Awardee: | UNIVERSITY OF DELAWARE |
Doing Business As Name: | University of Delaware |
PD/PI: | |
Award Date: | 10/27/2020 |
Estimated Total Award Amount: | $ 152,097 |
Funds Obligated to Date: | $ 152,097 |
Start Date: | 08/16/2020 |
End Date: | 05/31/2022 |
Transaction Type: | Grant |
Agency: | NSF |
Awarding Agency Code: | 4900 |
Funding Agency Code: | 4900 |
CFDA Number: | 47.070 |
Primary Program Source: | 040100 NSF RESEARCH & RELATED ACTIVIT |
Award Title or Description: | CRII: SaTC: Securing Containers in Multi-Tenant Environment via Augmenting Linux Control Groups |
Federal Award ID Number: | 2054657 |
DUNS ID: | 059007500 |
Parent DUNS ID: | 059007500 |
Program: | Secure &Trustworthy Cyberspace |
Program Officer: | |
Awardee Location | |
Street: | 210 Hullihen Hall |
City: | Newark |
State: | DE |
ZIP: | 19716-0099 |
County: | Newark |
Country: | US |
Awardee Cong. District: | 00 |
Primary Place of Performance | |
Organization Name: | University of Delaware |
Street: | |
City: | |
State: | DE |
ZIP: | 19716-0099 |
County: | Newark |
Country: | US |
Cong. District: | 00 |
Abstract at Time of Award | |
Container technology provides lightweight, operating-system-level virtualization. It has been broadly adopted in many computing scenarios, including edge computing, serverless computing, and commercial clouds. Containers depend on several building blocks in the Linux kernel for resource isolation and control. In particular, Linux Control Groups (cgroups) are used to apply resource limits to containers and to account for their resource usage. However, these kernel features may not provide the same level of security guarantees as conventional virtual machines. For example, breaking the resource control of cgroups would not only cause unfair resource sharing among co-located container instances, but could also significantly reduce other containers' performance. This project intends to secure containers by systematically investigating the security implications of cgroups and developing new defense systems to mitigate potential threats in multi-tenant container environments. The research is expected to identify and address new security challenges in containers, and thus to benefit both container service providers and their customers. Educational and outreach activities include curriculum development in systems programming and cloud security, and research experience opportunities for women and minority students as well as for high school students.
The project systematically explores methods to break the resource control that the existing cgroups mechanism imposes, and to comprehensively understand the resulting security impact on Linux containers. It develops a set of exploitation strategies that generate out-of-band workloads (work whose cost is not charged to the cgroup that caused it) to escape cgroup limits. Novel kernel code analysis techniques are developed that combine data flow, control flow, and program dependence graphs to automatically uncover feasible exploitation cases reachable from inside unprivileged containers with a given set of cgroup resource controllers enabled. All potential exploits are quantitatively evaluated on multiple testbeds in realistic container environments under various attack scenarios. Specifically, a variety of real-world workloads are evaluated to understand the impact and severity of the vulnerabilities. With a better understanding of the inadequacies of the existing cgroup mechanism and the related exploits, the project develops lightweight defense mechanisms to secure containers and mitigate the identified threats. The proposed system is evaluated in terms of both performance and security. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria. |
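The abstract's core observation is that cgroups limit and account for a container's resource usage, and that an out-of-band workload is one whose cost lands outside that accounting. One practical check an operator can run follows directly from that: compare the CPU time the host actually spent busy (from /proc/stat) with the CPU time charged to all monitored cgroups (from each cgroup v2 cpu.stat), and treat a large unattributed share, especially time spent in hard/soft IRQ context, as a signal that work is escaping cgroup accounting. The script below is an added example for this page, not code from the NSF award or the funded project. The two snapshots it analyses are constructed; the value of USER_HZ (100) and the 25% gap threshold are assumptions you should adjust for your hosts.

```python
"""
Detect CPU work that cgroup accounting does not attribute to any monitored cgroup.

Added example for this page; not code from the NSF award or the funded project.
Inputs are the aggregate 'cpu' line of /proc/stat and each cgroup's cpu.stat
(cgroup v2, values in microseconds), sampled twice over an interval.
The snapshots below are constructed; USER_HZ and GAP_THRESHOLD are assumptions.
"""
from __future__ import annotations

USER_HZ = 100          # assumption: /proc/stat tick rate (getconf CLK_TCK on the host)
GAP_THRESHOLD = 0.25   # assumption: flag when >25% of busy time is unattributed


def parse_cpu_stat(text: str) -> dict[str, int]:
    """Parse a cgroup v2 cpu.stat file ('key value' per line) into integers."""
    stats: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            key, value = line.split()
            stats[key] = int(value)
    return stats


def parse_proc_stat_cpu(text: str) -> dict[str, int]:
    """Parse the aggregate 'cpu' line of /proc/stat into named tick counts."""
    fields = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "cpu":
            return dict(zip(fields, (int(v) for v in parts[1:1 + len(fields)])))
    raise ValueError("no aggregate 'cpu' line in /proc/stat snapshot")


def ticks_to_usec(ticks: int) -> int:
    return ticks * 1_000_000 // USER_HZ


def host_busy_usec(before: dict[str, int], after: dict[str, int]) -> int:
    """Host time spent doing work (everything but idle/iowait/steal), in usec."""
    busy_fields = ("user", "nice", "system", "irq", "softirq")
    return ticks_to_usec(sum(after[f] - before[f] for f in busy_fields))


def irq_context_usec(before: dict[str, int], after: dict[str, int]) -> int:
    """Host time in hard/soft IRQ context: kernel work no cgroup is charged for."""
    return ticks_to_usec((after["irq"] - before["irq"]) + (after["softirq"] - before["softirq"]))


def accounting_gap(host_before: dict[str, int], host_after: dict[str, int],
                   cg_before: list[dict[str, int]], cg_after: list[dict[str, int]]) -> dict:
    """Compare host busy time with the usage_usec deltas of all monitored cgroups."""
    busy = host_busy_usec(host_before, host_after)
    accounted = sum(a["usage_usec"] - b["usage_usec"] for b, a in zip(cg_before, cg_after))
    gap = busy - accounted
    return {
        "host_busy_usec": busy,
        "accounted_usec": accounted,
        "gap_usec": gap,
        "irq_usec": irq_context_usec(host_before, host_after),
        "gap_ratio": (gap / busy) if busy else 0.0,
    }


def suspicious(report: dict, threshold: float = GAP_THRESHOLD) -> bool:
    """True when the unattributed share of host busy time exceeds the threshold."""
    return report["gap_ratio"] > threshold


# Constructed snapshots: one container cgroup plus the host's system.slice,
# sampled before and after a 10 s window in which the container's quota is
# enforced (nr_throttled climbs) yet the host burns far more CPU than is charged.
HOST_BEFORE = "cpu  1000 0 500 90000 100 10 20 0 0 0\ncpu0 1000 0 500 90000 100 10 20 0 0 0\n"
HOST_AFTER = "cpu  1100 0 900 90500 100 60 220 0 0 0\ncpu0 1100 0 900 90500 100 60 220 0 0 0\n"
CONTAINER_BEFORE = "usage_usec 500000\nuser_usec 300000\nsystem_usec 200000\nnr_periods 10\nnr_throttled 0\nthrottled_usec 0\n"
CONTAINER_AFTER = "usage_usec 1500000\nuser_usec 1000000\nsystem_usec 500000\nnr_periods 110\nnr_throttled 90\nthrottled_usec 8000000\n"
SYSTEM_SLICE_BEFORE = "usage_usec 2000000\nuser_usec 1200000\nsystem_usec 800000\n"
SYSTEM_SLICE_AFTER = "usage_usec 2300000\nuser_usec 1400000\nsystem_usec 900000\n"


def run_demo() -> dict:
    """Analyse the constructed snapshots and return the report."""
    return accounting_gap(
        parse_proc_stat_cpu(HOST_BEFORE), parse_proc_stat_cpu(HOST_AFTER),
        [parse_cpu_stat(CONTAINER_BEFORE), parse_cpu_stat(SYSTEM_SLICE_BEFORE)],
        [parse_cpu_stat(CONTAINER_AFTER), parse_cpu_stat(SYSTEM_SLICE_AFTER)],
    )


if __name__ == "__main__":
    result = run_demo()
    print(f"host busy {result['host_busy_usec']} usec, charged to cgroups {result['accounted_usec']} usec")
    print(f"unattributed {result['gap_usec']} usec ({result['gap_ratio']:.0%}), "
          f"of which IRQ/softirq context {result['irq_usec']} usec")
    print("SUSPICIOUS" if suspicious(result) else "ok")
```

On a live host the inputs come from `/proc/stat` and `/sys/fs/cgroup/<path>/cpu.stat` for every cgroup you want to account for (the container cgroups plus the system slices), sampled at both ends of the window. A gap is only meaningful if the monitored set covers everything that runs on the host; a large remaining gap concentrated in irq/softirq time, coinciding with a container that is being throttled, is the pattern the abstract describes: the container's quota is enforced, but the work it triggers is being done elsewhere in the kernel and charged to no one.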