Lic-Sec: An enhanced AppArmor Docker security profile generator

Zhu, Hui; Gehrmann, Christian

Lic-Sec: An enhanced AppArmor Docker security profile generator

Mark

Zhu, Hui ^LU and Gehrmann, Christian ^LU (2021) In Journal of Information Security and Applications 61.

Abstract: Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance... (More); Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 40 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec and LiCShield failed to give protection. (Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/31628bce-9790-406f-b24b-55b43668ee2b

author

Zhu, Hui ^LU and Gehrmann, Christian ^LU

organization

Networks and Security (research group)

publishing date

2021-07-22

type

Contribution to journal

publication status

published

subject

keywords

Docker-sec, LiCShield, Lic-Sec, Container, Security evaluation, Docker

in

Journal of Information Security and Applications

volume

61

article number

102924

publisher

Elsevier

external identifiers

scopus:85110180656

ISSN

2214-2126

DOI

10.1016/j.jisa.2021.102924

project

Cloudification of Production Engineering for Predictive Digital Manufacturing

Cyber Security for Next Generation Factory (SEC4FACTORY)

language

English

LU publication?

yes

id

31628bce-9790-406f-b24b-55b43668ee2b

date added to LUP

2021-08-18 10:21:21

date last changed

2023-04-02 08:39:46

@article{31628bce-9790-406f-b24b-55b43668ee2b,
  abstract     = {{Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 40 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec and LiCShield failed to give protection.}},
  author       = {{Zhu, Hui and Gehrmann, Christian}},
  issn         = {{2214-2126}},
  keywords     = {{Docker-sec; LiCShield; Lic-Sec; Container; Security evaluation; Docker}},
  language     = {{eng}},
  month        = {{07}},
  publisher    = {{Elsevier}},
  series       = {{Journal of Information Security and Applications}},
  title        = {{Lic-Sec: An enhanced AppArmor Docker security profile generator}},
  url          = {{http://dx.doi.org/10.1016/j.jisa.2021.102924}},
  doi          = {{10.1016/j.jisa.2021.102924}},
  volume       = {{61}},
  year         = {{2021}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

Lic-Sec: An enhanced AppArmor Docker security profile generator