A Study on the Security Implications of Information Leakages in Container Clouds
IEEE Transactions on Dependable and Secure Computing ( IF 7.3 ) Pub Date : 2021-01-01 , DOI: 10.1109/tdsc.2018.2879605
Xing Gao , Benjamin Steenkamer , Zhongshu Gu , Mehmet Kayaalp , Dimitrios Pendarakis , Haining Wang

Container technology provides a lightweight operating system level virtual hosting environment. Its emergence profoundly changes the development and deployment paradigms of multi-tier distributed applications. However, due to the incomplete implementation of system resource isolation mechanisms in the Linux kernel, some security concerns still exist for multiple containers sharing an operating system kernel on a multi-tenancy container-based cloud service. In this paper, we first present the information leakage channels we discovered that are accessible within containers. Such channels expose a spectrum of system-wide host information to containers without proper resource partitioning. By exploiting such leaked host information, it becomes much easier for malicious adversaries (acting as tenants in a container cloud) to launch attacks that might impact the reliability of cloud services. We demonstrate that the information leakage channels could be exploited to infer private data, detect and verify co-residence, build covert channels, and launch more advanced cloud-based attacks. We discuss the root causes of the containers’ information leakage and propose a two-stage defense approach. As demonstrated in the evaluation, our defense is effective and incurs trivial performance overhead.

Chinese translation:

A Study of the Security Risks of Information Leakage in Container Clouds

Container technology provides a lightweight operating-system-level virtual hosting environment. Its emergence has profoundly changed the development and deployment paradigms of multi-tier distributed applications. However, because the implementation of system resource isolation mechanisms in the Linux kernel is incomplete, security problems remain when multiple containers share a single operating system kernel on a multi-tenant, container-based cloud service. In this paper, we first present the information leakage channels we discovered that are accessible from within containers. Such channels expose a range of system-wide host information to containers without proper resource partitioning. By exploiting this leaked host information, it becomes much easier for a malicious attacker (acting as a tenant in the container cloud) to launch attacks that may affect the reliability of cloud services. We demonstrate that the information leakage channels can be exploited to infer private data, detect and verify co-residence, build covert channels, and launch more advanced cloud-based attacks. We discuss the root causes of container information leakage and propose a two-stage defense approach. As the evaluation demonstrates, our defense is effective and incurs negligible performance overhead.
Updated: 2021-01-01