Lund University Publications

LUND UNIVERSITY LIBRARIES

Lic-Sec: An enhanced AppArmor Docker security profile generator

Zhu, Hui LU and Gehrmann, Christian LU (2021) In Journal of Information Security and Applications 61.
Abstract
Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 40 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec and LiCShield failed to give protection.
type: Contribution to journal
publication status: published
keywords: Docker-sec, LiCShield, Lic-Sec, Container, Security evaluation, Docker
in: Journal of Information Security and Applications
volume: 61
article number: 102924
publisher: Elsevier
external identifiers: scopus:85110180656
ISSN: 2214-2126
DOI: 10.1016/j.jisa.2021.102924
project:
  • Cloudification of Production Engineering for Predictive Digital Manufacturing
  • Cyber Security for Next Generation Factory (SEC4FACTORY)
language: English
LU publication?: yes
id: 31628bce-9790-406f-b24b-55b43668ee2b
date added to LUP: 2021-08-18 10:21:21
date last changed: 2023-04-02 08:39:46
@article{31628bce-9790-406f-b24b-55b43668ee2b,
  abstract     = {{Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 40 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec and LiCShield failed to give protection.}},
  author       = {{Zhu, Hui and Gehrmann, Christian}},
  issn         = {{2214-2126}},
  keywords     = {{Docker-sec; LiCShield; Lic-Sec; Container; Security evaluation; Docker}},
  language     = {{eng}},
  month        = {{07}},
  publisher    = {{Elsevier}},
  series       = {{Journal of Information Security and Applications}},
  title        = {{Lic-Sec: An enhanced AppArmor Docker security profile generator}},
  url          = {{http://dx.doi.org/10.1016/j.jisa.2021.102924}},
  doi          = {{10.1016/j.jisa.2021.102924}},
  volume       = {{61}},
  year         = {{2021}},
}