TY - GEN
T1 - Security namespace
T2 - 27th USENIX Security Symposium
AU - Sun, Yuqiong
AU - Safford, David
AU - Zohar, Mimi
AU - Pendarakis, Dimitrios
AU - Gu, Zhongshu
AU - Jaeger, Trent
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Lightweight virtualization (i.e., containers) offers a virtual host environment for applications without the need for a separate kernel, enabling better resource utilization and improved efficiency. However, the shared kernel also prevents containers from taking advantage of security features that are available to traditional VMs and hosts. Containers cannot apply local policies to govern integrity measurement, code execution, mandatory access control, etc. to prevent application-specific security problems. Changes have been proposed to make kernel security mechanisms available to containers, but such changes are often ad hoc and expose the challenges of trusting containers to make security decisions without compromising the host system or other containers. In this paper, we propose security namespaces, a kernel abstraction that enables containers to have autonomous control over their security. The security namespace relaxes the global and mandatory assumption of kernel security frameworks, thus enabling containers to independently define security policies and apply them to a limited scope of processes. To preserve security, we propose a routing mechanism that can dynamically dispatch an operation to the set of containers whose security might be affected by the operation, therefore ensuring that a security decision made by one container cannot compromise the host or other containers. We demonstrate security namespaces by developing namespaces for integrity measurement and mandatory access control in the Linux kernel for use by Docker containers. Results show that security namespaces can effectively mitigate security problems within containers (e.g., malicious code execution) with less than 0.7% additional system call latency and almost identical application throughput. As a result, security namespaces enable containers to obtain autonomous control over their security without compromising the security of other containers or the host system.
UR - http://www.scopus.com/inward/record.url?scp=85062526209&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85062526209&partnerID=8YFLogxK
M3 - Conference contribution
T3 - Proceedings of the 27th USENIX Security Symposium
SP - 1423
EP - 1439
BT - Proceedings of the 27th USENIX Security Symposium
PB - USENIX Association
Y2 - 15 August 2018 through 17 August 2018
ER -