Smart Isolation in Large-Scale Production Computing Infrastructures
Background
Security isolation is a foundation of computing systems that enables resilience
to different forms of attacks. In the first step, our project seeks to
understand existing security isolation techniques by systematically classifying
different approaches and analyzing their properties. We provide a hierarchical
classification structure for grouping different security isolation techniques.
At the top level, we consider two principal aspects: mechanism and policy. Each
aspect is broken down into salient dimensions that describe key properties. We
break the mechanism into two dimensions, enforcement location and isolation
granularity, and break the policy aspect down into three dimensions: policy
generation, policy configurability, and policy lifetime. We apply our
classification to a set of representative articles that cover a breadth of
security isolation techniques and discuss tradeoffs among different design
choices and limitations of existing approaches.
In the second step, we target Docker containers to implement smart security
isolation techniques. Docker containers have recently become a popular approach
to provisioning multiple applications on shared physical hosts in a more
lightweight fashion than traditional virtual machines. This popularity has led
to the creation of the Docker Hub registry, which distributes a large number of
official and community images. Our project studies the state of security
vulnerabilities in Docker Hub images. We created a scalable Docker image
vulnerability analysis (DIVA) framework that automatically discovers, downloads,
and analyzes both official and community images on Docker Hub. Using this
framework, we studied 356,218 images and made several findings. Those
findings demonstrate a strong need for more automated and systematic methods of
applying security updates to Docker images, and our Docker image analysis
framework provides a foundation for such automatic security updates.
In follow-on work within this project, we focus on runtime intrusion detection
in Docker containers as well as efficient runtime security patching techniques.
People
Faculty
Current Students
Publications
- Yuhang Lin, Olufogorehan Tunde-Onadele, and Xiaohui Gu,
"CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications",
Proc. of the Annual Computer Security Applications Conference (ACSAC), Austin, Texas, December 2020.
- Olufogorehan Tunde-Onadele, Yuhang Lin, Jingzhu He, and Xiaohui Gu,
"Self-Patch: Beyond Patch Tuesday for Containerized Applications",
Proc. of the IEEE International Conference on Autonomic Computing and Self-Organizing Systems (ACSOS), Washington, DC, August 2020.
- Olufogorehan Tunde-Onadele, Yuhang Lin, Jingzhu He, and Xiaohui Gu,
"Toward Just-in-Time Patching for Containerized Applications",
Proc. of the 7th Annual Symposium on Hot Topics in the Science of Security (HotSoS), poster session, Lawrence, Kansas, September 2020.
- Olufogorehan Tunde-Onadele, Jingzhu He, Ting Dai, and Xiaohui Gu,
"A Study on Container Vulnerability Exploit Detection",
Proc. of the IEEE International Conference on Cloud Engineering (IC2E), Prague, Czech Republic, June 2019.
- Rui Shu, Xiaohui Gu, and William Enck,
"A Study of Security Vulnerabilities on Docker Hub",
Proc. of the ACM Conference on Data and Application Security and Privacy (CODASPY), Scottsdale, Arizona, March 2017.
- Rui Shu, Peipei Wang, Sigmund A. Gorski III, Benjamin Andow, Adwait Nadkarni,
Luke Deshotels, Jason Gionta, William Enck, and Xiaohui Gu,
"A Study of Security Isolation Techniques",
ACM Computing Surveys (CSUR), 2016.
Sponsors
- This work is supported by the NSA Science of Security
Lablet at North Carolina State University, under Contract
# H98230-14-C-0139.
Code & data release
- Data used in the CODASPY 2017 paper is available upon email request. (The data may only be used for research; if you use our data, please acknowledge our paper.)
- Data used in the IC2E 2019 paper can be downloaded here.
- Data used in the ACSAC 2020 paper can be downloaded here.