Torpedo: A Fuzzing Framework for Discovering Adversarial Container Workloads

McDonough, Kenton Robert

13 July 2021

Over the last decade, container technology has fundamentally changed the landscape of commercial cloud computing services. In contrast to traditional VM technologies, containers theoretically provide the same process isolation guarantees with less overhead and additionally introduce finer grained options for resource allocation. Cloud providers have widely adopted container based architectures as the standard for multi-tenant hosting services and rely on underlying security guarantees to ensure that adversarial workloads cannot disrupt the activities of coresident containers on a given host. Unfortunately, recent work has shown that the isolation guarantees provided by containers are not absolute. Due to inconsistencies in the way cgroups have been added to the Linux kernel, there exist vulnerabilities that allow containerized processes to generate "out of band" workloads and negatively impact the performance of the entire host without being appropriately charged. Because of the relative complexity of the kernel, discovering these vulnerabilities through traditional static analysis tools may be very challenging. In this work, we present TORPEDO, a set of modifications to the SYZKALLER fuzzing framework that creates containerized workloads and searches for sequences of system calls that break process isolation boundaries. TORPEDO combines traditional code coverage feedback with resource utilization measurements to motivate the generation of "adversarial" programs based on user-defined criteria. Experiments conducted on the default docker runtime runC as well as the virtualized runtime gVisor independently reconfirm several known vulnerabilities and discover interesting new results and bugs, giving us a promising framework to conduct more research. / Master of Science / Over the last decade, container technology has fundamentally changed the landscape of commercial cloud computing services. By abstracting away many of the system details required to deploy software, developers can rapidly prototype, deploy, and take advantage of massive distributed frameworks when deploying new software products. These paradigms are supported with corresponding business models offered by cloud providers, who allocate space on powerful physical hardware among many potentially competing services. Unfortunately, recent work has shown that the isolation guarantees provided by containers are not absolute. Due to inconsistencies in the way containers have been implemented by the Linux kernel, there exist vulnerabilities that allow containerized programs to generate "out of band" workloads and negatively impact the performance of other containers. In general, these vulnerabilities are difficult to identify, but can be very severe. In this work, we present TORPEDO, a set of modifications to the SYZKALLER fuzzing framework that creates containerized workloads and searches for programs that negatively impact other containers. TORPEDO uses a novel technique that combines resource monitoring with code coverage approximations, and initial testing on common container software has revealed new interesting vulnerabilities and bugs.

Computer Systems

Containers

Container Security

Fuzzing

Fuzz Testing

Syzkaller

gVisor

Security in Rootless Containers : Measuring the Attack Surface of Containers

Engström Ericsson, Matilda

January 2022

Rootless containers are commonly perceived as more secure, as they run without added privileges. To the best of my knowledge, this hypothesis has never been proven.  This thesis aims to contribute to addressing knowledge gaps in research by measuring the attack surface of Rootless Podman, Rootless Docker, as well as Rootful Docker for comparison. Furthermore, different Rootless Container Engines are analysed in a prestudy to summarise what current options exist on the market today. The attack surface is systematically measured using the Attack Surface Measurement Method. The method identifies resources and groups them into different attack classes, based on the resource attackability. The authors of the method defines attackability as the likelihood of a successful attack. Finally, the total attackability of the container engines is computed.  The study concludes that attack surface is significantly reduced when a local container image is used, instead of downloading one. In addition, the design choice of the container engine influences the attack surface more than whether the container is rootless or rootful.

rootless container

container security

attack surface

Docker

Podman

Computer and Information Sciences

Data- och informationsvetenskap

Securing Cloud Containers through Intrusion Detection and Remediation

Abed, Amr Sayed Omar

29 August 2017

Linux containers are gaining increasing traction in both individual and industrial use. As these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. However, a little research has been conducted in this area. This research introduces an anomaly-based intrusion detection and remediation system for container-based clouds. The introduced system monitors system calls between the container and the host server to passively detect malfeasance against applications running in cloud containers. We started by applying a basic memory-based machine learning technique to model the container behavior. The same technique was also extended to learn the behavior of a distributed application running in a number of cloud-based containers. In addition to monitoring the behavior of each container independently, the system used prior knowledge for a more informed detection system. We then studied the feasibility and effectiveness of applying a more sophisticated deep learning technique to the same problem. We used a recurrent neural network to model the container behavior. We evaluated the system using a typical web application hosted in two containers, one for the front-end web server, and one for the back-end database server. The system has shown promising results for both of the machine learning techniques used. Finally, we describe a number of incident handling and remediation techniques to be applied upon attack detection. / Ph. D.

Security in Cloud Computing

Deep learning (Machine learning)

Intrusion Detection

Container Security

Behavior Modeling

Anomaly Detection