Conference paper: IEEE International Conference on Cyber Security and Cloud Computing

Secure Cloud Container: Runtime Behavior Monitoring Using Most Privileged Container (MPC)


Abstract

Hypervisor-based virtualization has rapidly become a commodity and has proved valuable in many scenarios, such as resource optimization, uptime maximization, and server consolidation. Container-based application virtualization is a suitable way to build lightweight partitioning, providing application isolation with less overhead. Container-based virtualization undoubtedly delivers a lightweight and efficient environment, but it also raises security concerns, because the isolated processes share the underlying host kernel. This article proposes a new security layer built around a Most Privileged Container (MPC). The proposed MPC layer consists of three functional blocks: access policies, a blacklist database, and runtime monitoring. The MPC layer implements privilege-based access control and assigns resource access permissions according to policies and the security profiles of the containerized application's user processes. The monitoring block examines the runtime behavior of each container, and the blacklist database is updated when a container violates its policies. The proposed MPC layer thus provides a higher level of security for application containers against potential threats.
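The abstract describes the MPC layer only at block level. The following is an added example, not code from the paper or its authors, that models the three blocks in Python: a per-profile access policy with default deny, a runtime monitor that records every denied access, and a blacklist that is updated once a container crosses a violation threshold. The resource naming scheme (`file:`, `net:`, `syscall:` prefixes), the `web-frontend` profile, the threshold of three violations, and the event stream are all assumptions constructed for the illustration. In a real deployment the enforcement point would sit at the kernel boundary (seccomp filters, LSM hooks, or an audit stream), not in a Python loop.

```python
"""Toy model of the MPC layer's three blocks: access policies, a blacklist
database and runtime monitoring.  Added illustration; the policy format,
profile names, resource prefixes and violation threshold are assumptions,
not the paper's design."""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AccessEvent:
    """One resource access observed at runtime for a container."""
    container: str
    resource: str   # assumed scheme: "file:<path>", "net:<host>:<port>", "syscall:<name>"
    action: str     # "read", "write", "exec", "connect", "invoke"


@dataclass
class SecurityProfile:
    """Access policy for one class of containerized application (assumed format)."""
    name: str
    allow: dict[str, frozenset[str]]                               # resource glob -> permitted actions
    deny: dict[str, frozenset[str]] = field(default_factory=dict)  # explicit deny always wins

    def permits(self, resource: str, action: str) -> bool:
        for pattern, actions in self.deny.items():
            if fnmatchcase(resource, pattern) and action in actions:
                return False
        for pattern, actions in self.allow.items():
            if fnmatchcase(resource, pattern) and action in actions:
                return True
        return False  # default deny: anything not listed is unreachable


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class MPC:
    """Most Privileged Container: assigns profiles, checks every access event,
    and blacklists containers that keep violating their policy."""

    def __init__(self, profiles: list[SecurityProfile], max_violations: int = 3):
        self._profiles = {p.name: p for p in profiles}
        self._assigned: dict[str, str] = {}                    # container -> profile name
        self._violations: dict[str, list[AccessEvent]] = {}    # runtime-monitoring log
        self.blacklist: set[str] = set()                       # blacklist database
        self.max_violations = max_violations

    def register(self, container: str, profile: str) -> None:
        if profile not in self._profiles:
            raise KeyError(f"unknown security profile {profile!r}")
        self._assigned[container] = profile
        self._violations[container] = []

    def check(self, event: AccessEvent) -> Decision:
        if event.container in self.blacklist:
            return Decision(False, "container is blacklisted")
        profile_name = self._assigned.get(event.container)
        if profile_name is None:
            return Decision(False, "unregistered container")
        if self._profiles[profile_name].permits(event.resource, event.action):
            return Decision(True, f"allowed by profile {profile_name}")
        # Runtime-monitoring block: log the violation and update the blacklist.
        self._violations[event.container].append(event)
        if len(self._violations[event.container]) >= self.max_violations:
            self.blacklist.add(event.container)
            return Decision(False, "policy violation; container blacklisted")
        return Decision(False, f"denied by profile {profile_name}")

    def violations(self, container: str) -> list[AccessEvent]:
        return list(self._violations.get(container, []))


# Assumed profile for a web front-end container.
WEB_PROFILE = SecurityProfile(
    name="web-frontend",
    allow={"file:/var/www/*": frozenset({"read"}),
           "file:/tmp/*": frozenset({"read", "write"}),
           "net:*:443": frozenset({"connect"})},
    deny={"syscall:ptrace": frozenset({"invoke"}),
          "syscall:mount": frozenset({"invoke"})},
)

# Constructed event stream: a web container that drifts away from its profile.
SAMPLE_EVENTS = [
    AccessEvent("web-1", "file:/var/www/index.html", "read"),
    AccessEvent("web-1", "net:api.example.internal:443", "connect"),
    AccessEvent("web-1", "file:/etc/shadow", "read"),          # violation 1
    AccessEvent("web-1", "file:/bin/sh", "exec"),              # violation 2
    AccessEvent("web-1", "syscall:ptrace", "invoke"),          # violation 3 -> blacklisted
    AccessEvent("web-1", "file:/var/www/index.html", "read"),  # was allowed before; now denied
]


def run_demo() -> tuple[list[bool], set[str]]:
    """Feed the constructed stream through the MPC and return decisions and blacklist."""
    mpc = MPC([WEB_PROFILE], max_violations=3)
    mpc.register("web-1", "web-frontend")
    results = [mpc.check(ev).allowed for ev in SAMPLE_EVENTS]
    return results, set(mpc.blacklist)


if __name__ == "__main__":
    decisions, blacklisted = run_demo()
    for ev, ok in zip(SAMPLE_EVENTS, decisions):
        print(f"{'ALLOW' if ok else 'DENY '} {ev.container} {ev.action} {ev.resource}")
    print("blacklisted:", sorted(blacklisted))
```

The last event shows the point of the blacklist database: once a container has been blacklisted, even accesses its profile would normally permit are refused, so the monitor's verdict persists beyond the single violating call.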
