Lic-Sec: An enhanced AppArmor Docker security profile generator
(2021) In Journal of Information Security and Applications 61.
- Abstract
- Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allow protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 40 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec and LiCShield failed to give protection.
Please use this url to cite or link to this publication:
https://lup.lub.lu.se/record/31628bce-9790-406f-b24b-55b43668ee2b
- author
- Zhu, Hui LU and Gehrmann, Christian LU
- organization
- publishing date
- 2021-07-22
- type
- Contribution to journal
- publication status
- published
- subject
- keywords
- Docker-sec, LiCShield, Lic-Sec, Container, Security evaluation, Docker
- in
- Journal of Information Security and Applications
- volume
- 61
- article number
- 102924
- publisher
- Elsevier
- external identifiers
- scopus:85110180656
- ISSN
- 2214-2126
- DOI
- 10.1016/j.jisa.2021.102924
- project
- Cloudification of Production Engineering for Predictive Digital Manufacturing
- Cyber Security for Next Generation Factory (SEC4FACTORY)
- language
- English
- LU publication?
- yes
- id
- 31628bce-9790-406f-b24b-55b43668ee2b
- date added to LUP
- 2021-08-18 10:21:21
- date last changed
- 2023-04-02 08:39:46
@article{31628bce-9790-406f-b24b-55b43668ee2b,
  abstract = {{Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 40 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec and LiCShield failed to give protection.}},
  author = {{Zhu, Hui and Gehrmann, Christian}},
  issn = {{2214-2126}},
  keywords = {{Docker-sec; LiCShield; Lic-Sec; Container; Security evaluation; Docker}},
  language = {{eng}},
  month = {{07}},
  publisher = {{Elsevier}},
  series = {{Journal of Information Security and Applications}},
  title = {{Lic-Sec: An enhanced AppArmor Docker security profile generator}},
  url = {{http://dx.doi.org/10.1016/j.jisa.2021.102924}},
  doi = {{10.1016/j.jisa.2021.102924}},
  volume = {{61}},
  year = {{2021}},
}