo2pHQY6j35nmto7utoE36439A2Dwx1dYtjXMfabZ9MYugy-QduT1-SiMruIN6c6JF-z6Wrymiw-XuaTp0ViuVRNwscIRY6oeJlZFMBtyZCZTForSsU5FpUqsErLMRfGIJSVhCLLYWyBMa6MGJL7491D8N8txkZvfRtc91ILpnIFMlNpR8GRssHHGLDSh1DvTfjRwHSvTffadK9Nn7R1mbtjpkbEf3yacp5n4hf9h2mp</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>3069614865</pqid></control><display><type>article</type><title>Condo: Enhancing Container Isolation Through Kernel Permission Data Protection</title><source>IEEE Electronic Library (IEL)</source><creator>Xu, Shouyin ; Wang, Yuewu ; Lei, Lingguang ; Sun, Kun ; Jing, Jiwu ; Ma, Siyuan ; Wang, Jie ; Huang, Heqing</creator><creatorcontrib>Xu, Shouyin ; Wang, Yuewu ; Lei, Lingguang ; Sun, Kun ; Jing, Jiwu ; Ma, Siyuan ; Wang, Jie ; Huang, Heqing</creatorcontrib><description>Container technology is widely adopted due to its features such as light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and the kernel permission data (usually non-control flow data) used by these mechanisms. None of the existing mitigation schemes for non-control flow data attacks provide an effective and practical solution to container security since they either trigger too much overhead, have limited effectiveness over attacks launched in specific ways, or can only be used to protect some specific kernel data. 
In addition, none of them accurately identify the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited by attack methods or data types. We then demystify the models of various kernel access control mechanisms in the container environment, and identify the subject and object permission data that are critical to container isolation. Finally, we provide a solution named Condo to enhance container isolation, which is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce the compromises of container isolation due to memory corruption attacks with an acceptable overhead.</description><identifier>ISSN: 1556-6013</identifier><identifier>EISSN: 1556-6021</identifier><identifier>DOI: 10.1109/TIFS.2024.3411915</identifier><identifier>CODEN: ITIFA6</identifier><language>eng</language><publisher>New York: IEEE</publisher><subject>Access control ; Codes ; Container ; Containers ; data integrity ; isolation ; Kernel ; Linux ; Security ; trusted execution environment ; Virtualization</subject><ispartof>IEEE transactions on information forensics and security, 2024, Vol.19, p.6168-6183</ispartof><rights>Copyright The Institute of Electrical and Electronics Engineers, Inc. 
(IEEE) 2024</rights><lds50>peer_reviewed</lds50><woscitedreferencessubscribed>false</woscitedreferencessubscribed><cites>FETCH-LOGICAL-c246t-27e1b9ee62d8ce312cd0e0a84cc3d622ebf6bef5d723aae1df41b8917c10026a3</cites><orcidid>0000-0002-3409-6149 ; 0009-0006-7095-600X ; 0000-0002-0841-1045 ; 0000-0003-4152-2107 ; 0000-0002-1936-0562 ; 0009-0003-5170-1253</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/10552298$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>314,776,780,792,4009,27902,27903,27904,54736</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/10552298$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Xu, Shouyin</creatorcontrib><creatorcontrib>Wang, Yuewu</creatorcontrib><creatorcontrib>Lei, Lingguang</creatorcontrib><creatorcontrib>Sun, Kun</creatorcontrib><creatorcontrib>Jing, Jiwu</creatorcontrib><creatorcontrib>Ma, Siyuan</creatorcontrib><creatorcontrib>Wang, Jie</creatorcontrib><creatorcontrib>Huang, Heqing</creatorcontrib><title>Condo: Enhancing Container Isolation Through Kernel Permission Data Protection</title><title>IEEE transactions on information forensics and security</title><addtitle>TIFS</addtitle><description>Container technology is widely adopted due to its features such as light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and the kernel permission data (usually non-control flow data) used by these mechanisms. None of the existing mitigation schemes for non-control flow data attacks provide an effective and practical solution to container security since they either trigger too much overhead, have limited effectiveness over attacks launched in specific ways, or can only be used to protect some specific kernel data. 
