Co-residency Attacks on Containers are Real

Sushrut Shringarputale, Patrick Mcdaniel, Kevin Butler, Thomas La Porta

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Public clouds are inherently multi-tenant: applications deployed by different parties (including malicious ones) may reside on the same physical machines and share various hardware resources. With the introduction of newer hypervisors, containerization frameworks like Docker, and managed/orchestrated clusters using systems like Kubernetes, cloud providers downplay the feasibility of co-tenant attacks by marketing a belief that applications do not operate on shared hardware. In this paper, we challenge the conventional wisdom that attackers cannot confirm co-residency with a victim application from inside state-of-the-art containers running on virtual machines. We analyze the degree of vulnerability present in containers running on various systems including within a broad range of commercially utilized orchestrators. Our results show that on commercial cloud environments including AWS and Azure, we can obtain over 90% success rates for co-residency detection using real-life workloads. Our investigation confirms that co-residency attacks are a significant concern on containers running on modern orchestration systems.

Original languageEnglish (US)
Title of host publicationCCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop
PublisherAssociation for Computing Machinery, Inc
Pages53-66
Number of pages14
ISBN (Electronic)9781450380843
DOIs
StatePublished - Nov 9 2020
Event11th ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW 2020 - Virtual, Online, United States
Duration: Nov 9 2020 → …

Publication series

NameCCSW 2020 - Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop

Conference

Conference11th ACM SIGSAC Conference on Cloud Computing Security Workshop, CCSW 2020
CountryUnited States
CityVirtual, Online
Period11/9/20 → …

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Co-residency Attacks on Containers are Real'. Together they form a unique fingerprint.

Cite this