Abstract
OS-level virtualization (a.k.a. container) has become a fundamental technology in cloud computing due to the efficiency provided by the shared-kernel design. However, this design results in containers sharing thousands of kernel variables and data structures (termed *abstract resources*), which are prevalent but under-protected. Without exploiting other kernel vulnerabilities, a non-privileged container can easily exhaust abstract resources to cause DoS attacks against other containers. Even worse, our experiments demonstrate that abstract resource attacks are a broad class of attacks that affect Linux, FreeBSD, Fuchsia, and all shared-kernel container environments on the top four cloud vendors. To defend against the abstract resource attack, we automatically analyze vulnerable abstract resources in the Linux kernel and detect 501 container-exhaustible resources. To confine these abstract resources dynamically, we propose two new techniques: the flexible in-kernel attachment for flexible resource consumption attachment and the tree-based resource accounting for efficient usage retrieval. Based on these two techniques, we design and implement a **fl**exible **a**bstract re**s**ource confinement framewor**k**, named Flask, to achieve flexible and efficient abstract resource confinement. Our evaluation shows Flask can efficiently limit abstract resource usage with less than 0.6% performance overhead.
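The abstract's two defensive ideas, per-container confinement of a shared kernel resource and tree-based accounting that makes usage lookups cheap, can be modelled in user space. The following is an added illustration written for this page, not Flask's code or anything from the paper's authors; the node/resource names and the 100-unit host pool are constructed. Each node (host, container, or a group inside a container) keeps its own counter for every resource, so reading usage at any level is a direct lookup rather than a walk over all descendants, and a charge is admitted only if every ancestor's limit would still hold:

```python
"""Hypothetical user-space model of hierarchical (tree-based) abstract resource
accounting.  Added illustration only; NOT Flask's implementation.  All names and
numbers are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccountNode:
    """One node of the accounting tree: the host root, a container, or a group
    inside a container.  `limits` maps a resource name to the maximum usage
    allowed at this node; a resource with no entry is uncapped here, though an
    ancestor may still cap it."""
    name: str
    parent: Optional["AccountNode"] = None
    limits: Dict[str, int] = field(default_factory=dict)
    usage: Dict[str, int] = field(default_factory=dict)
    children: List["AccountNode"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def ancestors(self):
        """Yield this node, then each parent up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def charge(self, resource: str, amount: int = 1) -> bool:
        """Consume `amount` units of `resource` on behalf of this node.
        Every node on the path to the root is checked BEFORE any counter is
        touched, so a rejected request leaves no partial charge behind.
        Returns True if the charge was admitted, False if any level would
        exceed its limit."""
        for node in self.ancestors():
            cap = node.limits.get(resource)
            if cap is not None and node.usage.get(resource, 0) + amount > cap:
                return False
        for node in self.ancestors():
            node.usage[resource] = node.usage.get(resource, 0) + amount
        return True

    def uncharge(self, resource: str, amount: int = 1) -> None:
        """Release units previously charged; counters never go below zero."""
        for node in self.ancestors():
            node.usage[resource] = max(0, node.usage.get(resource, 0) - amount)

    def current(self, resource: str) -> int:
        """Usage at this level is stored, not recomputed, so the lookup costs
        O(1) no matter how many descendants the node has."""
        return self.usage.get(resource, 0)


def exhaustion_scenario(per_container_cap: Optional[int]):
    """Constructed scenario: a host-wide pool of 100 units of one shared
    resource, two containers, and one container that allocates until refused.
    Returns (units the greedy container obtained, whether the other container's
    single allocation afterwards succeeded)."""
    RES = "shared_kernel_object"  # constructed resource name
    host = AccountNode("host", limits={RES: 100})
    lim = {RES: per_container_cap} if per_container_cap is not None else {}
    greedy = AccountNode("ctr-a", parent=host, limits=dict(lim))
    other = AccountNode("ctr-b", parent=host, limits=dict(lim))

    obtained = 0
    while greedy.charge(RES):
        obtained += 1
    other_ok = other.charge(RES)
    return obtained, other_ok


if __name__ == "__main__":
    # Unconfined: the whole host pool is drained and the neighbour is starved.
    print("no per-container cap:", exhaustion_scenario(None))
    # Confined: the greedy container stops at its cap; the neighbour still works.
    print("cap of 40 per container:", exhaustion_scenario(40))
```

Running the module prints the two scenarios: without a per-container cap the greedy node takes all 100 units and the neighbour's allocation is refused; with a cap of 40 it is stopped at 40 and the neighbour is served. The check-then-commit order in `charge` matters: checking and incrementing in one pass would leave stale partial charges on lower nodes whenever a higher node rejects.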
Field | Value
---|---
Original language | English (US)
Pages (from-to) | 1-17
Number of pages | 17
Journal | IEEE Transactions on Dependable and Secure Computing
DOIs | 
State | Accepted/In press - 2024
Bibliographical note
Publisher Copyright: IEEE
Keywords
- Abstract resource attack
- OS-level virtualization
- shared kernel