Lic-Sec: an enhanced AppArmor Docker security profile generator

Hui Zhu and Christian Gehrmann

Abstract: Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control, and they allow protection of a container without manual configuration. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We build an exploit database of 42 exploits that are effective on Docker containers, selected from the latest 400 exploits on Exploit-db. We launch these exploits against containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection against all privilege escalation attacks for which Docker-sec failed to give protection.

Category / Keywords: applications / Docker-sec, LiCShield, Lic-Sec, Container, Security Evaluation, Docker.

Date: received 21 Sep 2020, withdrawn 28 Oct 2020

Contact author: hui zhu at eit lth se

Note: There is a duplicate version of the preprint of this paper, so we withdraw this preprint.

Version: 20201028:092501

