Whispers between the containers: High-capacity covert channel attacks in Docker

Abstract

Over the last few years, the cloud computing industry has witnessed the wider adoption of the container-based technologies. And it is obvious to see that Docker has become the de facto standard of the container-based approaches. However, the security mechanism of Docker is far from satisfaction owing to its rapid development without adequate security concerns. This paper primarily identifies several possible covert channels against Docker, which causes critical results like information leak between one container and another (or even the host). Furthermore, we also categorizes the Linux capabilities used by Docker into different groups and find a way to identify the misconfiguration of capabilities based on our classification result. We prove false-negative capabilities to be dangerous by finding a covert channel associated with them. The paper also demonstrates how false-positive capabilities are already well restricted by the current isolating mechanism of Docker via a call analysis approach. So these capabilities can be securely granted to the containers. The experimental results indicate that the proposed covert channels can reach a capacity as high as 733.5b/s at the precision no lower than 90%. At last, the paper discusses what could be done when using Docker to increase its level of security.