ConfigRand: A Moving Target Defense Framework against the Shared Kernel Information Leakages for Container-based Cloud

Title: ConfigRand: A Moving Target Defense Framework against the Shared Kernel Information Leakages for Container-based Cloud
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Kong, Tong; Wang, Liming; Ma, Duohe; Chen, Kai; Xu, Zhen; Lu, Yijun
Conference Name: 2020 IEEE 22nd International Conference on High Performance Computing and Communications; IEEE 18th International Conference on Smart City; IEEE 6th International Conference on Data Science and Systems (HPCC/SmartCity/DSS)
Keywords: Access Control, cloud computing, cloud computing security, Conferences, container, Containers, Degradation, High performance computing, Linux, Metrics, moving target defense, Network security, pubcrawl, Scalability
Abstract: Lightweight virtualization, represented by container technology, provides a virtual environment for cloud services with more flexibility and efficiency because containers share the host kernel. However, the shared kernel also means that the system isolation mechanisms are incomplete: an attacker inside one container can read shared system configuration files to learn about the host and look for weaknesses to exploit. Previous work has mainly addressed the problem by modifying the operating system or applying access control policies, but these methods require significant modifications and cannot meet the security needs of individual containers precisely. In this paper, we present ConfigRand, a moving target defense framework that prevents the information leakages caused by the shared kernel in the container-based cloud. ConfigRand deploys deceptive system configurations for each container, limiting what an attacker scanning the shared kernel can learn. In the design of ConfigRand, we (1) propose a framework that applies the moving target defense philosophy to periodically generate, distribute, and deploy deceptive system configurations in the container-based cloud; (2) establish a model to formalize these configurations and quantify their heterogeneity; and (3) present a configuration movement strategy to evaluate and optimize the variation of configurations. The results show that ConfigRand can effectively prevent the information leakages caused by the shared kernel and applies to typical container applications with minimal system modification and performance degradation.
DOI: 10.1109/HPCC-SmartCity-DSS50907.2020.00104
Citation Key: kong_configrand_2020