SaTC: TTP: Medium: Reducing Container Kernel Attack Surface with TRACKS
New York University, New York NY
Investigators
Abstract
The infrastructure that powers modern cloud computing environments uses isolated environments called containers to help keep users' data safe. Unfortunately, containers remain vulnerable to flaws in the core operating system (the Linux kernel), which can be used to compromise the security and integrity of container environments. The TRACKS (TRimming Augments Container Kernel Security) project aims to strengthen the security of container environments by hardening the Linux kernel. The project's novelty is its use of how frequently code is executed as a measure of how likely that code is to contain security flaws. Prior NSF-supported research has found that frequently executed code is less likely to have serious security vulnerabilities; TRACKS will transition this security metric to practice by placing security monitoring and additional checks into the portions of the Linux kernel that are most likely to be vulnerable, and by working to incorporate these hardened kernels into real-world cloud environments. One benefit of this approach is that, because the checks are placed in code that is rarely executed, the additional security comes at a very low performance cost. The project's expected impact is a significant improvement in the security of containers running on the Linux kernel, which in turn will help protect the safety and privacy of millions of users. TRACKS works by first profiling the execution of the Linux kernel under a wide variety of common container workloads, producing a profile of the most commonly executed code paths. Next, the least commonly executed code is instrumented using an LLVM-based compiler pass that can, according to user-defined policies, insert logging, add exploit mitigations such as bounds checking and control-flow integrity, or even trigger a shutdown of the container when rare code is encountered.
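The profile-then-partition step described above, as an added illustration that is not code from the TRACKS project: per-function hit counts from several container workloads are aggregated, the functions covering 99% of all executions are treated as hot, and every other function receives a hardening policy (mitigate if it ran rarely, shut down the container if it never ran). The workload names, function names, hit counts and the 99% threshold are constructed for the example, not measured data.

```python
"""Cold-code selection for frequency-based kernel hardening (illustrative, not TRACKS code)."""
from collections import defaultdict

# Constructed profile: workload -> {kernel function: execution count}.
# Function names are illustrative; the counts are invented, not measured.
PROFILES = {
    "nginx":    {"tcp_sendmsg": 12000, "ext4_file_read_iter": 8000,
                 "do_sys_open": 900, "keyctl_read": 0, "ptrace_request": 0},
    "postgres": {"tcp_sendmsg": 4000, "ext4_file_read_iter": 15000,
                 "do_sys_open": 1200, "keyctl_read": 0, "ptrace_request": 2},
    "redis":    {"tcp_sendmsg": 20000, "ext4_file_read_iter": 300,
                 "do_sys_open": 50, "keyctl_read": 0, "ptrace_request": 0},
}

def aggregate(profiles):
    """Sum per-function hit counts across all profiled workloads."""
    totals = defaultdict(int)
    for counts in profiles.values():
        for fn, hits in counts.items():
            totals[fn] += hits
    return dict(totals)

def classify(totals, hot_fraction=0.99):
    """Hot = the most-executed functions that together cover hot_fraction of
    all executions; cold = everything else (including never-executed code)."""
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    grand = sum(totals.values())
    hot, cold, running = set(), set(), 0
    for fn, hits in ranked:
        if hits > 0 and running < hot_fraction * grand:
            hot.add(fn)
            running += hits
        else:
            cold.add(fn)
    return hot, cold

def build_policy(profiles, hot_fraction=0.99, rare="mitigate", never="kill"):
    """Map each function to the instrumentation a compiler pass would apply:
    'none' for hot code, `rare` for cold code that ran at least once in some
    workload, `never` for code no workload ever reached (assumed policy names)."""
    totals = aggregate(profiles)
    hot, cold = classify(totals, hot_fraction)
    policy = {fn: "none" for fn in hot}
    policy.update({fn: (never if totals[fn] == 0 else rare) for fn in cold})
    return policy

def instrumented_fraction(profiles, hot_fraction=0.99):
    """Share of all observed executions that would hit instrumented (cold) code;
    a small value is the basis for the low-overhead claim."""
    totals = aggregate(profiles)
    _, cold = classify(totals, hot_fraction)
    return sum(totals[fn] for fn in cold) / sum(totals.values())
```

With the constructed profile, only 2 of 61,452 observed executions land in instrumented code, so the extra checks cost almost nothing at runtime while covering the functions the workloads rarely or never exercise.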
In prior work, the investigators found that around 95% of kernel vulnerabilities were located in rarely executed code; as a result, the investigators expect that by creating these hardened kernels and working with cloud infrastructure providers to incorporate them into production environments, a significant improvement in cloud container security can be achieved. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.