Comprehensive defense scheme against container escape related to container management procedure

Abstract

Container technology has become a widely used virtualization technology in cloud platform because of its lightweight virtualization characteristics. However, compared with traditional virtual machine technology, the security and isolation of the container are poor and it may lead to container escape, because container technology shares the kernel with the host. This attack will pose a serious threat to the host and other containers on the same host. We studied the container escape attack caused by container management vulnerabilities, and propose a comprehensive container security protection scheme by using AppArmor and Seccomp. Through the simulation of vulnerability environment, the structure proves that the scheme is indeed effective.