Skip directly to content

Minimize RSR Award Detail

Research Spending & Results

Award Detail

Doing Business As Name:University of Delaware
  • Xing Gao
  • (302) 831-2711
Award Date:10/27/2020
Estimated Total Award Amount: $ 152,097
Funds Obligated to Date: $ 152,097
  • FY 2020=$152,097
Start Date:08/16/2020
End Date:05/31/2022
Transaction Type:Grant
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:CRII: SaTC: Securing Containers in Multi-Tenant Environment via Augmenting Linux Control Groups
Federal Award ID Number:2054657
DUNS ID:059007500
Parent DUNS ID:059007500
Program:Secure &Trustworthy Cyberspace
Program Officer:
  • Indrajit Ray
  • (703) 292-5387

Awardee Location

Street:210 Hullihen Hall
Awardee Cong. District:00

Primary Place of Performance

Organization Name:University of Delaware
Cong. District:00

Abstract at Time of Award

Container technology provides a lightweight operating system level virtual hosting environment. It has been broadly adopted in various computation scenarios, including edge computing, serverless computing, and commercial clouds. Containers depend on multiple building blocks in the Linux kernel for resource isolation and control. Particularly, Linux Control Groups (i.e., cgroups) are leveraged to apply resource limits and account for resource usage for containers. However, those features in the Linux kernel may not provide the same level of security guarantees as conventional virtual machines. For example, breaking the resource control of cgroups would not only cause unfair resource sharing among multiple container instances, but also significantly reduce containers’ performance. This project intends to secure containers by systematically investigating security implications in cgroups and developing new defending systems to mitigate potential security threats in multi-tenant container environments. The research is expected to identify and address new security challenges in containers, and thus benefit both container service providers and customers. Educational and outreach activities include curriculum development in systems programming and cloud security, and research experience opportunities for women and minority students as well as for high school students. The project would systematically explore methods to break the resource rein of the existing cgroups mechanism, and comprehensively understand the security impacts on Linux containers. It develops a set of exploiting strategies to generate out-of-band workloads to escape cgroups. Novel kernel code analysis techniques are developed that use a combination of data flow, control flow and program dependency graphs to automatically uncover feasible exploitation cases available inside unprivileged containers with a set of cgroup resource controllers enabled. All potential exploits are quantitatively evaluated on multiple testbeds in realistic container environments under various attack scenarios. Specifically, a variety of real-world workloads are evaluated to understand the impact and severity of vulnerabilities. With better knowledge of the inadequacies in existing cgroup mechanism and related exploitations, the project develops lightweight defense mechanisms to secure containers and mitigate potential security threats. The proposed system is evaluated in terms of multiple aspects including performance and security. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

For specific questions or comments about this information including the NSF Project Outcomes Report, contact us.