Title: Cordon: Enhancing security through kernel-level control in containerized computing environments
Authors: Qiqing Deng, Zhen Xu, Qihui Zhou, Yan Zhang
DOI: 10.1016/j.cose.2025.104644
Journal: Computers & Security, volume 158, Article 104644
Publication type: Journal Article
Publication date: 2025-08-30
Journal impact factor: 5.4; JCR quartile: Q1 (Computer Science, Information Systems)
Open access: no
Source record: Semantic Scholar
Publisher page: https://www.sciencedirect.com/science/article/pii/S0167404825003335
Citation count: 0
Abstract
Containers have become a foundational technology across a variety of computing environments, enabling an era of agility, efficiency, and scalability due to their inherent advantages. Simultaneously, containers confront escalating security threats, with vulnerabilities being exploited to compromise host machines and broaden attack impacts. Existing security mechanisms predominantly rely on host-based mandatory access control, which contradicts the autonomy and flexibility requirements of dynamic and scalable containerized computing environments. This paper introduces Cordon, a novel framework aimed at providing autonomous and flexible control management within the context of containerized computing, effectively addressing the limitations of existing security mechanisms. Cordon is designed to counter common attack vectors in containerized environments by implementing file access control, capability management, and system call interception, thereby enabling comprehensive container-aware security enforcement at the kernel level. Furthermore, Cordon supports multi-container management, enabling the application of security policies across various dimensions of container resources, a feature that allows for the batch security management of containers of the same type, such as multiple container instances deployed under the same Kubernetes deployment. We develop a prototype implementation of Cordon and evaluate its effectiveness, generality, and performance overhead. Our evaluation demonstrates that Cordon effectively blocks various container attacks while maintaining acceptable overhead.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.