Towards Understanding and Defeating Abstract Resource Attacks for Container Platforms

Wenbo Shen, Yifei Wu, Yutian Yang, Qirui Liu, Nanzi Yang, Jinku Li, Kangjie Lu, Jianfeng Ma

Research output: Contribution to journal, Article, peer-review

Abstract

OS-level virtualization (a.k.a. container) has become a fundamental technology in cloud computing due to the efficiency provided by the shared-kernel design. However, this design results in containers sharing thousands of kernel variables and data structures (termed abstract resources), which are prevalent but under-protected. Without exploiting other kernel vulnerabilities, a non-privileged container can easily exhaust abstract resources to cause DoS attacks against other containers. Even worse, our experiments demonstrate that abstract resource attacks are a broad class of attacks that affect Linux, FreeBSD, Fuchsia, and all shared-kernel container environments on the top four cloud vendors. To defend against the abstract resource attack, we automatically analyze vulnerable abstract resources in the Linux kernel and detect 501 container-exhaustible resources. To confine these abstract resources dynamically, we propose two new techniques: the flexible in-kernel attachment for flexible resource consumption attachment and the tree-based resource accounting for efficient usage retrieval. Based on these two techniques, we design and implement a flexible abstract resource confinement framework, named Flask, to achieve flexible and efficient abstract resource confinement. Our evaluation shows Flask can efficiently limit abstract resource usage with less than 0.6% performance overhead.

Original language: English (US)
Pages (from-to): 1-17
Number of pages: 17
Journal: IEEE Transactions on Dependable and Secure Computing
State: Accepted/In press - 2024

Bibliographical note

Publisher Copyright:
IEEE

Keywords

  • Abstract resource attack
  • OS-level virtualization
  • shared kernel
