8,103 research outputs found

    Lic-Sec: an enhanced AppArmor Docker security profile generator

    Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allow protection of the container without manual configuration. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 42 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-db. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec failed to give protection.

    Development of automated tools for Docker security

    The object of the study is Docker security. The subject of the study is the development of automated software. The aim of the study is to analyze existing Docker vulnerabilities and the methods and tools for securing Docker, and to develop universal automated software that configures Docker security after installation or improves already existing settings, which would speed up the basic security configuration process and help users who are not even familiar with Docker protect their systems. The work contains a description of known Docker vulnerabilities; an analysis of known methods and tools for securing Docker, highlighting those most important for the stated aim of the study; a review of well-known utilities for scanning a Docker system; and the development of universal automated software for configuring Docker security on the target system.

    Deploying AI Frameworks on Secure HPC Systems with Containers

    The increasing interest in the usage of Artificial Intelligence techniques (AI) from the research community and industry to tackle "real world" problems, requires High Performance Computing (HPC) resources to efficiently compute and scale complex algorithms across thousands of nodes. Unfortunately, typical data scientists are not familiar with the unique requirements and characteristics of HPC environments. They usually develop their applications with high-level scripting languages or frameworks such as TensorFlow and the installation process often requires connection to external systems to download open source software during the build. HPC environments, on the other hand, are often based on closed source applications that incorporate parallel and distributed computing APIs such as MPI and OpenMP, while users have restricted administrator privileges, and face security restrictions such as not allowing access to external systems. In this paper we discuss the issues associated with the deployment of AI frameworks in a secure HPC environment and how we successfully deploy AI frameworks on SuperMUC-NG with Charliecloud. Comment: 6 pages, 2 figures, 2019 IEEE High Performance Extreme Computing Conference

    Performance Evaluation of Microservices Architectures using Containers

    Microservices architecture has started a new trend for application development for a number of reasons: (1) to reduce complexity by using tiny services; (2) to scale, remove and deploy parts of the system easily; (3) to improve flexibility to use different frameworks and tools; (4) to increase the overall scalability; and (5) to improve the resilience of the system. Containers have empowered the usage of microservices architectures by being lightweight, providing fast start-up times, and having a low overhead. Containers can be used to develop applications based on monolithic architectures where the whole system runs inside a single container or inside a microservices architecture where one or few processes run inside the containers. Two models can be used to implement a microservices architecture using containers: master-slave, or nested-container. The goal of this work is to compare the performance of CPU and network running benchmarks in the two aforementioned models of microservices architecture hence provide a benchmark analysis guidance for system designers. Comment: Submitted to the 14th IEEE International Symposium on Network Computing and Applications (IEEE NCA15). Partially funded by European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 639595) - HiEST Project