CRII: SaTC: Securing Containers in Multi-Tenant Environment via Augmenting Linux Control Groups

CRII：SaTC：通过增强 Linux 控制组保护多租户环境中的容器

• 批准号: 2054657
• 负责人: Xing Gao
• 金额: $ 15.21万
• 依托单位: University of Delaware
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-08-16 至 2024-05-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2054657&HistoricalAwards=false
• 关键词: CRII; SaTC; Securing; Containers; Multi

Container technology provides a lightweight operating system level virtual hosting environment. It has been broadly adopted in various computation scenarios, including edge computing, serverless computing, and commercial clouds. Containers depend on multiple building blocks in the Linux kernel for resource isolation and control. Particularly, Linux Control Groups (i.e., cgroups) are leveraged to apply resource limits and account for resource usage for containers. However, those features in the Linux kernel may not provide the same level of security guarantees as conventional virtual machines. For example, breaking the resource control of cgroups would not only cause unfair resource sharing among multiple container instances, but also significantly reduce containers’ performance. This project intends to secure containers by systematically investigating security implications in cgroups and developing new defending systems to mitigate potential security threats in multi-tenant container environments. The research is expected to identify and address new security challenges in containers, and thus benefit both container service providers and customers. Educational and outreach activities include curriculum development in systems programming and cloud security, and research experience opportunities for women and minority students as well as for high school students. The project would systematically explore methods to break the resource rein of the existing cgroups mechanism, and comprehensively understand the security impacts on Linux containers. It develops a set of exploiting strategies to generate out-of-band workloads to escape cgroups. Novel kernel code analysis techniques are developed that use a combination of data flow, control flow and program dependency graphs to automatically uncover feasible exploitation cases available inside unprivileged containers with a set of cgroup resource controllers enabled. All potential exploits are quantitatively evaluated on multiple testbeds in realistic container environments under various attack scenarios. Specifically, a variety of real-world workloads are evaluated to understand the impact and severity of vulnerabilities. With better knowledge of the inadequacies in existing cgroup mechanism and related exploitations, the project develops lightweight defense mechanisms to secure containers and mitigate potential security threats. The proposed system is evaluated in terms of multiple aspects including performance and security.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

容器技术提供了轻量级的操作系统级虚拟托管环境，已广泛应用于各种计算，包括边缘计算、无服务器计算和商业云，尤其是容器依赖于Linux内核中的多个构建块来实现资源隔离和控制场景。 Linux 控制组（即 cgroup）用于应用资源限制并考虑容器的资源使用情况，但是，传统 Linux 内核中的这些功能可能无法提供与虚拟机相同级别的安全保证。 cgroup 的资源控制不仅会导致多个容器实例之间不公平的资源共享，还会显着降低容器的性能。该项目旨在通过最终调查 cgroup 中的安全影响并开发新的防御系统来减轻多容器中的潜在安全威胁，从而确保容器的安全。该研究预计将识别和解决容器中的新安全挑战，从而使容器服务提供商和客户受益。教育和推广活动包括系统编程和云安全方面的课程开发，以及为女性和少数族裔提供研究经验机会。学生以及高中生。将系统地探索打破现有 cgroups 机制的资源控制的方法，并全面了解对 Linux 容器的安全影响。它开发了一套利用策略来生成带外工作负载以逃避 cgroups。开发了使用数据流、控制流和程序依赖图的组合来自动发现非特权容器内可用的可行利用案例，并启用了一组 cgroup 资源控制器。所有潜在的利用都在现实容器环境中的多个测试平台上进行了定量评估。具体来说，通过评估各种现实世界的工作负载，以了解漏洞的影响和严重性，通过更好地了解现有 cgroup 机制和相关利用的不足，该项目开发了轻量级防御机制来保护容器并减轻潜在的威胁。所提议的系统从性能和安全性等多个方面进行评估。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Red Alert for Power Leakage: Exploiting Intel RAPL-Induced Side Channels

漏电红色警报：利用 Intel RAPL 引发的侧通道

• DOI: 10.1145/3433210.3437517
• 发表时间: 2021
• 期刊: ACM Asia Conference on Computer and Communication Security (Asia CSS ’21
• 作者: Zhang, Zhenkai;Liang, Sisheng;Yao, Fan;Gao, Xing
• 通讯作者: Gao, Xing

Torpedo: A Fuzzing Framework for Discovering Adversarial Container Workloads

• DOI: 10.1109/dsn53405.2022.00048
• 发表时间: 2022-06
• 期刊: 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Kenton McDonough;Xing Gao;Shuai Wang;Haining Wang

An Investigation of Identity-Account Inconsistency in Single Sign-On

• DOI: 10.1145/3442381.3450085
• 发表时间: 2021-04
• 期刊: Proceedings of the Web Conference 2021
• 作者: Guannan Liu;Xing Gao;Haining Wang

Time-Print: Authenticating USB Flash Drives with Novel Timing Fingerprints

• DOI: 10.1109/sp46214.2022.9833595
• 发表时间: 2022-05
• 期刊: 2022 IEEE Symposium on Security and Privacy (SP)
• 作者: P. Cronin;Xing Gao;Haining Wang;Chase Cotton

CloudSkulk: A Nested Virtual Machine Based Rootkit and Its Detection

• DOI: 10.1109/dsn48987.2021.00047
• 发表时间: 2021-06
• 期刊: 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
• 作者: Joseph Connelly;Taylor Roberts;Xing Gao;Jidong Xiao;Haining Wang;A. Stavrou