A Container Security Survey: Exploits, Attacks, and Defenses

IF 23.8 1区计算机科学 Q1 COMPUTER SCIENCE, THEORY & METHODS

ACM Computing Surveys Pub Date : 2025-01-25 DOI:10.1145/3715001

Omar Jarkas, Ryan Ko, Naipeng Dong, Redowan Mahmud

{"title":"A Container Security Survey: Exploits, Attacks, and Defenses","authors":"Omar Jarkas, Ryan Ko, Naipeng Dong, Redowan Mahmud","doi":"10.1145/3715001","DOIUrl":null,"url":null,"abstract":"Containerization significantly boosts cloud computing efficiency by reducing resource consumption, enhancing scalability, and simplifying orchestration. Yet, these same features introduce notable security vulnerabilities due to the shared Linux kernel and reduced isolation compared to traditional virtual machines (VMs). This architecture, while resource-efficient, increases susceptibility to software vulnerabilities, exposing containers to potential breaches; a single kernel vulnerability could compromise all containers on the same host. Existing academic research on container security is often theoretical and lacks empirical data on the nature of attacks, exploits, and vulnerabilities. Studies that do look at vulnerabilities often focus on specific types. This lack of detailed data and breadth hampers the development of effective mitigation strategies and restricts insights into the inherent weaknesses of containers. To address these gaps, our study introduces a novel taxonomy integrating academic knowledge with industry insights and real-world vulnerabilities, creating a comprehensive and actionable framework for container security. We analyzed over 200 container-related vulnerabilities, categorizing them into 47 exploit types across 11 distinct attack vectors. This taxonomy not only advances theoretical understanding but also facilitates the identification of vulnerabilities and the implementation of effective mitigation strategies in containerized environments. Our approach enhances the resilience of these environments by mapping vulnerabilities to their corresponding exploits and mitigation strategies, especially in complex, multi-tenant cloud settings. By providing actionable insights, our taxonomy helps practitioners enhance container security. Our findings have identified critical areas for further investigation, thereby laying a comprehensive foundation for future research and improving container security in cloud environments.","PeriodicalId":50926,"journal":{"name":"ACM Computing Surveys","volume":"56 1","pages":""},"PeriodicalIF":23.8000,"publicationDate":"2025-01-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Computing Surveys","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3715001","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 0

Abstract

Containerization significantly boosts cloud computing efficiency by reducing resource consumption, enhancing scalability, and simplifying orchestration. Yet, these same features introduce notable security vulnerabilities due to the shared Linux kernel and reduced isolation compared to traditional virtual machines (VMs). This architecture, while resource-efficient, increases susceptibility to software vulnerabilities, exposing containers to potential breaches; a single kernel vulnerability could compromise all containers on the same host. Existing academic research on container security is often theoretical and lacks empirical data on the nature of attacks, exploits, and vulnerabilities. Studies that do look at vulnerabilities often focus on specific types. This lack of detailed data and breadth hampers the development of effective mitigation strategies and restricts insights into the inherent weaknesses of containers. To address these gaps, our study introduces a novel taxonomy integrating academic knowledge with industry insights and real-world vulnerabilities, creating a comprehensive and actionable framework for container security. We analyzed over 200 container-related vulnerabilities, categorizing them into 47 exploit types across 11 distinct attack vectors. This taxonomy not only advances theoretical understanding but also facilitates the identification of vulnerabilities and the implementation of effective mitigation strategies in containerized environments. Our approach enhances the resilience of these environments by mapping vulnerabilities to their corresponding exploits and mitigation strategies, especially in complex, multi-tenant cloud settings. By providing actionable insights, our taxonomy helps practitioners enhance container security. Our findings have identified critical areas for further investigation, thereby laying a comprehensive foundation for future research and improving container security in cloud environments.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Computing Surveys 工程技术-计算机：理论方法

CiteScore

33.20

自引率

0.60%

发文量

372

审稿时长

12 months

期刊介绍： ACM Computing Surveys is an academic journal that focuses on publishing surveys and tutorials on various areas of computing research and practice. The journal aims to provide comprehensive and easily understandable articles that guide readers through the literature and help them understand topics outside their specialties. In terms of impact, CSUR has a high reputation with a 2022 Impact Factor of 16.6. It is ranked 3rd out of 111 journals in the field of Computer Science Theory & Methods. ACM Computing Surveys is indexed and abstracted in various services, including AI2 Semantic Scholar, Baidu, Clarivate/ISI: JCR, CNKI, DeepDyve, DTU, EBSCO: EDS/HOST, and IET Inspec, among others.