In addition, none of them accurately identify the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited by attack methods or data types. We then demystify the models of various kernel access control mechanisms in the container environment, and identify the subject and object permission data that are critical to container isolation. Finally, we provide a solution named Condo to enhance container isolation, which is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce the compromises of container isolation due to memory corruption attacks with an acceptable overhead.</description><subject>Access control</subject><subject>Codes</subject><subject>Container</subject><subject>Containers</subject><subject>data integrity</subject><subject>isolation</subject><subject>Kernel</subject><subject>Linux</subject><subject>Security</subject><subject>trusted execution 
environment</subject><subject>Virtualization</subject><issn>1556-6013</issn><issn>1556-6021</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2024</creationdate><recordtype>article</recordtype><sourceid>RIE</sourceid><recordid>eNpNkFFLwzAQx4MoOKcfQPAh4HNnLkmz1jeZmw6HDpzPIU2vW8eWzKR98NvbsiE-3XH3-9_Bj5BbYCMAlj-s5rPPEWdcjoQEyCE9IwNIU5UoxuH8rwdxSa5i3DImJahsQN4n3pX-kU7dxjhbuzXtBo2pHQY6j35nmto7utoE36439A2Dwx1dYtjXMfabZ9MYugy-QduT1-SiMruIN6c6JF-z6Wrymiw-XuaTp0ViuVRNwscIRY6oeJlZFMBtyZCZTForSsU5FpUqsErLMRfGIJSVhCLLYWyBMa6MGJL7491D8N8txkZvfRtc91ILpnIFMlNpR8GRssHHGLDSh1DvTfjRwHSvTffadK9Nn7R1mbtjpkbEf3yacp5n4hf9h2mp</recordid><startdate>2024</startdate><enddate>2024</enddate><creator>Xu, Shouyin</creator><creator>Wang, Yuewu</creator><creator>Lei, Lingguang</creator><creator>Sun, Kun</creator><creator>Jing, Jiwu</creator><creator>Ma, Siyuan</creator><creator>Wang, Jie</creator><creator>Huang, Heqing</creator><general>IEEE</general><general>The Institute of Electrical and Electronics Engineers, Inc. 
(IEEE)</general><scope>97E</scope><scope>RIA</scope><scope>RIE</scope><scope>AAYXX</scope><scope>CITATION</scope><scope>7SC</scope><scope>7SP</scope><scope>7TB</scope><scope>8FD</scope><scope>FR3</scope><scope>JQ2</scope><scope>KR7</scope><scope>L7M</scope><scope>L~C</scope><scope>L~D</scope><orcidid>https://orcid.org/0000-0002-3409-6149</orcidid><orcidid>https://orcid.org/0009-0006-7095-600X</orcidid><orcidid>https://orcid.org/0000-0002-0841-1045</orcidid><orcidid>https://orcid.org/0000-0003-4152-2107</orcidid><orcidid>https://orcid.org/0000-0002-1936-0562</orcidid><orcidid>https://orcid.org/0009-0003-5170-1253</orcidid></search><sort><creationdate>2024</creationdate><title>Condo: Enhancing Container Isolation Through Kernel Permission Data Protection</title><author>Xu, Shouyin ; Wang, Yuewu ; Lei, Lingguang ; Sun, Kun ; Jing, Jiwu ; Ma, Siyuan ; Wang, Jie ; Huang, Heqing</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c246t-27e1b9ee62d8ce312cd0e0a84cc3d622ebf6bef5d723aae1df41b8917c10026a3</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2024</creationdate><topic>Access control</topic><topic>Codes</topic><topic>Container</topic><topic>Containers</topic><topic>data integrity</topic><topic>isolation</topic><topic>Kernel</topic><topic>Linux</topic><topic>Security</topic><topic>trusted execution environment</topic><topic>Virtualization</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Xu, Shouyin</creatorcontrib><creatorcontrib>Wang, Yuewu</creatorcontrib><creatorcontrib>Lei, Lingguang</creatorcontrib><creatorcontrib>Sun, Kun</creatorcontrib><creatorcontrib>Jing, Jiwu</creatorcontrib><creatorcontrib>Ma, Siyuan</creatorcontrib><creatorcontrib>Wang, Jie</creatorcontrib><creatorcontrib>Huang, Heqing</creatorcontrib><collection>IEEE All-Society Periodicals Package (ASPP) 2005-present</collection><collection>IEEE All-Society Periodicals 
