警戒线:在容器化计算环境中通过内核级控制来增强安全性

IF 5.4 2区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Qiqing Deng , Zhen Xu , Qihui Zhou , Yan Zhang
{"title":"警戒线:在容器化计算环境中通过内核级控制来增强安全性","authors":"Qiqing Deng ,&nbsp;Zhen Xu ,&nbsp;Qihui Zhou ,&nbsp;Yan Zhang","doi":"10.1016/j.cose.2025.104644","DOIUrl":null,"url":null,"abstract":"<div><div>Containers have become a foundational technology across a variety of computing environments, enabling an era of agility, efficiency, and scalability due to their inherent advantages. Simultaneously, containers confront escalating security threats, with vulnerabilities being exploited to compromise host machines and broaden attack impacts. Existing security mechanisms predominantly rely on host-based mandatory access control, which contradicts the autonomy and flexibility requirements of dynamic and scalable containerized computing environments. This paper introduces Cordon, a novel framework aimed at providing autonomous and flexible control management within the context of containerized computing, effectively addressing the limitations of existing security mechanisms. Cordon is designed to counter common attack vectors in containerized environments by implementing file access control, capability management, and system call interception, thereby enabling comprehensive container-aware security enforcement at the kernel level. Furthermore, Cordon supports multi-container management, enabling the application of security policies across various dimensions of container resources, a feature that allows for the batch security management of containers of the same type, such as multiple container instances deployed under the same Kubernetes deployment. We develop a prototype implementation of Cordon and evaluate its effectiveness, generality, and performance overhead. Our evaluation demonstrates that Cordon effectively blocks various container attacks while maintaining acceptable overhead.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"158 ","pages":"Article 104644"},"PeriodicalIF":5.4000,"publicationDate":"2025-08-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Cordon: Enhancing security through kernel-level control in containerized computing environments\",\"authors\":\"Qiqing Deng ,&nbsp;Zhen Xu ,&nbsp;Qihui Zhou ,&nbsp;Yan Zhang\",\"doi\":\"10.1016/j.cose.2025.104644\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Containers have become a foundational technology across a variety of computing environments, enabling an era of agility, efficiency, and scalability due to their inherent advantages. Simultaneously, containers confront escalating security threats, with vulnerabilities being exploited to compromise host machines and broaden attack impacts. Existing security mechanisms predominantly rely on host-based mandatory access control, which contradicts the autonomy and flexibility requirements of dynamic and scalable containerized computing environments. This paper introduces Cordon, a novel framework aimed at providing autonomous and flexible control management within the context of containerized computing, effectively addressing the limitations of existing security mechanisms. Cordon is designed to counter common attack vectors in containerized environments by implementing file access control, capability management, and system call interception, thereby enabling comprehensive container-aware security enforcement at the kernel level. Furthermore, Cordon supports multi-container management, enabling the application of security policies across various dimensions of container resources, a feature that allows for the batch security management of containers of the same type, such as multiple container instances deployed under the same Kubernetes deployment. We develop a prototype implementation of Cordon and evaluate its effectiveness, generality, and performance overhead. Our evaluation demonstrates that Cordon effectively blocks various container attacks while maintaining acceptable overhead.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"158 \",\"pages\":\"Article 104644\"},\"PeriodicalIF\":5.4000,\"publicationDate\":\"2025-08-30\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404825003335\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825003335","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

容器已经成为跨各种计算环境的基础技术,由于其固有的优势,实现了一个敏捷、高效和可伸缩性的时代。同时,容器面临着不断升级的安全威胁,漏洞被利用来危害主机并扩大攻击的影响。现有的安全机制主要依赖于基于主机的强制访问控制,这与动态和可扩展的容器化计算环境的自主性和灵活性需求相矛盾。本文介绍了Cordon,这是一个新的框架,旨在在容器化计算环境中提供自主和灵活的控制管理,有效地解决了现有安全机制的局限性。Cordon旨在通过实现文件访问控制、功能管理和系统调用拦截来对抗容器化环境中的常见攻击向量,从而在内核级别实现全面的容器感知安全实施。此外,Cordon支持多容器管理,支持跨容器资源的各个维度应用安全策略,该特性允许对相同类型的容器进行批量安全管理,例如在相同的Kubernetes部署下部署的多个容器实例。我们开发了一个Cordon的原型实现,并评估了它的有效性、通用性和性能开销。我们的评估表明,Cordon有效地阻止各种容器攻击,同时保持可接受的开销。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Cordon: Enhancing security through kernel-level control in containerized computing environments
Containers have become a foundational technology across a variety of computing environments, enabling an era of agility, efficiency, and scalability due to their inherent advantages. Simultaneously, containers confront escalating security threats, with vulnerabilities being exploited to compromise host machines and broaden attack impacts. Existing security mechanisms predominantly rely on host-based mandatory access control, which contradicts the autonomy and flexibility requirements of dynamic and scalable containerized computing environments. This paper introduces Cordon, a novel framework aimed at providing autonomous and flexible control management within the context of containerized computing, effectively addressing the limitations of existing security mechanisms. Cordon is designed to counter common attack vectors in containerized environments by implementing file access control, capability management, and system call interception, thereby enabling comprehensive container-aware security enforcement at the kernel level. Furthermore, Cordon supports multi-container management, enabling the application of security policies across various dimensions of container resources, a feature that allows for the batch security management of containers of the same type, such as multiple container instances deployed under the same Kubernetes deployment. We develop a prototype implementation of Cordon and evaluate its effectiveness, generality, and performance overhead. Our evaluation demonstrates that Cordon effectively blocks various container attacks while maintaining acceptable overhead.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Computers & Security
Computers & Security 工程技术-计算机:信息系统
CiteScore
12.40
自引率
7.10%
发文量
365
审稿时长
10.7 months
期刊介绍: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信