Secure yet usable: Protecting servers and Linux containers

摘要

Many computer security systems are considered a burden. Their inherent intrusiveness may often have an impact on the overall system stability and may conflict with a continuous stream of updates to a server operating system and components. Additionally, their complexity, and the lack of sufficient understanding of how to operate them efficiently, leads to subpar utilization of their full potential. We claim that a computer security system must make usability one of its top priorities, arguably the first, to have any chance of being correctly and fully used. In this paper, we describe Starlight, a protection tool that has usability as its core trait. We discuss the tradeoffs between security and usability and how we addressed them. Starlight monitors the behavior of a running system and creates a customized security policy, a set of operating system execution rules that accurately defines the execution boundaries of the system. We demonstrate the capabilities of our system to protect the runtime environments of servers with Linux ® containers, which add kernel exploits risks via exposure to vulnerable or rogue applications.