8,103 research outputs found
Lic-Sec: an enhanced AppArmor Docker security profile generator
Along with the rapid development of cloud computing technology,
containerization technology has drawn much attention from both industry and
academia. In this paper, we perform a comparative measurement analysis of
Docker-sec, which is a Linux Security Module proposed in 2018, and a new
AppArmor profile generator called Lic-Sec, which combines Docker-sec with a
modified version of LiCShield, which is also a Linux Security Module proposed
in 2015. Docker-sec and LiCShield can be used to enhance Docker container
security based on mandatory access control and allow protection of the
container without manual configuration. Lic-Sec brings together their
strengths and provides stronger protection. We evaluate the effectiveness and
performance of Docker-sec and Lic-Sec by testing them with real-world attacks.
We generate an exploit database with 42 exploits effective on Docker containers
selected from the latest 400 exploits on Exploit-db. We launch these exploits
on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations
show that for demanding images, Lic-Sec gives protection for all privilege
escalation attacks for which Docker-sec failed to give protection.
Development of automated tools for ensuring Docker security
The object of the study is ensuring the security of Docker.
The subject of the study is the development of automated software.
The aim of the study is to analyze existing Docker vulnerabilities and the
methods and tools for securing Docker, and to develop universal automated
software for configuring Docker security after installation or for improving
existing settings, which would speed up the basic security configuration
process and help users who are not even familiar with Docker protect their
systems.
The work contains a description of known Docker vulnerabilities; an analysis
of known methods and tools for securing Docker, highlighting those most
important for the stated aim of the study; a review of known utilities for
scanning a Docker system; and the development of universal automated software
for configuring Docker security on the target system.
Deploying AI Frameworks on Secure HPC Systems with Containers
The increasing interest in the usage of Artificial Intelligence techniques
(AI) from the research community and industry to tackle "real world" problems,
requires High Performance Computing (HPC) resources to efficiently compute and
scale complex algorithms across thousands of nodes. Unfortunately, typical data
scientists are not familiar with the unique requirements and characteristics of
HPC environments. They usually develop their applications with high-level
scripting languages or frameworks such as TensorFlow and the installation
process often requires connection to external systems to download open source
software during the build. HPC environments, on the other hand, are often based
on closed source applications that incorporate parallel and distributed
computing APIs such as MPI and OpenMP, while users have restricted
administrator privileges, and face security restrictions such as not allowing
access to external systems. In this paper we discuss the issues associated with
the deployment of AI frameworks in a secure HPC environment and how we
successfully deploy AI frameworks on SuperMUC-NG with Charliecloud.
Comment: 6 pages, 2 figures, 2019 IEEE High Performance Extreme Computing
Conference
Performance Evaluation of Microservices Architectures using Containers
Microservices architecture has started a new trend for application
development for a number of reasons: (1) to reduce complexity by using tiny
services; (2) to scale, remove and deploy parts of the system easily; (3) to
improve flexibility to use different frameworks and tools; (4) to increase the
overall scalability; and (5) to improve the resilience of the system.
Containers have empowered the usage of microservices architectures by being
lightweight, providing fast start-up times, and having a low overhead.
Containers can be used to develop applications based on monolithic
architectures where the whole system runs inside a single container or inside a
microservices architecture where one or few processes run inside the
containers. Two models can be used to implement a microservices architecture
using containers: master-slave, or nested-container. The goal of this work is
to compare the performance of CPU and network running benchmarks in the two
aforementioned models of microservices architecture and hence provide a benchmark
analysis guidance for system designers.
Comment: Submitted to the 14th IEEE International Symposium on Network
Computing and Applications (IEEE NCA15). Partially funded by European
Research Council (ERC) under the European Union's Horizon 2020 research and
innovation programme (grant agreement No 639595) - HiEST Project