Security implications for docker container environments deploying images from public repositories : A systematic literature review

Tyresson, Dennis

January 2020

Because of the ease of use and effectiveness, Docker containers have become immensely popular among system administrators worldwide. Docker elegantly packages entire applications within a single software entity called images, allowing fast and consistent deployment over different host systems. However, it is not without drawbacks, as the close interaction with the operating system kernel gives rise to security concerns. The conducted systematic literature review aims to address concerns regarding the use of images from unknown sources. Multiple search terms were applied to a set of four scientific databases in order to find peer-reviewed articles that fulfill certain selection criteria. A final amount of 13 articles were selected and evaluated by using means of thematic coding. Analysis showed that users need to be wary of what images are used to deploy containers, as they might contain malicious code or other weaknesses. The use of automatic vulnerability detection using static and dynamic detection could help protect the user from bad images.

Docker

containers

virtualization

security

Information Systems

Implementation of Distributed Cloud System Architecture using AdvancedContainer Orchestration, Cloud Storage, and Centralized Database for a Web-based Platform

Karkera, Sohan Sadanand

January 2020

No description available.

Computer Science

Containers

Container orchestration

Cloud technology

Distributed systems

A study of oscillatory thermocapillary convection in circular containers with carbon dioxide laser heating

Lee, Jung Hyun

January 1994

No description available.

oscillatory thermocapillary

convection

circular containers

carbon dioxide

laser heating

Scaling analysis of thermocapillary flows in cylindrical containers

Chang, Anzhong

January 1994

No description available.

Engineering, Mechanical

The establishment and evaluation of safe processes involved in the flame sterilization of peas

Ice, James Richard

January 1975

No description available.

PEAS

containers

Flame Sterilizer

FLAME

Retort

Heat Penetration

Sterilizer

Torpedo: A Fuzzing Framework for Discovering Adversarial Container Workloads

McDonough, Kenton Robert

13 July 2021

Over the last decade, container technology has fundamentally changed the landscape of commercial cloud computing services. In contrast to traditional VM technologies, containers theoretically provide the same process isolation guarantees with less overhead and additionally introduce finer grained options for resource allocation. Cloud providers have widely adopted container based architectures as the standard for multi-tenant hosting services and rely on underlying security guarantees to ensure that adversarial workloads cannot disrupt the activities of coresident containers on a given host. Unfortunately, recent work has shown that the isolation guarantees provided by containers are not absolute. Due to inconsistencies in the way cgroups have been added to the Linux kernel, there exist vulnerabilities that allow containerized processes to generate "out of band" workloads and negatively impact the performance of the entire host without being appropriately charged. Because of the relative complexity of the kernel, discovering these vulnerabilities through traditional static analysis tools may be very challenging. In this work, we present TORPEDO, a set of modifications to the SYZKALLER fuzzing framework that creates containerized workloads and searches for sequences of system calls that break process isolation boundaries. TORPEDO combines traditional code coverage feedback with resource utilization measurements to motivate the generation of "adversarial" programs based on user-defined criteria. Experiments conducted on the default docker runtime runC as well as the virtualized runtime gVisor independently reconfirm several known vulnerabilities and discover interesting new results and bugs, giving us a promising framework to conduct more research. / Master of Science / Over the last decade, container technology has fundamentally changed the landscape of commercial cloud computing services. By abstracting away many of the system details required to deploy software, developers can rapidly prototype, deploy, and take advantage of massive distributed frameworks when deploying new software products. These paradigms are supported with corresponding business models offered by cloud providers, who allocate space on powerful physical hardware among many potentially competing services. Unfortunately, recent work has shown that the isolation guarantees provided by containers are not absolute. Due to inconsistencies in the way containers have been implemented by the Linux kernel, there exist vulnerabilities that allow containerized programs to generate "out of band" workloads and negatively impact the performance of other containers. In general, these vulnerabilities are difficult to identify, but can be very severe. In this work, we present TORPEDO, a set of modifications to the SYZKALLER fuzzing framework that creates containerized workloads and searches for programs that negatively impact other containers. TORPEDO uses a novel technique that combines resource monitoring with code coverage approximations, and initial testing on common container software has revealed new interesting vulnerabilities and bugs.

Computer Systems

Containers

Container Security

Fuzzing

Fuzz Testing

Syzkaller

gVisor

Modeling the impact of wood and fiber traits on the production costs of corrugated containers

Fernández Olivares, Jacobo Luis

05 1900

No description available.

Paper box industry Costs

Paperboard industry Costs

Boxes Design and construction

Containers Design and construction

Corrugated paperboard

Containers

Industrial costs

The Massachusetts bottle bill, 1967-1979 : a study of policy failure from the perspective of interest-group liberalism

Ross, David M. (David Michael)

January 1982

No description available.

Beverage containers -- Massachusetts.

