Lic-Sec: An enhanced AppArmor Docker security profile generator

Research output: Contribution to journalArticlepeer-review

Abstract

Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 40 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec and LiCShield failed to give protection.
Original languageEnglish
Article number102924
JournalJournal of Information Security and Applications
Volume61
Issue number0
DOIs
Publication statusPublished - 2021

Subject classification (UKÄ)

  • Computer Science
  • Computer Systems

Free keywords

  • Docker-sec
  • LiCShield
  • Lic-Sec
  • Container
  • Security evaluation
  • Docker

Fingerprint

Dive into the research topics of 'Lic-Sec: An enhanced AppArmor Docker security profile generator'. Together they form a unique fingerprint.

Cite this