Zhi Li (Huazhong University of Science and Technology), Zhen Xu (Huazhong University of Science and Technology), Weijie Liu (Nankai University), XiaoFeng Wang (Nanyang Technological University), Hai Jin (Huazhong University of Science and Technology), Zheli Liu (Nankai University)

The isolation offered by containers today is achieved through leveraging Linux namespaces and cgroups in a highly coordinated way. This foundation for container protection, however, has been shaken by the evolution of computing paradigms, particularly the emergence of serverless computing with strong demands for resource sharing across namespaces. Such sharing weakens the container’s isolation model, inducing namespace-cgroup desynchronization (NCD) vulnerabilities, as discovered in our research. In this paper, we present a study on such risks, aiming at identifying their root causes and understanding their implications. Our research reveals that popular container tools all suffer from NCD risks, as evidenced by our discovery of four new vulnerabilities and one bug. Fundamentally, namespace sharing expands a container’s isolation boundary, which may contravene the restrictions set by the cgroups, thereby undermining the combined protection provided by both mechanisms. This contention often cannot be reconciled by existing container tools.

To address this challenge and meet the demands for namespace sharing, we propose a kernel-level solution to unify the fragmented responsibilities of namespaces and cgroups in monitoring the resources for container instances. Our design bonds the resource management handled by namespaces with the resource restrictions enforced by cgroups, and identifies the collaborative policies that they should follow. The analysis and evaluation demonstrate that our approach effectively mitigates the NCD risks, as well as incurs a negligible cost to the Linux kernel, mainstream container tools, and real-world applications, maintaining full compatibility with these systems.

View More Papers

Kangaroo: A Private and Amortized Inference Framework over WAN...

Wei Xu (Xidian University), Hui Zhu (Xidian University), Yandong Zheng (Xidian University), Song Bian (Beihang University), Ning Sun (Xidian University), Hao Yuan (Xidian University), Dengguo Feng (School of Cyber Science and Technology), Hui Li (Xidian University)

Read More

MVP-ORAM: a Wait-free Concurrent ORAM for Confidential BFT Storage

Robin Vassantlal (LASIGE, Faculdade de Ciências, Universidade de Lisboa, Portugal), Hasan Heydari (LASIGE, Faculdade de Ciências, Universidade de Lisboa, Portugal), Bernardo Ferreira (LASIGE, Faculdade de Ciências, Universidade de Lisboa, Portugal), Alysson Bessani (LASIGE, Faculdade de Ciências, Universidade de Lisboa, Portugal)

Read More

BKPIR: Keyword PIR for Private Boolean Retrieval

Jie Song (Institute of Information Engineering, Chinese Academy of Sciences; Intelligent Policing Key Laboratory of Sichuan Province, Sichuan Police College; School of Cyber Security, University of Chinese Academy of Sciences), Zhen Xu (Institute of Information Engineering, Chinese Academy of Sciences), Yan Zhang (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University…

Read More