Environmental policy -- Massachusetts.

One kernel to rule them all : An experimental study inspecting the Meltdown patch effects on the costs of system calls in systemd-nspawn containers / En kärna att härska över dem alla : En experimental studie som inspekterar effekterna av Meltdown uppdateringen i samband med systemd-nspawn containers

Kooijman, Ben

January 2018

Context. The paradigm of virtualization is rapidly changing due to hardware optimization and capabilities, while also due to rapid development and deployment strategies used in the modern day IT industry. Just like the positive changes, negative effects are necessary to occur in order to improve modern day technologies.This final year project takes a look at both the positive and negatives by exploring how containers are relevant to modern day computing and how they are affected by the patch that mitigates the Meltdown CPU vulnerabilities discovered in mid-2017 in terms of performance. Looking at the trade-off between information security and performance by taking an in-depth approach with a take on the core functionalities of the Linux Kernel. This paper succeeded to identify system call costs that between a secure and non-secure Linux kernel in the context of a containerized environment. Objectives. This study examines the effects of the KAISER security patch aimed to mitigate microprocessor vulnerabilities related to Meltdown. The investigated effect is the performance as the cost of system calls under the condition of a non-KAISER and a KAISER enabled Linux kernel. The intent is to increase the transparency of how a major security patch such as KAISER affects the system. Methods. A quantitative experimental study is conducted. One single Debian Stretch node is used with two different treatments. First micro-benchmarks are run without a KAISER enabled kernel which later is compared with a KAISER enabled kernel. The measuring point is the time one single system call takes in a sequence of 1 000 000 system calls. Results. First macro-benchmarks were conducted to see what a performance loss would look like on an application level. This proved to introduce many superfluous factors which made it difficult to use system calls as a measuring point. In the end a comparison between the two kernels was done. This indicated that the cost per system differed roughly 29% in time. Conclusions. The results indicate that a large performance loss is identified. However, this does not indicate that all activities on a computer will suffer from this loss. The performance loss the end-user will experience all depends on the amount of system calls generated from one single set of instructions. The performance loss can be neglected if these instructions generating a low amount of system calls. These results should notbe used as evidence to favor performance over information security in real life applications and implementations but rather as a motivation to meet the two aspects. / Kontext. Användning kring virtualisering håller snabbt på att förändras tack vare bättre hårdvaruoptimeringar och förmågor. Samtidigt ändras många olika utplaceringstrategier av datorresurser iden moderna IT industrin. Likväl alla positiva förändringar så introduceras det även effekter med negativa följder. Det här är ett examensarbete som ämnar att utforska båda dessa positiva och negativa effekter. Genom att titta på hur den populära virtualiserings tekniken som består av containers påverkas av uppdateringen som ska lösa sårbarhter i moderna processorer som går under namnet Meltdown. Påverkningarna definieras i form av prestanda vilket tillåter en djupare inspektering av de fundementala funktioner av Linux kärnan, där systemanrop kan användas som mätningspunkt. Metoden samt resultat i det här examensarbetet har med framgång lyckats hitta en kostnads skillnad per systemanrop under förhållandetav en osäker samt en säker Linux kärnna i en miljö som består av containers. Mål. Examensarbetet tittar på effekterna av uppdateringen som ska åtgärda sårbarheterna i moderna mikroprocessorer relaterade till Meltdown. De investigerade effekterna är definierade som prestandan där kostanden av systemanrop används som mätningspunkt. Meningen med det här examensarbetet att öka transparansen av vad en stor säkerhetsuppdatering gör med ett modernt datorsystem. Metod. En kvantitativ experimental studie utförs där en Debian Stretch nod används för att observera två olika behandlingar. Till början så körs det ”mikrobenchmarks” under förhållandet av en osäker Linux kärna. Sedan så följs detta upp med en säker Linux kärna. Till slut jämförs de olika resultat med varandra för att identifera hur mycket ett system anrop kostar under en sekvens av 10’000’000 systemanrop. Resultat. Som pilot studie utfördes det en rad olika tester som använder många olika verktyg för att se om det går att identifiera en prestanda förlust på applikations nivå. Genom att utföra tester utav den karaktären blev det tydligt att överflödiga faktorer förhindrade ett utfall som ansågs vara tillräcklig. Till slut hittades rätt typ av verktyg för att få fram ett utfall som visade att en prestanda skillnad på ~29% existerade mellan en osäker samt en säker Linux kärna. Sammanfattning. Resultatet indikerar att en prestanda förlust existerar. Dock påverkas inte den generella prestandan nödvändigtvis. Prestanda förlusten en slutanvändare kommer att uppleva beror helt på av hur stort antal systemanrop som genereras under sekvensen av aktiviteten som utförs. Resultatet som redovisas i detta examensarbete bör inte användas som motivation att prioritera prestanda över informations säkerhet i produktions miljöer men hellre som en motivation att kunna bemöta båda aspekterna.

