Linux containers have become a popular light-weight virtualization platform for effective on-demand computing. Their use ranges from simple high-performance computing (HPC) clusters to fully orchestrated enterprise systems. As such they have become attractive targets for attackers. This project aims at improving the trustworthiness and reliability of the Linux containers and their applications. With the substantial security enhancement against malicious attacks, it could promote the adaptation of the light-weight container platform, particularly, in the HPC community to satisfy the needs on mobility of compute. In addition, the developed techniques are generic and can be easily ported or extended to protect other Linux platforms that have the basic security primitives enabled.
This project provides a novel and practical framework to enhance container security via enforcing dynamic system resource constraints based on the lifecycle phases of a particular container platform. Particularly, since the same operating system (OS) kernel is shared among all containers on a host, when one malicious container escapes from the user-level process into the OS kernel, all other containers are compromised too. The project can dramatically reduce the attack surface of the host OS by smoothly integrating dynamic filters with the existing security primitives (e.g., seccomp, capabilities, and cgroups) in Linux kernels. Moreover, the combination of these enhanced security primitives provides more power and flexibility on attack mitigation. This security enhancement is user-transparent and has a minimal overhead.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.