Paper 2020/1147

Lic-Sec: an enhanced AppArmor Docker security profile generator

Hui Zhu and Christian Gehrmann

Abstract

Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allow protection of the container without manual configuration. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 42 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-db. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec failed to give protection.

Note: There is a double version of the preprint of this paper, so we withdraw this preprint.

Metadata
Available format(s)
-- withdrawn --
Category
Applications
Publication info
Published elsewhere. https://arxiv.org/abs/2009.11572
Keywords
Docker-sec, LiCShield, Lic-Sec, Container, Security Evaluation, Docker
Contact author(s)
hui zhu @ eit lth se
History
2020-10-28: withdrawn
2020-09-25: received
Short URL
https://ia.cr/2020/1147
License
Creative Commons Attribution
CC BY