Figure 3 - uploaded by Karen Scarfone
Container Technology Architecture Tiers, Components, and Lifecycle Phases

Contexts in source publication

Context 1
... organizations can continue to use VMs to deploy, partition, and manage their hardware, while using containers to package their apps and utilize each VM more efficiently. Figure 3 shows the five tiers of the container technology architecture: ...
Context 2
... way to understand the container technology architecture is to consider the container lifecycle phases, which are depicted at the bottom of Figure 3. The three phases are discussed in more detail below. ...

Citations

... It's like the regular DevOps story of re-architecting a monolithic application into a microservices-based application, only much worse because HPC application libraries tend to be gigabytes and terabytes in size [8]. And that's even before we start discussing all potential security issues (image vulnerabilities, malware, clear-text secrets, configuration issues, untrusted images, etc.) [63] or potential performance degradation [64]. ...
Preprint
In the past twenty years, the IT industry has moved away from using physical servers for workload management to workloads consolidated via virtualization and, in the next iteration, further consolidated into containers. In the next step, container workloads based on Docker and Podman as underlying container technologies were orchestrated/automated via Kubernetes or OpenShift. On the other hand, high-performance computing (HPC) environments have been lagging in that process, as there is still much work to figure out how to apply containerization platforms to HPC in real-life scenarios. Kubernetes and OpenShift have many advantages: generally speaking, container technologies use quite a bit less overhead from the computing perspective while providing many benefits in flexibility, modularity, and maintenance. Therefore, they are ideal for tasks requiring a lot of computing power. There are also some tradeoffs regarding the complexity of these two platforms: they are just not that user-friendly when used by people without years of experience managing them. In this paper, we propose a different architecture based on seamless hardware integration and user-friendly, dynamic workload placement based on real-time performance analysis and prediction coupled with Machine Learning-based scheduling.
... The NIST created a special publication especially for containers [99] in publication 800-190, named ...
Thesis
Containers have tremendously simplified the job of Information Technology (IT) specialists. They offer a complete system abstraction, from hardware to networking. While containers offer powerful features, their thin isolation layer with the host renders misconfigurations dangerous, as they may leave the system or other containers vulnerable. As container use is on the rise, so are attacks to break out of them. A category that is on the rise is automated attacks, which may allow an attacker to take over a system in a matter of seconds. We present a tool written in Rust to automate the exploration of containers, from their environment to breakout attacks, showing what an attacker could automatically achieve, as well as mitigation advice to reduce the attack surface. Our tool is capable of compromising very popular containers, especially with third-party-provided default configurations, and shows that breakouts could be achieved in seconds. We acknowledge that big organizations have assessed the risk of container breakouts and acted upon it, but notice no signs suggesting smaller organizations have followed through. We urge organizations to implement and enforce processes throughout the lifecycle of containers to reduce breakout risks, by implementing security measures at the very start of the container design.
... The life cycle of a container is tagged under three phases by Souppaya et al. (2017): the Build phase, the Distribution phase, and the Run phase. The application and its binaries are packaged into images by developers in the build phase. ...
... To meet the needs resulting from this new process of building, deploying, and managing the life cycle of applications, container technology has grown in adoption not only among large cloud providers, but also in various companies and government agencies. Tools for task management and automation have also been introduced for the orchestration of a massive volume of containers running on multiple computers distributed in clusters with great computational power [2]. Thus, this change that ranges from the application development cycle to the technological infrastructure that supports this operation has made institutions adapt to become true providers of private cloud, which according to [3], provide services that have essential characteristics such as on-demand self-service; broad network access; resource pooling; rapid elasticity; and measured service. ...
Article
Intrusion Detection Systems (IDS) still prevail as an important line of defense in modern computing environments. Cloud environment characteristics such as resource sharing, extensive connectivity, and agility in deploying new applications pose security risks that are increasingly exploited. New technologies like container platforms require IDS to evolve to effectively detect intrusive activities in these environments, and advancements in this regard are still necessary. In this context, this work proposes a framework for implementing an IDS focused on container platforms using machine learning techniques for anomaly detection in system calls. We contribute the ability to build a dataset of system calls and share it with the community; the generation of anomaly detection alerts in open-source applications to support the SOC through the analysis of these system calls; the possibility of implementing different machine learning algorithms and approaches to detect anomalies in system calls (such as frequency, sequence, and arguments, among other types of data) aiming at greater detection efficiency; and the ability to integrate the framework with other tools, improving collaborative security. A five-layer architecture was built using free tools and tested in a corporate environment emulated in the GNS3 software version 2.2.29. In an experiment conducted with a public system call dataset, it was possible to validate the operation and integration of the framework layers, achieving detection results superior to the work that originated the dataset.
... and provides software-based container isolation. Software-based container isolation exposes the risk of container runtime escape vulnerabilities and system privilege escalation [24]. A recent example of such a vulnerability is CVE-2022-0811 [25]. ...
... A container runtime manages the container life cycle and provides software-based container isolation. Software-based container isolation exposes the risk of container runtime escape vulnerabilities and system privilege escalation [15]. To mitigate these risks, a secure container runtime is used. ...
... Although container technologies give us a significant benefit throughout the deployment process, they also present new safety challenges when it comes to cyber security. In order to describe potential security concerns and recommendations associated with the use of containers, the National Institute of Standards and Technology (NIST) published a special publication, an application container security guide [4]. This guide divides a container's potential security threats into five categories: image risks, registry risks, orchestrator risks, container risks, and host OS risks. ...
... The developer will then need to ensure the integrity of the images (e.g., patch and re-image) throughout the lifecycle of the container and to run monitoring and logging mechanisms to keep the container and its users safe. The National Institute of Standards and Technology (NIST) published a comprehensive container security guide in 2017 [185]; it contained recommendations of best practices for specific components in a container architecture but did not provide working-level details or their application in practical use cases (e.g., via code repo, image registry, deployment, etc.). Therefore, there is a need for the research community to produce industry-relevant and practical guides for container security. ...
... Citation information: DOI 10.1109/ACCESS.2023.3268759

