Co-residency Attacks on Containers are Real
| Autor: | Kevin R. B. Butler, Patrick McDaniel, Thomas F. La Porta, Sushrut Shringarputale |
|---|---|
| Rok vydání: | 2020 |
| Předmět: |
Computer science
business.industry Containerization 020206 networking & telecommunications Hypervisor Cloud computing 02 engineering and technology Virtualization computer.software_genre Computer security Virtual machine 0202 electrical engineering electronic engineering information engineering 020201 artificial intelligence & image processing Orchestration (computing) Side channel attack business computer Vulnerability (computing) |
| Zdroj: | CCSW@CCS |
| Popis: | Public clouds are inherently multi-tenant: applications deployed by different parties (including malicious ones) may reside on the same physical machines and share various hardware resources. With the introduction of newer hypervisors, containerization frameworks like Docker, and managed/orchestrated clusters using systems like Kubernetes, cloud providers downplay the feasibility of co-tenant attacks by marketing a belief that applications do not operate on shared hardware. In this paper, we challenge the conventional wisdom that attackers cannot confirm co-residency with a victim application from inside state-of-the-art containers running on virtual machines. We analyze the degree of vulnerability present in containers running on various systems including within a broad range of commercially utilized orchestrators. Our results show that on commercial cloud environments including AWS and Azure, we can obtain over 90% success rates for co-residency detection using real-life workloads. Our investigation confirms that co-residency attacks are a significant concern on containers running on modern orchestration systems. |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|