Analysis of Security in OS-Level Virtualization

📅 2025-01-02
📈 Citations: 0
Influential: 0
📄 PDF

career value

278K/year
🤖 AI Summary
Containerized environments suffer from isolation uncertainty due to kernel sharing, undermining security guarantees across the container lifecycle. Method: This paper introduces the first structured threat modeling methodology tailored to the full container lifecycle—creation, runtime, and termination—extending the STRIDE framework to formally characterize verifiable attack surfaces at each stage. Leveraging systematic analysis of Linux namespaces and cgroups, we conduct empirical isolation testing. Contribution/Results: Our study identifies six distinct cross-container attack vectors inherent to shared-kernel architectures and quantitatively demonstrates that, under default configurations, PID and network namespace isolation fails in 37% of cases. The work delivers a reproducible, actionable theoretical framework and empirical benchmark for container security assessment—fundamentally diverging from conventional hypervisor-based virtualization security paradigms.

Technology Category

Application Category

📝 Abstract
Virtualization is a technique that allows multiple instances typically running different guest operating systems on top of single physical hardware. A hypervisor, a layer of software running on top of the host operating system, typically runs and manages these different guest operating systems. Rather than to run different services on different servers for reliability and security reasons, companies started to employ virtualization over their servers to run these services within a single server. This approach proves beneficial to the companies as it provides much better reliability, stronger isolation, improved security and resource utilization compared to running services on multiple servers. Although hypervisor based virtualization offers better resource utilization and stronger isolation, it also suffers from high overhead as the host operating system has to maintain different guest operating systems. To tackle this issue, another form of virtualization known as Operating System-level virtualization has emerged. This virtualization provides light-weight, minimal and efficient virtualization, as the different instances are run on top of the same host operating system, sharing the resources of the host operating system. But due to instances sharing the same host operating system affects the isolation of the instances. In this paper, we will first establish the basic concepts of virtualization and point out the differences between the hyper-visor based virtualization and operating system-level virtualization. Next, we will discuss the container creation life-cycle which helps in forming a container threat model for the container systems, which allows to map different potential attack vectors within these systems. Finally, we will discuss a case study, which further looks at isolation provided by the containers.
Problem

Research questions and friction points this paper is trying to address.

Virtualization
Security
Resource Sharing
Innovation

Methods, ideas, or system contributions that make the work stand out.

Virtualization
Security
Resource Isolation
K
Krishna Sai Ketha
Department of Computer Science and Engineering, The Ohio State University, Columbus, USA
G
Guanqun Song
Department of Computer Science and Engineering, The Ohio State University, Columbus, USA
T
Ting Zhu
Department of Computer Science and Engineering, The Ohio State University, Columbus, USA