Threat | Tier | References
Information Disclosure | CORE/EDGE, ACCESS | [38], [39], [41]
DoS attacks | CORE/EDGE, ACCESS | [34], [38], [39], [41], [40], [11]
Malicious Northbound Applications | CORE/EDGE, ACCESS | [34], [41], [11]
Configuration issues | CORE/EDGE, ACCESS | [41], [40], [42], [11]
Virtualization: Hypervisor-based attacks, VM-based attacks | CORE/EDGE, ACCESS | [24]
VM image-based attacks | CORE/EDGE, ACCESS | [24], [25]
Container image-based attacks, Cross-container attack | CORE/EDGE, ACCESS | [26]

... the resources of another target slice, [...] make it out of service. Additionally, certain network functions in the control plane, such as NSSF, are mutual to multiple slices. ...
... Likewise, images often contain sensitive components like an organization's proprietary software and embedded secrets. If connections to registries are performed over insecure channels, the contents of images are subject to the same confidentiality risks as any other data transmitted in the clear [26]. By default, in most container runtimes, individual containers are able to access each other and the host OS over the network. ...
Article
This paper presents an ontology based on mutation techniques for the modelling of cybersecurity attacks and its application to 5G networks. Main concepts of network protocols, mutation operators, flow of network packets and network traffic are introduced. An ontology is designed based on different mutation operators that allow designing models that can be assimilated with known and unknown attacks. This approach has been implemented in our open source 5G network traffic fuzzer, 5Greplay, and has been applied to three use cases that are representative of attacks against 5G networks: NAS Replay attack, Denial of Service by Sending Malformed NGAP Packets and 5G encapsulation of IoT traffic.
... In this paper, we consider the OS container for our experiment. OS containers are best suited when you want to package different libraries, languages, databases, etc. An application container is best suited when you want to package the application as a component [20]. The architecture of a virtual machine and a container is illustrated in Figure 1. ...
Article
Container-based virtualization has gained significant popularity in recent years because of its simplicity in deployment and adaptability in terms of cloud resource provisioning. Containerization technology is the recent development in cloud computing systems that is more efficient, reliable, and has better overall performance than traditional virtual machine (VM) based technology. Containerized clouds produce better performance by maximizing host-level resource utilization and using a load-balancing technique. To this end, this article concentrates on distributing the workload among all available servers evenly. In this paper, we propose a Grey Wolf Optimization (GWO) based Simulated Annealing approach to counter the problem of load balancing in the containerized cloud that also considers the deadline miss rate. We have compared our results with the Genetic and Particle Swarm Optimization algorithms and evaluated the proposed algorithms by considering the parameters load variation and makespan. Our experimental results show that, in most cases, more than 97% of the tasks were meeting their deadline and the Grey Wolf Optimization Algorithm with Simulated Annealing (GWO-SA) performs better than all other approaches in terms of load variation and makespan.