Security analysis of Docker-based containerized environmentsApply
Operating System (OS) virtualization, also known as container-based virtualization, has gained momentum over the past few years thanks to its lightweight nature and support for agility. However, its compelling features come at the price of a reduced isolation level compared to the traditional host-based virtualization techniques, exposing workloads to various faults, such as container escape. Those faults might be manifested as host OS bugs, container runtime vulnerabilities, and/or poor container deployment choices and profile configuration. The latter aspect is particularly critical as deployment and security configuration choices often need to be relaxed to meet the operational requirements of running applications leading hence to a widened attack surface. For example, if a container configured to be run with full privilege (or even with an extended set of capabilities) gets compromised, the latter might take control both of the hosting machine and the co-residing containers. The objective of this project is to perform a security assessment of containerized environments in order to unveil potentially dangerous container deployment and configuration options. This would enable identifying critical containers to closely monitor their behavior and detect erroneous security states as they occur. For more concrete discussions, we consider Docker, which stands out as the most adopted container technology.
Program - Computer Science
Division - Computer, Electrical and Mathematical Sciences and Engineering
Faculty Lab Link - https://cemse.kaust.edu.sa/cyberesil/people/person/paulo-verissimo
Center Affiliation - Resilient Computing and Cybersecurity Center
Field of Study - Security, OS cybersecurity, virtualization, Docker
Professor, Computer Science and Director, Resilient Computing and Cybersecurity Center (Computer, Electrical and Mathematical Science and Engineering Division)
Desired Project Deliverables
The expected outcome of this project is twofold. First, the student should come up with several real-life scenarios showcasing how potentially dangerous Docker container configuration and deployment options might be exploited in case of container compromise. Second, the student will collaborate with the team members to write a paper summarizing the findings exemplified by the previously defined scenarios.