CRII: SaTC: Securing Containers in Multi-Tenant Environment via Augmenting Linux Control Groups

CRII：SaTC：通过增强 Linux 控制组保护多租户环境中的容器

• 批准号: 2054657
• 负责人: Xing Gao
• 金额: $ 15.21万
• 依托单位: University of Delaware
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-08-16 至 2024-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2054657&HistoricalAwards=false
• 关键词: CRII; SaTC; Securing; Containers; Multi

Container technology provides a lightweight operating system level virtual hosting environment. It has been broadly adopted in various computation scenarios, including edge computing, serverless computing, and commercial clouds. Containers depend on multiple building blocks in the Linux kernel for resource isolation and control. Particularly, Linux Control Groups (i.e., cgroups) are leveraged to apply resource limits and account for resource usage for containers. However, those features in the Linux kernel may not provide the same level of security guarantees as conventional virtual machines. For example, breaking the resource control of cgroups would not only cause unfair resource sharing among multiple container instances, but also significantly reduce containers’ performance. This project intends to secure containers by systematically investigating security implications in cgroups and developing new defending systems to mitigate potential security threats in multi-tenant container environments. The research is expected to identify and address new security challenges in containers, and thus benefit both container service providers and customers. Educational and outreach activities include curriculum development in systems programming and cloud security, and research experience opportunities for women and minority students as well as for high school students. The project would systematically explore methods to break the resource rein of the existing cgroups mechanism, and comprehensively understand the security impacts on Linux containers. It develops a set of exploiting strategies to generate out-of-band workloads to escape cgroups. Novel kernel code analysis techniques are developed that use a combination of data flow, control flow and program dependency graphs to automatically uncover feasible exploitation cases available inside unprivileged containers with a set of cgroup resource controllers enabled. All potential exploits are quantitatively evaluated on multiple testbeds in realistic container environments under various attack scenarios. Specifically, a variety of real-world workloads are evaluated to understand the impact and severity of vulnerabilities. With better knowledge of the inadequacies in existing cgroup mechanism and related exploitations, the project develops lightweight defense mechanisms to secure containers and mitigate potential security threats. The proposed system is evaluated in terms of multiple aspects including performance and security.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

容器技术提供了轻巧的操作系统级别虚拟托管环境。它已在各种计算方案中广泛采用，包括边缘计算，无服务器计算和商业云。容器依赖于Linux内核中的多个构建块进行资源隔离和控制。特别是，利用Linux对照组（即Cgroups）来应用资源限制并说明容器的资源使用情况。但是，Linux内核中的这些功能可能无法提供与常规虚拟机相同的安全保证。例如，打破CGROUP的资源控制不仅会导致多个容器实例之间的不公平资源共享，而且会大大降低容器的性能。该项目打算通过系统地研究CGROUP中的安全含义并开发新的防御系统来减轻多租户容器环境中潜在的安全威胁，以确保容器。预计该研究将确定和应对容器中的新安全挑战，从而使集装箱服务提供商和客户受益。教育和外展活动包括系统编程和云安全方面的课程开发，以及为妇女和少数民族学生以及高中生的研究机会。该项目将系统地探索打破现有CGroup机制资源的方法，并全面了解对Linux容器的安全影响。它开发了一组利用策略，以产生带外工作负载以逃避CGroups。开发了新颖的内核代码分析技术，该技术使用数据流，控制流和程序依赖图组合来自动发现无私人容器内可用可行的利用案例，并启用了一组Cgroup Resource Controlers。在各种攻击方案下，在逼真的容器环境中的多个测试床上进行定量评估所有潜在的利用。具体而言，评估各种现实的工作负载，以了解漏洞的影响和严重性。在更好地了解现有的CGroup机制和相关剥削中的不足之处，该项目开发了轻巧的防御机制，以确保容器并减轻潜在的安全威胁。该奖项反映了NSF的法定任务，并通过基金会的知识分子优点和更广泛的影响标准评估，对拟议的系统进行了评估。该奖项反映了NSF的法定任务。

项目成果

Red Alert for Power Leakage: Exploiting Intel RAPL-Induced Side Channels

漏电红色警报：利用 Intel RAPL 引发的侧通道

• DOI: 10.1145/3433210.3437517
• 发表时间: 2021
• 期刊: ACM Asia Conference on Computer and Communication Security (Asia CSS ’21
• 作者: Zhang, Zhenkai;Liang, Sisheng;Yao, Fan;Gao, Xing
• 通讯作者: Gao, Xing

Torpedo: A Fuzzing Framework for Discovering Adversarial Container Workloads

• DOI: 10.1109/dsn53405.2022.00048
• 发表时间: 2022-06
• 期刊: 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Kenton McDonough;Xing Gao;Shuai Wang;Haining Wang

An Investigation of Identity-Account Inconsistency in Single Sign-On

• DOI: 10.1145/3442381.3450085
• 发表时间: 2021-04
• 期刊: Proceedings of the Web Conference 2021
• 作者: Guannan Liu;Xing Gao;Haining Wang

CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection

• DOI: 10.1109/dsn48987.2021.00047
• 发表时间: 2021-06
• 期刊: 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Joseph Connelly;Taylor Roberts;Xing Gao;Jidong Xiao;Haining Wang;A. Stavrou

Ready Raider One: Exploring the Misuse of Cloud Gaming Services

• DOI: 10.1145/3548606.3560647
• 发表时间: 2022-11
• 期刊: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Guannan Liu;Daiping Liu;Shuai Hao;Xing Gao;Kun Sun;Haining Wang