Security hardening solution for docker container

2022 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC) Pub Date : 2022-10-01 DOI:10.1109/cyberc55534.2022.00049

Nan Yang, Cen Chen, Tao Yuan, Yujie Wang, Xiao Gu, Dan Yang

{"title":"Security hardening solution for docker container","authors":"Nan Yang, Cen Chen, Tao Yuan, Yujie Wang, Xiao Gu, Dan Yang","doi":"10.1109/cyberc55534.2022.00049","DOIUrl":null,"url":null,"abstract":"Docker uses software isolation mechanism while sharing the operating system kernel with the host, which results in insufficient isolation between containers and hosts. Attackers can affect the stable operation of hosts and other containers by attacking containers, causing container escape issues. In this paper, we design a security hardening scheme for docker containers. By detecting the vulnerabilities in container images, it avoids malicious vulnerabilities and performs image measurement to ensure that the images before the container is started has not been tampered. Through the container integrity measurement module, the process of measuring the code segment, data segment, and the shared library of the container ensures that the contents of these areas will not be tampered during the container’s operation. Further, it reduces the attacking surface by setting the system whitelist for the container process and restricting the interaction between the container and the external network. This improves the container safety and reliability.","PeriodicalId":234632,"journal":{"name":"2022 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)","volume":"123 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/cyberc55534.2022.00049","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Docker uses software isolation mechanism while sharing the operating system kernel with the host, which results in insufficient isolation between containers and hosts. Attackers can affect the stable operation of hosts and other containers by attacking containers, causing container escape issues. In this paper, we design a security hardening scheme for docker containers. By detecting the vulnerabilities in container images, it avoids malicious vulnerabilities and performs image measurement to ensure that the images before the container is started has not been tampered. Through the container integrity measurement module, the process of measuring the code segment, data segment, and the shared library of the container ensures that the contents of these areas will not be tampered during the container’s operation. Further, it reduces the attacking surface by setting the system whitelist for the container process and restricting the interaction between the container and the external network. This improves the container safety and reliability.

查看原文本刊更多论文

docker容器安全加固解决方案

Docker在与主机共享操作系统内核的同时，采用了软件隔离机制，导致容器与主机之间隔离不足。攻击者通过攻击容器，可以影响主机和其他容器的稳定运行，造成容器逃逸问题。本文设计了一种针对docker容器的安全加固方案。通过检测容器镜像中的漏洞，避免恶意漏洞，并进行镜像测量，确保容器启动前的镜像未被篡改。通过容器完整性测量模块，对容器的代码段、数据段、共享库进行测量的过程，保证了容器在运行过程中这些区域的内容不会被篡改。通过设置容器进程的系统白名单，限制容器与外部网络的交互，减少攻击面。提高了集装箱的安全性和可靠性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)

自引率

0.00%

发文量