TY - GEN
T1 - Co-residency Attacks on Containers are Real
AU - Shringarputale, Sushrut
AU - McDaniel, Patrick
AU - Butler, Kevin
AU - La Porta, Thomas
N1 - Publisher Copyright:
© 2020 ACM.
PY - 2020/11/9
Y1 - 2020/11/9
N2 - Public clouds are inherently multi-tenant: applications deployed by different parties (including malicious ones) may reside on the same physical machines and share various hardware resources. With the introduction of newer hypervisors, containerization frameworks like Docker, and managed/orchestrated clusters using systems like Kubernetes, cloud providers downplay the feasibility of co-tenant attacks by marketing a belief that applications do not operate on shared hardware. In this paper, we challenge the conventional wisdom that attackers cannot confirm co-residency with a victim application from inside state-of-the-art containers running on virtual machines. We analyze the degree of vulnerability present in containers running on various systems including within a broad range of commercially utilized orchestrators. Our results show that on commercial cloud environments including AWS and Azure, we can obtain over 90% success rates for co-residency detection using real-life workloads. Our investigation confirms that co-residency attacks are a significant concern on containers running on modern orchestration systems.
UR - http://www.scopus.com/inward/record.url?scp=85097385327&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85097385327&partnerID=8YFLogxK
U2 - 10.1145/3411495.3421357
DO - 10.1145/3411495.3421357
M3 - Conference contribution
AN - SCOPUS:85097385327
T3 - CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop
SP - 53
EP - 66
BT - CCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop
PB - Association for Computing Machinery, Inc
T2 - 11th ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW 2020
Y2 - 9 November 2020
ER -