Publication
TrustCom/BigDataSE/ISPA 2016
Conference paper
Whispers between the containers: High-capacity covert channel attacks in Docker
Abstract
Over the last few years, the cloud computing industry has seen wider adoption of container-based technologies, and Docker has become the de facto standard among container-based approaches. However, Docker's security mechanisms are far from satisfactory, owing to its rapid development without adequate attention to security. This paper primarily identifies several possible covert channels against Docker, which can have critical consequences such as information leakage between one container and another (or even the host). Furthermore, we categorize the Linux capabilities used by Docker into different groups and, based on this classification, find a way to identify misconfigurations of capabilities. We show that false-negative capabilities are dangerous by finding a covert channel associated with them. The paper also demonstrates, through a call analysis approach, that false-positive capabilities are already well restricted by Docker's current isolation mechanism, so these capabilities can be securely granted to containers. The experimental results indicate that the proposed covert channels can reach a capacity as high as 733.5b/s at a precision no lower than 90%. Finally, the paper discusses what can be done when using Docker to increase its level of security.