Co-residency Attacks on Containers are Real

Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop Pub Date : 2020-11-09 DOI:10.1145/3411495.3421357

S. Shringarputale, P. Mcdaniel, Kevin R. B. Butler, T. L. Porta

{"title":"Co-residency Attacks on Containers are Real","authors":"S. Shringarputale, P. Mcdaniel, Kevin R. B. Butler, T. L. Porta","doi":"10.1145/3411495.3421357","DOIUrl":null,"url":null,"abstract":"Public clouds are inherently multi-tenant: applications deployed by different parties (including malicious ones) may reside on the same physical machines and share various hardware resources. With the introduction of newer hypervisors, containerization frameworks like Docker, and managed/orchestrated clusters using systems like Kubernetes, cloud providers downplay the feasibility of co-tenant attacks by marketing a belief that applications do not operate on shared hardware. In this paper, we challenge the conventional wisdom that attackers cannot confirm co-residency with a victim application from inside state-of-the-art containers running on virtual machines. We analyze the degree of vulnerability present in containers running on various systems including within a broad range of commercially utilized orchestrators. Our results show that on commercial cloud environments including AWS and Azure, we can obtain over 90% success rates for co-residency detection using real-life workloads. Our investigation confirms that co-residency attacks are a significant concern on containers running on modern orchestration systems.","PeriodicalId":125943,"journal":{"name":"Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop","volume":"21 5","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3411495.3421357","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 12

Abstract

Public clouds are inherently multi-tenant: applications deployed by different parties (including malicious ones) may reside on the same physical machines and share various hardware resources. With the introduction of newer hypervisors, containerization frameworks like Docker, and managed/orchestrated clusters using systems like Kubernetes, cloud providers downplay the feasibility of co-tenant attacks by marketing a belief that applications do not operate on shared hardware. In this paper, we challenge the conventional wisdom that attackers cannot confirm co-residency with a victim application from inside state-of-the-art containers running on virtual machines. We analyze the degree of vulnerability present in containers running on various systems including within a broad range of commercially utilized orchestrators. Our results show that on commercial cloud environments including AWS and Azure, we can obtain over 90% success rates for co-residency detection using real-life workloads. Our investigation confirms that co-residency attacks are a significant concern on containers running on modern orchestration systems.

查看原文本刊更多论文

对容器的共同驻留攻击是真实存在的

公共云本质上是多租户的:由不同方(包括恶意方)部署的应用程序可能驻留在相同的物理机器上，并共享各种硬件资源。随着新的管理程序、容器化框架(如Docker)和使用Kubernetes等系统的托管/编排集群的引入，云提供商通过宣传应用程序不会在共享硬件上运行的信念，淡化了共同租户攻击的可行性。在本文中，我们挑战了传统观点，即攻击者无法从运行在虚拟机上的最先进的容器中确认受害者应用程序的共同驻留。我们分析了在各种系统上运行的容器中存在的漏洞程度，包括在广泛的商业使用的编排器中。我们的结果表明，在包括AWS和Azure在内的商业云环境中，我们可以使用实际工作负载获得超过90%的共同驻留检测成功率。我们的调查证实，共同驻留攻击是对运行在现代编排系统上的容器的重大关注。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

自引率

0.00%

发文量