Smart Isolation in Large-Scale Production Computing Infrastructures
Security isolation is a foundation of computing systems that enables resilience
to different forms of attacks. In the first step, our project seeks to
understand existing security isolation techniques by systematically classifying
different approaches and analyzing their properties. We provide a hierarchical
classification structure for grouping different security isolation techniques.
At the top level, we consider two principal aspects: mechanism and policy. Each
aspect is broken down into salient dimensions that describe key properties. We
break the mechanism into two dimensions, enforcement location and isolation
granularity, and break the policy aspect down into three dimensions: policy
generation, policy configurability, and policy lifetime. We apply our
classification to a set of representative articles that cover a breadth of
security isolation techniques and discuss tradeoffs among different design
choices and limitations of existing approaches.
In the second step, we target Docker containers to implement smart security
isolation techniques. Docker containers have recently become a popular approach
to provision multiple applications over shared physical hosts in a more
lightweight fashion than traditional virtual machines. This popularity has led
to the creation of the Docker Hub registry, which distributes a large number of
official and community images. Our project studies the state of security
vulnerabilities in Docker Hub images. We create a scalable Docker image
vulnerability analysis (DIVA) framework that automatically discovers, downloads,
and analyzes both official and community images on Docker Hub. Using our
framework, we have studied 356,218 images and made several findings. Those
findings demonstrate a strong need for more automated and systematic methods of
applying security updates to Docker images, and our current Docker image analysis
framework provides a good foundation for such automated security updates.
In the next phase of this project, we focus on runtime intrusion detection in
Docker containers as well as efficient runtime security patching techniques.
- Rui Shu, Xiaohui Gu, and William Enck,
"A Study of Security Vulnerabilities on Docker Hub",
Proc. of the ACM Conference on Data and Application Security and Privacy
(CODASPY), Scottsdale, Arizona, March 2017.
- Rui Shu, Peipei Wang, Sigmund A. Gorski III, Benjamin Andow, Adwait Nadkarni,
Luke Deshotels, Jason Gionta, William Enck, and Xiaohui Gu,
"A Study of Security Isolation Techniques",
ACM Computing Surveys,
- This work is supported by the NSA Science of Security
Lablet at North Carolina State University, under Contract
Code & data release
- Data used in the CODASPY 2017 paper is available upon email request. (The data can only be used for research. If you use our data, please acknowledge our paper.)