Package (ASPP) 1998-Present</collection><collection>IEEE Electronic Library (IEL)</collection><collection>CrossRef</collection><collection>Computer and Information Systems Abstracts</collection><collection>Electronics &amp; Communications Abstracts</collection><collection>Mechanical &amp; Transportation Engineering Abstracts</collection><collection>Technology Research Database</collection><collection>Engineering Research Database</collection><collection>ProQuest Computer Science Collection</collection><collection>Civil Engineering Abstracts</collection><collection>Advanced Technologies Database with Aerospace</collection><collection>Computer and Information Systems Abstracts – Academic</collection><collection>Computer and Information Systems Abstracts Professional</collection><jtitle>IEEE transactions on information forensics and security</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Xu, Shouyin</au><au>Wang, Yuewu</au><au>Lei, Lingguang</au><au>Sun, Kun</au><au>Jing, Jiwu</au><au>Ma, Siyuan</au><au>Wang, Jie</au><au>Huang, Heqing</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Condo: Enhancing Container Isolation Through Kernel Permission Data Protection</atitle><jtitle>IEEE transactions on information forensics and security</jtitle><stitle>TIFS</stitle><date>2024</date><risdate>2024</risdate><volume>19</volume><spage>6168</spage><epage>6183</epage><pages>6168-6183</pages><issn>1556-6013</issn><eissn>1556-6021</eissn><coden>ITIFA6</coden><abstract>Container technology is widely adopted due to its features such as light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and the kernel permission data (usually non-control flow data) used by these mechanisms. 
None of the existing mitigation schemes for non-control flow data attacks provide an effective and practical solution to container security since they either trigger too much overhead, have limited effectiveness over attacks launched in specific ways, or can only be used to protect some specific kernel data. In addition, none of them accurately identify the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited by attack methods or data types. We then demystify the models of various kernel access control mechanisms in the container environment, and identify the subject and object permission data that are critical to container isolation. Finally, we provide a solution named Condo to enhance container isolation, which is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce the compromises of container isolation due to memory corruption attacks with an acceptable overhead.</abstract><cop>New York</cop><pub>IEEE</pub><doi>10.1109/TIFS.2024.3411915</doi><tpages>16</tpages><orcidid>https://orcid.org/0000-0002-3409-6149</orcidid><orcidid>https://orcid.org/0009-0006-7095-600X</orcidid><orcidid>https://orcid.org/0000-0002-0841-1045</orcidid><orcidid>https://orcid.org/0000-0003-4152-2107</orcidid><orcidid>https://orcid.org/0000-0002-1936-0562</orcidid><orcidid>https://orcid.org/0009-0003-5170-1253</orcidid></addata></record>
fulltext fulltext_linktorsrc
identifier ISSN: 1556-6013
ispartof IEEE transactions on information forensics and security, 2024, Vol.19, p.6168-6183
issn 1556-6013
1556-6021
language eng
recordid cdi_proquest_journals_3069614865
source IEEE Electronic Library (IEL)
subjects Access control
Codes
Container
Containers
data integrity
isolation
Kernel
Linux
Security
trusted execution environment
Virtualization
title Condo: Enhancing Container Isolation Through Kernel Permission Data Protection
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-26T04%3A37%3A52IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Condo:%20Enhancing%20Container%20Isolation%20Through%20Kernel%20Permission%20Data%20Protection&rft.jtitle=IEEE%20transactions%20on%20information%20forensics%20and%20security&rft.au=Xu,%20Shouyin&rft.date=2024&rft.volume=19&rft.spage=6168&rft.epage=6183&rft.pages=6168-6183&rft.issn=1556-6013&rft.eissn=1556-6021&rft.coden=ITIFA6&rft_id=info:doi/10.1109/TIFS.2024.3411915&rft_dat=%3Cproquest_RIE%3E3069614865%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3069614865&rft_id=info:pmid/&rft_ieee_id=10552298&rfr_iscdi=true