LUP Student Papers

LUND UNIVERSITY LIBRARIES

Converting Hardware to a Container Solution and its Security Implication

Strömberg, Gustav LU (2021) EITM01 20211
Department of Electrical and Information Technology
Abstract
Hardware today can be inaccessible to users due to cost or the customer's desire for
flexibility. By using virtualization one can reduce customer costs while increasing
flexibility. To do this, companies might need to redesign or migrate their hardware
to suit a virtualized environment. However, migration from custom to virtual
hardware introduces security risks. This thesis therefore explores the possibility
of transforming a hardware solution into a container solution while retaining
sufficient security.

The work was divided into two steps: studying how the container can be protected,
and implementing the container. Two tools were considered for increasing security:
SCONE and Lic-Sec. The former uses Intel SGX to run the container's application
inside an enclave, mitigating attacks from the host machine, while the latter
generates an AppArmor profile that can shield the container from other containers.
The container was developed with Podman as its container engine, since Podman
isolates the container in a user namespace and allows systemd to run inside the
container, which was a requirement for the container to function.

The development of the container was a success; however, due to the structure of
the container, neither tool could be used to enhance its security. Nevertheless,
the thesis shows that such systems can run in a container, although modifications
to the hardware running the container, or other tools, are needed to obtain
sufficient security for public use. Future research is needed to determine whether
a single container can be replaced with a cluster, which could increase security.
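The choice of Podman above rests on the container's root user being confined to a user namespace, so that uid 0 inside the container maps to an unprivileged uid on the host rather than to host root. The shell snippet below is an added example, not code from the thesis, that makes this check from the kernel's uid_map format (/proc/<pid>/uid_map, one "inside outside count" line per mapped range). The function names and the three sample maps are constructed for illustration and are not values captured from the thesis's container.

```shell
#!/bin/sh
# Added example, not from the thesis: read a uid_map in the kernel's format
# and decide whether "root" inside the namespace is really an unprivileged
# host user. Each uid_map line is "<inside-start> <outside-start> <count>".

# Print the host uid that uid 0 inside the namespace maps to,
# or "unmapped" if no range covers uid 0.
host_uid_of_container_root() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 <= 0 && 0 < $1 + $3 {
            # uid 0 lies in this range: host uid = outside + (0 - inside)
            print $2 + (0 - $1)
            found = 1
            exit
        }
        END { if (!found) print "unmapped" }'
}

# Return 0 if container root maps to a non-zero host uid, 1 otherwise
# (identity mapping 0 -> 0, or uid 0 not mapped at all).
root_is_unprivileged() {
    host=$(host_uid_of_container_root "$1")
    if [ "$host" = "unmapped" ] || [ "$host" -eq 0 ]; then
        return 1
    fi
    return 0
}

# Constructed sample maps (hypothetical values, not captured from the thesis):
# rootless Podman for host uid 1000 with an /etc/subuid range starting at 100000
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'
# rootful container, or the host's own initial namespace: identity mapping
ROOTFUL_MAP='         0          0 4294967295'
# a namespace in which uid 0 is left unmapped
NOROOT_MAP='         1     100000      65536'

# Check the namespace this script itself is running in.
check_self() {
    root_is_unprivileged "$(cat /proc/self/uid_map)"
}

for name in ROOTLESS_MAP ROOTFUL_MAP NOROOT_MAP; do
    eval "map=\$$name"
    if root_is_unprivileged "$map"; then
        echo "$name: container root -> host uid $(host_uid_of_container_root "$map") (confined)"
    else
        echo "$name: container root is host root or unmapped (NOT confined)"
    fi
done
```

For real input, run `cat /proc/1/uid_map` inside the container, or `podman unshare cat /proc/self/uid_map` on the host to see the mapping rootless Podman applies for the invoking user. A first line of the form `0 0 N` means the container's root is host root, which is exactly the situation the user-namespace isolation is meant to avoid.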
author: Strömberg, Gustav LU
course: EITM01 20211
year: 2021
type: H2 - Master's Degree (Two Years)
keywords: Security, Container, Intel SGX, Lic-Sec, SCONE, Axis
report number: LU/LTH-EIT 2021-844
language: English
id: 9065214
date added to LUP: 2021-09-14 09:57:11
date last changed: 2021-09-24 10:13:49
@misc{9065214,
  author       = {{Strömberg, Gustav}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Converting Hardware to a Container Solution and its Security Implication}},
  year         = {{2021}},
}