
NSF Org: CNS Division Of Computer and Network Systems
Initial Amendment Date: October 27, 2020
Latest Amendment Date: October 27, 2020
Award Number: 2054657
Award Instrument: Standard Grant
Program Manager: Karen Karavanic, kkaravan@nsf.gov, (703) 292-2594, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering
Start Date: August 16, 2020
End Date: May 31, 2024 (Estimated)
Total Intended Award Amount: $152,097.00
Total Awarded Amount to Date: $152,097.00
Recipient Sponsored Research Office: 550 S COLLEGE AVE NEWARK DE US 19713-1324, (302) 831-2136
Primary Place of Performance: DE US 19716-0099
NSF Program(s): Secure & Trustworthy Cyberspace
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070
ABSTRACT
Container technology provides a lightweight, operating-system-level virtual hosting environment. It has been broadly adopted in various computation scenarios, including edge computing, serverless computing, and commercial clouds. Containers depend on multiple building blocks in the Linux kernel for resource isolation and control. In particular, Linux Control Groups (cgroups) are used to apply resource limits to containers and to account for their resource usage. However, these kernel features may not provide the same level of security guarantees as conventional virtual machines. For example, breaking the resource control of cgroups would not only cause unfair resource sharing among multiple container instances, but also significantly reduce containers' performance. This project intends to secure containers by systematically investigating the security implications of cgroups and developing new defense systems to mitigate potential security threats in multi-tenant container environments. The research is expected to identify and address new security challenges in containers, and thus benefit both container service providers and customers. Educational and outreach activities include curriculum development in systems programming and cloud security, and research experience opportunities for women and minority students as well as for high school students.
The project systematically explores methods to break the resource control of the existing cgroups mechanism and to comprehensively understand the security impact on Linux containers. It develops a set of exploitation strategies that generate out-of-band workloads, that is, work whose resource consumption is not charged to the cgroup that triggered it, to escape cgroups. Novel kernel code analysis techniques are developed that combine data-flow, control-flow, and program-dependency graphs to automatically uncover feasible exploitation cases available inside unprivileged containers with a set of cgroup resource controllers enabled. All potential exploits are quantitatively evaluated on multiple testbeds in realistic container environments under various attack scenarios. Specifically, a variety of real-world workloads are evaluated to understand the impact and severity of the vulnerabilities. With better knowledge of the inadequacies in the existing cgroup mechanism and the related exploits, the project develops lightweight defense mechanisms to secure containers and mitigate potential security threats. The proposed system is evaluated along multiple dimensions, including performance and security.
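The measurement side of the approach above, as an added example (not the project's fuzzer or any code from the award): to tell whether a workload escaped cgroup CPU accounting, compare the CPU time the host observed on all cores during the run (the aggregate `cpu` line of `/proc/stat`) with the time cgroup v2 charged to the workload's cgroup (`usage_usec` in `cpu.stat`). Kernel work done on the container's behalf but charged elsewhere shows up as a positive gap, which is the kind of resource-utilization feedback a fuzzer can use alongside code coverage. The `/proc/stat` and `cpu.stat` samples embedded below are constructed for illustration, and the default cgroup path is an assumption (the cgroup v2 root mount).

```python
"""Measure CPU time a workload consumed that its cgroup did not charge.

Added example for this page, not the project's tool. Constructed sample data
at the bottom; the live path reads /proc/stat and <cgroup>/cpu.stat on Linux
with cgroup v2.
"""
import os
import time


def clock_ticks_per_second():
    """USER_HZ, the unit of the jiffie counters in /proc/stat (100 on most Linux builds)."""
    try:
        return os.sysconf("SC_CLK_TCK")
    except (AttributeError, ValueError, OSError):
        return 100


def parse_cpu_stat(text):
    """Parse cgroup v2 cpu.stat ('key value' per line) into a dict of ints."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


PROC_STAT_FIELDS = ("user", "nice", "system", "idle", "iowait", "irq", "softirq", "steal")


def parse_proc_stat_cpu(text):
    """Return the aggregate 'cpu' line of /proc/stat as a dict of jiffie counters."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "cpu":
            values = [int(v) for v in parts[1:1 + len(PROC_STAT_FIELDS)]]
            return dict(zip(PROC_STAT_FIELDS, values))
    raise ValueError("no aggregate 'cpu' line in /proc/stat")


def busy_jiffies(cpu):
    """Everything except idle and iowait: time some CPU was actually executing."""
    return sum(v for k, v in cpu.items() if k not in ("idle", "iowait"))


def unaccounted_cpu_usec(proc_before, proc_after, cg_before, cg_after, clk_tck=None):
    """Host-observed busy CPU minus cgroup-charged CPU over the interval, in microseconds.

    A value far above zero on an otherwise quiet host means the workload drove
    CPU work that the cgroup's cpu controller never saw, and so could not limit.
    """
    clk_tck = clk_tck or clock_ticks_per_second()
    host_delta = busy_jiffies(parse_proc_stat_cpu(proc_after)) - busy_jiffies(parse_proc_stat_cpu(proc_before))
    host_usec = host_delta * 1_000_000 // clk_tck
    charged_usec = parse_cpu_stat(cg_after)["usage_usec"] - parse_cpu_stat(cg_before)["usage_usec"]
    return host_usec - charged_usec


def measure_workload(workload, cgroup_dir="/sys/fs/cgroup", clk_tck=None):
    """Run workload() on a live Linux host (cgroup v2) and return the unaccounted CPU.

    cgroup_dir is the cgroup the workload runs in (inside a container, its own
    cgroup as mounted there); the default is an assumed cgroup v2 root mount.
    """
    def snapshot():
        with open("/proc/stat") as f:
            proc = f.read()
        with open(os.path.join(cgroup_dir, "cpu.stat")) as f:
            cg = f.read()
        return proc, cg
    proc0, cg0 = snapshot()
    workload()
    proc1, cg1 = snapshot()
    return unaccounted_cpu_usec(proc0, proc1, cg0, cg1, clk_tck)


# Constructed samples: 1700 busy jiffies (17 s at USER_HZ=100) seen by the host,
# but only 2 s charged to the cgroup, so 15 s of CPU went unaccounted.
SAMPLE_PROC_BEFORE = "cpu 1000 0 500 90000 100 0 50 0\ncpu0 500 0 250 45000 50 0 25 0\n"
SAMPLE_PROC_AFTER = "cpu 1200 0 1500 90100 100 0 550 0\ncpu0 600 0 750 45050 50 0 275 0\n"
SAMPLE_CG_BEFORE = "usage_usec 5000000\nuser_usec 4000000\nsystem_usec 1000000\nnr_periods 50\nnr_throttled 0\nthrottled_usec 0\n"
SAMPLE_CG_AFTER = "usage_usec 7000000\nuser_usec 5500000\nsystem_usec 1500000\nnr_periods 70\nnr_throttled 20\nthrottled_usec 800000\n"


def sample_unaccounted_usec():
    """The gap for the constructed samples above, with USER_HZ pinned to 100."""
    return unaccounted_cpu_usec(SAMPLE_PROC_BEFORE, SAMPLE_PROC_AFTER,
                                SAMPLE_CG_BEFORE, SAMPLE_CG_AFTER, clk_tck=100)


if __name__ == "__main__":
    print("constructed sample gap:", sample_unaccounted_usec(), "usec")
    if os.path.exists("/sys/fs/cgroup/cpu.stat"):
        def burn():
            end = time.monotonic() + 1.0
            while time.monotonic() < end:
                pass
        print("live gap:", measure_workload(burn), "usec")
```

The caveat a practitioner needs: `/proc/stat` counts every process on the host, so a live measurement only means something on a quiet machine or with the workload pinned to otherwise idle cores; the gap is a signal to investigate (which kernel path did the work, and which cgroup got charged), not proof of an escape by itself.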
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
Note: When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval). Some links on this page may take you to non-federal websites. Their policies may differ from this site.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Container technology has gained significant popularity and importance across various domains including cloud computing and software development. Ensuring the security of containers is crucial, as they should provide robust isolation and protection, particularly in multi-tenant environments where multiple users share the same physical infrastructure. This project investigates security issues in Linux containers such as Docker, and aims to develop lightweight systems that enhance container security.
In this project, we have designed, developed, and open-sourced several tools to identify and mitigate potential security issues in Linux containers. Specifically, we have created a fuzzing tool for Linux containers to automatically detect out-of-band workloads that can escape resource control. This tool generates containerized workloads and mutates sequences of system calls to breach isolation boundaries, combining traditional code coverage feedback with resource utilization measurements. The tool also supports parallel execution and is compatible with multiple container runtimes, including both native and sandboxed environments. It has successfully identified several previously unknown vulnerabilities. Additionally, we have researched potential security issues in container registries, platforms that allow developers to publish, maintain, and manage container images. Our empirical studies on both public and private container registries have focused on the issue of typosquatting, where users inadvertently download malicious container images due to typographical errors. We have developed a lightweight tool that can be integrated into the Docker CLI to mitigate the potential issues.
We have investigated container-related security issues in various scenarios such as cloud and serverless computing. For instance, we have developed a secured container sharing system designed to enhance serverless computing performance. By incorporating multiple practical optimizations from modern caching and leveraging deep learning techniques, this system supports secure function instance sharing among different tenants while reducing container cold starts. Trace-driven experiments with serverless computing benchmarks across multiple scenarios demonstrate the system's substantial performance improvements. Furthermore, we have researched the improper use of containers and their potential security issues in the software development process, where containers are commonly used as sandboxes. Improper usage can lead to serious problems, such as privilege escalation or sensitive data leakage. To address this, we developed tools to identify security issues across various continuous integration platforms and disclosed several vulnerabilities. Moreover, we have also investigated new side-channel attacks in computer systems within multi-tenant cloud environments.
Finally, this project has created new educational opportunities, supporting multiple Ph.D. and undergraduate students. Portions of the project have been incorporated into the curriculum at the University of Delaware. Specifically, the PI has developed hands-on labs to offer practical experience with Linux containers and their associated security issues. Additionally, the PI has given public lectures to engage a broader audience in cybersecurity research.
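The typosquatting check described in the outcomes report above, as an added example that is not the project's tool: a pre-pull hook resolves an image reference the way the Docker CLI does (no registry means `docker.io`, a bare name on Docker Hub means the `library/` namespace), then compares the repository name against a list of popular official images by Damerau-Levenshtein distance, so `ubunut` or `pyhton:3.12` is flagged before anything is pulled. The list of "popular" names is a constructed sample; a real deployment would derive it from registry pull counts.

```python
"""Flag image references that are a typo away from a popular official image.

Added example for this page, not the project's Docker CLI tool. The list of
popular official images is constructed for illustration.
"""

# Constructed sample of well-known Docker Hub official images.
POPULAR_OFFICIAL = {"ubuntu", "python", "nginx", "redis", "alpine",
                    "node", "postgres", "mysql", "golang", "busybox"}


def normalize_reference(ref):
    """Resolve a Docker image reference to (registry, repository path, tag-or-digest).

    Mirrors the CLI's defaults: no registry -> docker.io, no namespace on
    docker.io -> library/, no tag -> latest. A digest is kept as '@sha256:...'.
    """
    name, sep, digest = ref.partition("@")
    if sep:
        tag = "@" + digest
    else:
        # The part after the last ':' is a tag only if it is not part of a host:port.
        head, sep2, tail = name.rpartition(":")
        if sep2 and "/" not in tail:
            name, tag = head, tail
        else:
            tag = "latest"
    parts = name.split("/")
    # The first path component is a registry host if it looks like one.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", name
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return registry, path, tag


def damerau_levenshtein(a, b):
    """Optimal-string-alignment edit distance: insert, delete, substitute, or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. ubunut/ubuntu
    return d[len(a)][len(b)]


def typosquat_candidates(ref, known=POPULAR_OFFICIAL, max_distance=2):
    """Return [(official_name, distance), ...] that `ref` may be impersonating.

    Distance 0 with a non-library namespace (e.g. someone/nginx) is reported too,
    since a same-name repository under another user is the other common squat.
    """
    registry, path, _ = normalize_reference(ref)
    if registry != "docker.io":
        return []  # only Docker Hub defaults are modelled here
    namespace, _, repo = path.partition("/")
    if namespace == "library" and repo in known:
        return []  # the genuine official image
    hits = [(k, damerau_levenshtein(repo, k)) for k in known]
    return sorted((h for h in hits if h[1] <= max_distance), key=lambda h: (h[1], h[0]))


def check_before_pull(ref):
    """Pre-pull hook: return a warning string, or None if the reference looks fine."""
    hits = typosquat_candidates(ref)
    if not hits:
        return None
    name, dist = hits[0]
    return f"refusing to pull {ref!r}: looks like {name!r} (edit distance {dist}); use library/{name} if that is what you meant"


if __name__ == "__main__":
    for ref in ("ubunut", "pyhton:3.12", "someone/nginx", "library/python:3.12", "ghcr.io/org/ubunut"):
        print(ref, "->", check_before_pull(ref))
```

The distance threshold is a tuning knob: 2 catches most one-finger slips and transpositions but will also flag short legitimate names that happen to be near an official one, so the hook should ask the user to confirm rather than block outright.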
Last Modified: 08/06/2024
Modified by: Xing Gao