Enhancing Security of Modern Linux Containers
Supervisor(s): | Sergej Proskurin |
Status: | finished |
Topic: | Linux stuff |
Author: | Charlie Groh |
Submission: | 2018-09-17 |
Type of Thesis: | Bachelor's thesis |
Description

In the last few years, containerization has seen rapid growth in adoption. Containers are not only very easy to deploy, they are also extremely lightweight. Although state-of-the-art container implementations are able to isolate users in a similar way to virtual machines, they have significantly lower overhead. Unfortunately, this reduction comes at the cost of considerably weaker isolation between host and container. For containers, the kernel takes the same role as the hypervisor does for virtual machines. Hence, adversaries can potentially abuse vulnerabilities in the kernel to escape containers. Since a kernel usually has a much larger attack surface than a hypervisor, this constitutes a serious security problem. For example, the Linux kernel (version 4.18.7) offers 335 syscalls, whereas the Xen hypervisor (version 4.11.0) offers only 42 hypercalls. As a result, it is extremely important to develop hardening mechanisms for containers.