Security analysis of Docker-based containerized environments
Overview
Operating System (OS) virtualization, also known as container-based virtualization, has gained momentum over the past few years thanks to its lightweight nature and support for agility. However, its compelling features come at the price of a reduced isolation level compared to the traditional host-based virtualization techniques, exposing workloads to various faults, such as container escape. Those faults might be manifested as host OS bugs, container runtime vulnerabilities, and/or poor container deployment choices and profile configuration. The latter aspect is particularly critical as deployment and security configuration choices often need to be relaxed to meet the operational requirements of running applications leading hence to a widened attack surface. For example, if a container configured to be run with full privilege (or even with an extended set of capabilities) gets compromised, the latter might take control both of the hosting machine and the co-residing containers. The objective of this project is to perform a security assessment of containerized environments in order to unveil potentially dangerous container deployment and configuration options. This would enable identifying critical containers to closely monitor their behavior and detect erroneous security states as they occur. For more concrete discussions, we consider Docker, which stands out as the most adopted container technology.
Expected deliverables
The expected outcome of this project is twofold. First, the student should come up with several real-life scenarios showcasing how potentially dangerous Docker container configuration and deployment options might be exploited in case of container compromise. Second, the student will collaborate with the team members to write a paper summarizing the findings exemplified by the previously defined scenarios.
Questions and Answers
Where to find answers to Frequently Asked Questions about applying to VSRP?
Contacts
Supervisors
Biography
Paulo Esteves-Veríssimo is a professor in the Computer Science (CS) program at KAUST. Previously, he was a professor and FNR PEARL Chair at the University of Luxembourg's (Uni.lu) Faculty of Science, Technology and Medicine (FSTM). He also led the CritiX Research Lab at the SnT Centre at Uni.lu, which achieved world-class results and established enduring research capacity in resilient computing, cybersecurity, and dependability.
He has also been a professor and a board member of the University of Lisbon (ULisboa), Portugal. At ULisboa, he created the Navigators research group and was the founding director of Laboratório de Sistemas Informáticos de Grande Escala (LaSIGE). From its founding in 1998, the computer science and engineering lab LaSIGE has carried out research in leading-edge areas backed by key indicators of excellence.
He was UNILU-SnT’s representative at the European Cyber Security Organization (ESCO) and member of its Scientific & Technical Committee (STC). He served as Chair of the IFIP WG 10.4 on Dependable Computing and Fault-Tolerance and vice-chair of the Steering Committee of the IEEE/IFIP DSN conference. He is a Fellow of the IEEE, a Fellow of the ACM and an associate editor of IEEE Transactions on Emerging Topics in Computing (TETC).
Research Interests
Professor Esteves-Veríssimo is interested in architectures, middleware and algorithms for resilient modular and distributed computing. In addition to examining paradigms and techniques that reconcile security and dependability, he also explores novel applications of these paradigms and techniques. By doing so, he achieves system resilience in areas such as autonomous vehicles, distributed control systems, digital health and genomics, and blockchain and cryptocurrency.
Dr. Esteves-Veríssimo’s research has featured in over 200 peer-reviewed international publications and five international books. He has delivered over 70 keynote speeches and distinguished lectures at reputable venues. As a systems and engineering specialist, he has contributed to designing and engineering several advanced industrial prototypes of distributed, fault-tolerant, secure or real-time systems developed through research and development.