A Defense Method against Docker Escape Attack

Abstract

As one of the main technologies to support the virtualization of cloud computing, Docker has the characteristics of fast and lightweight virtualization on operating system-level,and is widely used in a variety of cloud platforms. Docker is faced with the risk of attacks that exploit kernel vulnerability by malicious users, once the exploit program in the container launches an effective escape attack can gain root privilege of the host, which will affect the reliability of other containers and the entire system. This paper discusses the existing security mechanism and security issues of Docker, summarize the methods and characteristics of Docker escape attack. And propose a defense method based on status inspection of namespaces, which is proved to be able to detect anomalous processes and prevent escape behaviors.