Linux

containers

systemd-nspawn

Meltdown

KAISER

system calls

Linux

containers

systemd-nspawn

Meltdown

KAISER

systemanrop

Computer Sciences

Datavetenskap (datalogi)

Migração de metais por interação das embalagens com soluções parenterais / Migration of metals by the interaction of packages with pararenteral solutions

Bertagnolli, Denise de Castro

19 June 2008

Coordenação de Aperfeiçoamento de Pessoal de Nível Superior / The administration of medication and nutrients via parenteral is very used nowadays. One of the risks of this procedure is the presence of contaminants, which depending on their nature may cause severe damage to the patients due to the direct way of the administration (in the circulatory stream). In this work we investigated the possibility of the containers to be sources of metals for solutions of parenteral nutrition. The investigated containers are made of different kinds of glass and plastic polymers, namely polypropylene, PVC and EVA. The system container/solution (amino acids, salts, glucose and lipids) individually stored, was submitted to the sterilization process and after that stored for a time period of approximately 10 months, since the shelf-life period of these formulations are generally 2 years. After the sterilization and at regular time intervals, aliquots of each solution were collected and their contents on Al, Pb, Cd, Fe, Cr, Mn, Ba, and Zn were measured by graphite furnace atomic absorption spectrometry. The containers were also analyzed for the determination of the amount of each metal they contained. These metals are either constituents of the container material, as Al in glasses, or impurities in the case of plastic polymers. All containers presented the metals investigated. The solutions, depending on their composition (species dissolved) were able to extract the metals either from the glass or the polymers. The highest extraction rates occurred in solutions of the amino acids cysteine and glutamic acid, and in solutions of NaHCO3. The metals released in higher concentration were Ba, Pb and Zn form plastic containers and Al, Pb and Zn form glass containers. A different behavior was observed among the plastic polymers, and the different kinds of glass. While EVA was the most inert polymer, the clear glass ampoule released the highest amount of metals into the solutions. Fifty commercial samples were analyzed as well, and the investigated metals were found in all of them. The commercial formulations presented the same tendency of the individual sample used in the study, either in relation to the behavior of the substance in solution or the container material. / Atualmente a administração parenteral, tanto de medicamentos quanto nutrientes, é uma prática muito difundida. Um dos riscos desta prática é a presença de contaminantes que, dependendo da sua natureza, podem acarretar graves danos aos pacientes devido à forma direta (na corrente circulatória) da administração. Neste trabalho, investigou-se a possibilidade das embalagens serem fontes de contaminação por metais de soluções utilizadas na nutrição parenteral. As embalagens investigadas incluíram vários tipos de vidro e polímeros plásticos mais comumente utilizados (polipropileno, polivinil cloreto (PVC) e etil vinil acetato(EVA)). As embalagens, nas quais foram armazenados individualmente os constituintes das soluções parenterais (aminoácidos, sais, glicose, vitaminas e lipídeos), foram submetidas ao processo de esterilização e de armazenagem a longo prazo, visto que a validade deste tipo de formulação é geralmente de 2 anos. Após a esterilização e em intervalos de tempo regulares, alíquotas das soluções foram retiradas e os teores em Al, Pb, Cd, Fe, Cr, Mn, Ba e Zn foram medidos por espectrometria de absorção atômica forno de grafite (GF AAS) e espectrometria de massa com plasma indutivamente acoplado (ICP-MS). As embalagens utilizadas foram também analisadas para determinar quanto dos metais em estudo elas apresentavam, seja como constituinte, como é o caso do Al no vidro, ou como impureza, no caso de todos os metais nos polímeros plásticos. Todas as embalagens continham os metais em estudo em maior ou menor concentração. As soluções, dependendo dos seus constituintes foram capazes de extrair os metais, tanto do vidro quanto do plástico. As maiores taxas de extração ocorreram com as soluções dos aminoácidos cisteína e acido glutâmico. Os metais extraídos em maiores quantidades foram Ba, Pb e Zn das embalagens plásticas e Al, Pb e Zn das embalagens de vidro. Observou-se diferente comportamento entre os diferentes polímeros e tipos de vidro. O EVA mostrou-se o polímero mais inerte, enquanto que as ampolas transparentes foram as que mais metais liberaram para as soluções. Foram analisadas, também, 50 amostras comerciais, as quais se mostraram contaminadas pelos metais em estudo. Observou-se nas soluções comerciais a mesma tendência das soluções individuais do estudo, tanto com relação ao comportamento da embalagem, quanto ao conteúdo (ação do componente sobre a embalagem) e os metais extraídos.

Nutrição parenteral

Embalagens plásticas

Embalagens de vidro

Parenteral nutrition

Plastic containers

Glass containers