Information Leakages of Docker Containers: Characterization and Mitigation Strategies

Marco Zuppelli, Matteo Repetto, Luca Caviglione, Enrico Cambiaso
2023

Abstract

Compared to classic virtual machines, containers offer lightweight and dynamic execution environments. Hence, they are core building blocks for the development of future softwarized networks and cloud-native applications. However, containers still pose many security challenges, which are less understood compared to other virtualization paradigms. An important aspect often neglected concerns techniques enabling containers to leak data outside their execution perimeters, e.g., to exfiltrate sensitive information or coordinate attacks. In this paper we investigate security impacts of covert communications based on the looser isolation of memory statistics information. Our characterization indicates that the investigation of system calls should be considered a prime tool to reveal the presence of collusive attack schemes. We also elaborate on two mitigation techniques: the first entails prevention via "hardening" configurations of containers, while the second implements a run-time disruption mechanism.
Istituto di Elettronica e di Ingegneria dell'Informazione e delle Telecomunicazioni - IEIIT
Istituto di Matematica Applicata e Tecnologie Informatiche - IMATI
Keywords: information hiding, covert channels, container security, cybersecurity
Files in this record:
File: prod_480870-doc_197601.pdf (authorized users only)
Description: Information Leakages of Docker Containers: Characterization and Mitigation Strategies
Type: Publisher's version (PDF)
Size: 302.89 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.14243/462246