Date of Award

12-2024

Document Type

Project

Degree Name

Master of Science in Information Systems and Technology

Department

Information and Decision Sciences

First Reader/Committee Chair

Dr. Shayo, Conrad

Abstract

Although containers have revolutionized application deployment by allowing for rapid and consistent deployment, their growing adoption has also raised significant security concerns. Each container is an isolated instance of an operating system that comes pre-packaged with the user's desired applications. With multiple containers running on a host machine, an adversary can potentially break out of the container into the host machine. This project investigates the effectiveness of user namespace isolation as a security mechanism to mitigate container escape vulnerabilities that target the container's runtime.

The research questions are: Question 1, does user namespace isolation mitigate container runtime vulnerabilities that target file descriptor mishandling (Reeves, 2021)? Question 2, does user namespace isolation mitigate container escape in containers that are missing access controls (Reeves, 2021)? Question 3, does user namespace isolation prevent container escape from occurring against vulnerabilities that target host execution in the container context (Reeves, 2021)?

The findings are that: Question 1, user namespace isolation mitigated file descriptor vulnerabilities; Question 2, user namespace isolation successfully mitigated vulnerabilities with missing access controls; Question 3, user namespace isolation mitigated vulnerabilities that targeted host execution in the container context.

The conclusion is that user namespace isolation is a valuable security mechanism that can successfully mitigate each of the types of runtime vulnerabilities within containers. While this project does not prove that user namespace isolation mitigates all container escape vulnerabilities, it can still be stated that an infrastructure that implements user namespace isolation is more secure than an infrastructure that does not.

Areas for further study include studying the increase in resource usage that comes from enabling user namespace isolation, testing user namespace isolation against other vulnerabilities, and testing for vulnerabilities within user namespace isolation.
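As an added illustration that is not part of the project, the following Python check inspects the mechanism the abstract studies: a process's /proc/self/uid_map shows whether uid 0 inside the container is remapped to an unprivileged host uid, which is what user namespace isolation provides. The sample maps, the OVERFLOW_UID constant and the function names are this example's own assumptions, and the map format is the kernel's three-column "inside outside count" layout.

```python
"""Detect user namespace isolation from a uid_map (/proc/<pid>/uid_map).
Constructed sample maps are embedded so the check runs offline."""
from dataclasses import dataclass
from typing import List

# Kernel default for ids with no mapping (/proc/sys/kernel/overflowuid, "nobody").
OVERFLOW_UID = 65534


@dataclass(frozen=True)
class IdRange:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen by the parent (host) namespace
    count: int    # length of the contiguous range


def parse_id_map(text: str) -> List[IdRange]:
    """Parse the three-column format of /proc/<pid>/uid_map or gid_map."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range length in: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges


def host_id_for(inside_id: int, ranges: List[IdRange]) -> int:
    """Translate an id inside the namespace into the host's view.
    Ids outside every range have no host identity and show up as the overflow id."""
    for r in ranges:
        if r.inside <= inside_id < r.inside + r.count:
            return r.outside + (inside_id - r.inside)
    return OVERFLOW_UID


def root_is_remapped(ranges: List[IdRange]) -> bool:
    """True when uid 0 inside maps to a non-zero (unprivileged) host uid."""
    return host_id_for(0, ranges) != 0


# Constructed samples: the identity map of the initial namespace (no isolation)
# and a remapped container whose root becomes host uid 100000.
IDENTITY_MAP = "         0          0 4294967295\n"
REMAPPED_MAP = "         0     100000      65536\n"


def check_self() -> bool:
    """Apply the check to the calling process (Linux only)."""
    with open("/proc/self/uid_map") as f:
        return root_is_remapped(parse_id_map(f.read()))
```

Running check_self() inside a container returns False when root inside is also root on the host, which is the unisolated configuration the project compares against.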
