Abstract—Linux containers are an important and widely used system because they consume few resources, start quickly and deliver high I/O performance, especially when compared to virtual machines (VMs) on hypervisors in multi-tenant environments. This paper focuses on how Linux containers, which are isolated only through software kernel mechanisms, can be secured against outside attacks on Docker by using Intel SGX technology. This mechanism is called SCONE. SCONE is useful because Linux containers (as managed by Docker or Kubernetes) give no guarantees about the security of application data inside a container. SCONE offers a secure C standard library interface that transparently encrypts and decrypts I/O data, reduces the performance impact of thread synchronization and system calls within SGX enclaves, and keeps the trusted computing base (TCB) small. SCONE also supports user-level threading and asynchronous system calls. Through analysis and study, this paper evaluates how SCONE protects unmodified applications with SGX.
Keywords—SCONE, SGX, Linux containers, security of Linux containers, small TCB size, enclaves
Many multi-tenant environments use LinuX Containers (LXC) to provide performance isolation for applications. Docker is used for packaging containers, and Docker Swarm (or Kubernetes) for deployment. Container-based virtualization is now widely used and has become a trend. Containers perform better than hardware virtualization (VMs) on a hypervisor: they provide faster start-up times, better I/O throughput and lower latency. They clearly provide weaker security guarantees than VMs, however, because the host operating system (OS) kernel must protect a larger interface and usually relies only on software mechanisms for isolation.
Container isolation mechanisms mainly protect the environment from untrusted containers. Tenants, on the other side, want not only protection from unreliable mechanisms but also confidentiality and integrity for their application data against unauthorized access by higher-privileged system software, including the operating system (OS) kernel and the hypervisor. Malicious users primarily look for unprotected spots in virtualized system software to attack, or they target the credentials of authorized administrators.
Recently, hardware mechanisms have emerged that protect user-level software from higher-privileged system software. Specifically, in 2015 Intel brought Software Guard eXtensions (SGX) to market for its CPUs. SGX provides support for secure enclaves. An enclave protects application code and data from access by other software, including higher-privileged software. The memory pages belonging to an enclave reside in the enclave page cache (EPC), and code outside the enclave cannot access them. SGX is therefore an ideal candidate for securing containers: if a container's application process executes inside an enclave, the confidentiality and integrity of its data are assured.
Using SGX to secure containers must address two basic problems. The first is minimizing the size of the trusted computing base (TCB) inside an enclave while still protecting existing applications in secure containers. The second is keeping the performance overhead of securing containers low by exploiting the possibilities of the SGX mechanism.
The trusted computing base (TCB) matters chiefly because of its size. According to other studies, the TCB of Windows applications executed inside enclaves is huge because of the libraries and the operating system (OS) they pull in. The TCB must be protected appropriately; otherwise a malicious user may access application data or compromise confidentiality. For that reason it is necessary to keep the size of a container's TCB inside an enclave minimal.
A further problem with enclaves is a general consequence of the OS kernel not being trusted: enclave code cannot execute system calls. An enclave thread must copy arguments to memory and leave the enclave before a system call. These transitions are very costly, because the thread saves and restores the enclave's execution state. Another source of delay, besides cache misses, is that cache lines must be decrypted when they are transferred from memory. In addition, accesses outside the enclave page cache (EPC) cause costly page faults.
To keep a minimal TCB size for secure containers, note first that containers typically perform network duties (e.g. NGINX, Redis, Memcached and Apache), so a small system support interface is considered essential. Communication with the outside happens through network connections or stdin/stdout streams, isolated or ephemeral file systems are used, and other I/O devices are not accessed directly. To lighten secure containers, enclave code can access memory outside the enclave without a performance penalty. Nevertheless, the overhead of crossing the enclave boundary (whether leaving or entering) remains high for applications with a high system-call frequency.
This paper mainly presents SCONE. The Secure CONtainer Environment (SCONE) for Docker uses the Software Guard eXtensions (SGX) mechanism to run Linux applications in secure containers. SCONE offers several necessary benefits.
The first benefit of SCONE is the minimized TCB size. SCONE provides a C standard library interface for the container's application. The C standard library is statically linked (using the libc library) inside the enclave. System calls remain safe even though they are executed outside the enclave, because of the built-in encryption and decryption function, which is applied per file descriptor. Beyond encrypting files that reside outside the enclave, network traffic is also protected by transport layer security (TLS). SCONE also supplies ephemeral file system semantics.
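To make the per-descriptor shielding concrete, here is an added example in C that is not SCONE's code or the paper's: a tiny interposition layer in which the application calls shield_open, shield_read and shield_write instead of the plain libc calls, and every byte is transformed with a per-descriptor keystream before it leaves the enclave side and after it comes back. The keystream generator (a splitmix64 mix, assumed here) is a constructed placeholder, not a secure cipher; a real shield would use authenticated encryption and also protect the file's integrity. The function names, the /tmp path and the demo key are all assumptions made for this example.

```c
/* Added example (not SCONE's code): per-file-descriptor I/O shield.
 * The toy keystream stands in for the authenticated cipher a real shield uses. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_FDS 64

/* Per-descriptor shield state: whether the fd is protected, its key, and the
 * stream position so reads and writes stay in sync with the keystream. */
struct shield { int active; uint64_t key; off_t pos; };
static struct shield g_shield[MAX_FDS];

/* Toy keystream block (splitmix64-style mix). Placeholder only, NOT secure. */
static uint64_t keystream_block(uint64_t key, uint64_t idx) {
    uint64_t z = key + idx * 0x9E3779B97F4A7C15ULL;
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* XOR buf with the keystream starting at stream offset pos. */
static void xor_stream(uint64_t key, off_t pos, unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint64_t off = (uint64_t)pos + i;
        uint64_t blk = keystream_block(key, off / 8);
        buf[i] ^= (unsigned char)(blk >> (8 * (off % 8)));
    }
}

/* "Enclave-side" API: the application calls these instead of libc directly. */
static int shield_open(const char *path, int flags, uint64_t key) {
    int fd = open(path, flags, 0600);
    if (fd < 0) return -1;
    if (fd >= MAX_FDS) { close(fd); return -1; }
    g_shield[fd] = (struct shield){ .active = 1, .key = key, .pos = 0 };
    return fd;
}

/* Encrypt before the data leaves the enclave side (at most 4096 bytes per call). */
static ssize_t shield_write(int fd, const void *buf, size_t n) {
    if (fd < 0 || fd >= MAX_FDS || !g_shield[fd].active) return write(fd, buf, n);
    unsigned char tmp[4096];
    if (n > sizeof tmp) n = sizeof tmp;
    memcpy(tmp, buf, n);
    xor_stream(g_shield[fd].key, g_shield[fd].pos, tmp, n);
    ssize_t w = write(fd, tmp, n);
    if (w > 0) g_shield[fd].pos += w;
    return w;
}

/* Decrypt after the data arrives from the untrusted side. */
static ssize_t shield_read(int fd, void *buf, size_t n) {
    if (fd < 0 || fd >= MAX_FDS || !g_shield[fd].active) return read(fd, buf, n);
    ssize_t r = read(fd, buf, n);
    if (r > 0) {
        xor_stream(g_shield[fd].key, g_shield[fd].pos, buf, (size_t)r);
        g_shield[fd].pos += r;
    }
    return r;
}

static int shield_close(int fd) {
    if (fd >= 0 && fd < MAX_FDS) g_shield[fd].active = 0;
    return close(fd);
}

/* Demo: write through the shield, read the raw bytes the kernel stored, then
 * read back through the shield. Returns 1 if the raw bytes differ from the
 * plaintext and the shielded read recovers it, 0 otherwise. */
static int shield_demo(void) {
    const char *path = "/tmp/scone_shield_demo.bin";     /* assumed temp path */
    const char msg[] = "secret application data";        /* constructed payload */
    const uint64_t key = 0x1234567890ABCDEFULL;          /* constructed demo key */
    int fd = shield_open(path, O_CREAT | O_TRUNC | O_WRONLY, key);
    if (fd < 0) return 0;
    if (shield_write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) { shield_close(fd); return 0; }
    shield_close(fd);

    unsigned char raw[64] = {0};
    int rfd = open(path, O_RDONLY);
    if (rfd < 0) return 0;
    ssize_t r = read(rfd, raw, sizeof raw);
    close(rfd);
    int raw_differs = r == (ssize_t)(sizeof msg - 1) && memcmp(raw, msg, sizeof msg - 1) != 0;

    char back[64] = {0};
    fd = shield_open(path, O_RDONLY, key);
    if (fd < 0) return 0;
    r = shield_read(fd, back, sizeof back - 1);
    shield_close(fd);
    unlink(path);
    return raw_differs && r == (ssize_t)(sizeof msg - 1) && strcmp(back, msg) == 0;
}

int main(void) {
    printf("shield round trip ok: %d\n", shield_demo());
    return 0;
}
```

The design point is that the application's view of read and write is unchanged; only the bytes crossing the boundary are transformed, keyed by descriptor, which is why a shield of this shape can be slid under an unmodified program.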
The second benefit relates to the frequent transitions of enclave threads, which cause an undesirably long delay. Here again SCONE provides the solution: it increases the time threads spend inside the enclave through a threading implementation that it also provides.
SCONE provides a mode of operation that avoids the thread synchronization problem. To do this, SCONE maps application threads onto operating system (OS) threads inside an enclave, modifying both OS threads and application threads. With SCONE, enclave threads no longer need to exit the enclave: it performs asynchronous system calls, in which OS threads outside the enclave execute the system calls. SCONE also minimizes the cost of frequent memory accesses from enclaves, which arises from the encryption of application data (e.g. network buffers, cached files).
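As an added illustration (not SCONE's implementation and not from the paper), the following C program shows the asynchronous system-call pattern described above: a thread standing in for an enclave thread never leaves its side; it places a request in a lock-free single-producer/single-consumer ring and waits for the result, while a separate OS thread drains the ring and performs the real read, write and getpid calls. The request structure, the ring size and the three-entry syscall table are assumptions made for the example; SCONE would switch to another user-level thread instead of spinning while it waits.

```c
/* Added example (not SCONE's code): asynchronous system calls through a
 * lock-free ring shared between an "enclave" thread and an outside OS thread. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define RING_SIZE 16u  /* must be a power of two */

enum sc_nr { SC_WRITE, SC_READ, SC_GETPID };  /* hypothetical mini syscall table */

struct sc_req {
    enum sc_nr nr;
    long args[3];
    long result;
    atomic_int done;   /* 0 = pending, 1 = outside thread has written result */
};

/* Single-producer / single-consumer ring of request pointers: one enclave
 * thread produces, one outside OS thread consumes. */
struct ring {
    struct sc_req *slots[RING_SIZE];
    atomic_uint head;  /* next slot the outside thread will consume */
    atomic_uint tail;  /* next slot the enclave thread will fill */
};
static struct ring g_ring;
static atomic_int g_stop;

/* Enclave side: queue a request and wait for the answer without leaving the
 * enclave (no exit/re-entry transition). */
static long enclave_syscall(enum sc_nr nr, long a0, long a1, long a2) {
    struct sc_req req = { .nr = nr, .args = { a0, a1, a2 }, .result = 0 };
    atomic_init(&req.done, 0);
    unsigned tail = atomic_load_explicit(&g_ring.tail, memory_order_relaxed);
    while (tail - atomic_load_explicit(&g_ring.head, memory_order_acquire) == RING_SIZE)
        ;  /* ring full: wait for the consumer */
    g_ring.slots[tail & (RING_SIZE - 1)] = &req;
    atomic_store_explicit(&g_ring.tail, tail + 1, memory_order_release);
    while (!atomic_load_explicit(&req.done, memory_order_acquire))
        ;  /* SCONE would run another user-level thread here instead of spinning */
    return req.result;
}

/* Outside side: an ordinary OS thread that drains the ring and performs the
 * real system calls on the enclave's behalf. */
static void *outside_syscall_thread(void *arg) {
    (void)arg;
    for (;;) {
        unsigned head = atomic_load_explicit(&g_ring.head, memory_order_relaxed);
        if (head == atomic_load_explicit(&g_ring.tail, memory_order_acquire)) {
            if (atomic_load(&g_stop)) break;   /* stop only once the ring is drained */
            continue;
        }
        struct sc_req *req = g_ring.slots[head & (RING_SIZE - 1)];
        switch (req->nr) {
        case SC_WRITE:  req->result = write((int)req->args[0], (const void *)(intptr_t)req->args[1], (size_t)req->args[2]); break;
        case SC_READ:   req->result = read((int)req->args[0], (void *)(intptr_t)req->args[1], (size_t)req->args[2]); break;
        case SC_GETPID: req->result = (long)getpid(); break;
        }
        atomic_store_explicit(&g_ring.head, head + 1, memory_order_release);
        atomic_store_explicit(&req->done, 1, memory_order_release);
    }
    return NULL;
}

/* Demo: push a write, a read and a getpid through the queue. Returns the number
 * of bytes that round-tripped through a pipe, or -1 on any mismatch. */
static long async_syscall_demo(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    atomic_store(&g_stop, 0);
    atomic_store(&g_ring.head, 0);
    atomic_store(&g_ring.tail, 0);
    pthread_t t;
    if (pthread_create(&t, NULL, outside_syscall_thread, NULL) != 0) return -1;

    static const char msg[] = "hello from inside";   /* constructed payload */
    char buf[64] = {0};
    long wrote = enclave_syscall(SC_WRITE, fds[1], (long)(intptr_t)msg, (long)(sizeof msg - 1));
    long got   = enclave_syscall(SC_READ,  fds[0], (long)(intptr_t)buf, (long)(sizeof buf - 1));
    long pid   = enclave_syscall(SC_GETPID, 0, 0, 0);

    atomic_store(&g_stop, 1);
    pthread_join(t, NULL);
    close(fds[0]);
    close(fds[1]);
    if (wrote != got || strcmp(buf, msg) != 0 || pid != (long)getpid()) return -1;
    return wrote;
}

int main(void) {
    printf("bytes round-tripped via async syscalls: %ld\n", async_syscall_demo());
    return 0;
}
```

Build with `cc -pthread` on Linux. The essential property to notice is that the enclave-side thread only touches the ring and its own request record; the arguments it hands over are already in memory the outside thread can read, which is exactly why the per-descriptor shielding of the previous paragraph is needed for any data that crosses this way.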
The third benefit of SCONE is based on Docker and secure containers. To the Docker engine, secure containers look like ordinary containers. Container images are reliable because they are created by specialists, so non-expert users can easily take advantage of SCONE because it provides security inside the container image. For secure containers SCONE requires Intel CPUs with SGX enabled. SGX provides a driver and an optional kernel module in order to perform asynchronous system calls.
Subsequently, an experimental evaluation of SCONE on SGX is carried out to find the performance of well-known software (e.g. Memcached, Redis, NGINX), which is 0.6–1.2 in performance and 0.6–2 in code size, although there are execution limitations in the implementations. In general, SCONE produces the benefits mentioned above, more specifically asynchronous system calls, security in containers and encrypted TLS user connections.
This paper is structured as follows. Section II gives the theoretical background on secure Linux containers, the SGX mechanism and the TCB as used by SCONE. Section III deals with SCONE and how it works. Section IV focuses on the evaluation of SCONE and its approach. Section VI details related work. Finally, Section VII concludes this survey, emphasizing the highlights of this paper.
II. SECURITY IN LINUX CONTAINERS
The aim of this paper is to study in depth how security in containers can be achieved and to ensure the integrity and trustworthiness of memory, code, execution outside the enclave and network I/O. This is very important because protection against malicious users is needed.
A. LinuX Containers (LXC)
LinuX Containers (LXC) is an operating system (OS) virtualization method in which multiple isolated containers (Linux systems) execute on a single host with one Linux kernel. This method is well known for packaging, deploying and managing different services (e.g. web servers). Virtual machines (VMs) require a hypervisor or a special operating system kernel; Linux containers do not. Instead, Linux containers rely on features of the Linux kernel to isolate processes, so there is no need to worry about system calls or hardware devices. As a result, processes inside the container run like normal processes, although some process characteristics (e.g. file systems) may cause delay. Linux containers in general offer a functional environment; they use a single operating system for I/O services and resources.
LinuX Containers (LXC) and Docker create containers using special features of the Linux kernel: control groups (cgroups) and namespaces. The namespace feature of the Linux kernel is responsible for proper resource management: a parent creates a child that has a specific set of resources, a root file system and virtual network devices. Execution isolation inside containers is provided by the cgroup feature, using the scheduler in the Linux kernel.
Kubernetes and Docker Swarm are frameworks for composing and deploying containers; they create and regulate the association between containers in a cluster. A micro-service architecture consists of containers that occupy few resources and have well-organized network interfaces.
B. Intel Software Guard eXtensions (SGX)
Intel CPUs' Software Guard eXtensions (SGX) give an application the ability to ensure privacy and integrity even when the operating system or hypervisor is compromised. This mechanism also provides security against malicious users with physical access, provided the CPU itself is not breached.