Leadership Hijacking in Docker Swarm and Its Consequences

Entropy ◽  
2021 ◽  
Vol 23 (7) ◽  
pp. 914
Author(s):  
Adi Farshteindiker ◽  
Rami Puzis

With the advent of microservice-based software architectures, an increasing number of modern cloud environments and enterprises use operating system level virtualization, which is often referred to as container infrastructures. Docker Swarm is one of the most popular container orchestration infrastructures, providing high availability and fault tolerance. Occasionally, discovered container escape vulnerabilities allow adversaries to execute code on the host operating system and operate within the cloud infrastructure. We show that Docker Swarm is currently not secured against misbehaving manager nodes. This allows a high impact, high probability privilege escalation attack, which we refer to as leadership hijacking, the possibility of which is neglected by the current cloud security literature. Cloud lateral movement and defense evasion payloads allow an adversary to leverage the Docker Swarm functionality to control each and every host in the underlying cluster. We demonstrate an end-to-end attack, in which an adversary with access to an application running on the cluster achieves full control of the cluster. To reduce the probability of a successful high impact attack, container orchestration infrastructures must reduce the trust level of participating nodes and, in particular, incorporate adversary immune leader election algorithms.

Author(s):  
Adi Farshteindiker ◽  
Rami Puzis

With the advent of microservice-based software architectures, an increasing number of modern cloud environments and enterprises use operating system level virtualization, often referred to as containers. Docker Swarm is one of the most popular container orchestration infrastructures, providing high availability and fault tolerance. Occasionally, discovered container escape vulnerabilities allow adversaries to execute code on the host operating system and operate within the cloud infrastructure. We show that Docker Swarm is currently not secured against misbehaving manager nodes and allows a high impact, high probability privilege escalation attack that we refer to as leadership hijacking. Cloud lateral movement and defense evasion payloads allow an adversary to leverage the Docker Swarm functionality to control each and every host in the underlying cluster. We demonstrate an end-to-end attack, in which an adversary with access to an application running on the cluster achieves full control of the cluster. To reduce the probability of a successful high impact attack, container orchestration infrastructures must reduce the trust level of participating nodes and, in particular, incorporate adversary immune leader election algorithms.


Author(s):  
Maria Rodriguez ◽  
Rajkumar Buyya

Containers are widely used by organizations to deploy diverse workloads such as web services, big data, and IoT applications. Container orchestration platforms are designed to manage the deployment of containerized applications in large-scale clusters. The majority of these platforms optimize the scheduling of containers on a fixed-sized cluster and are not enabled to autoscale the size of the cluster nor to consider features specific to public cloud environments. This chapter presents a resource management approach with three objectives: 1) optimize the initial placement of containers by efficiently scheduling them on existing resources, 2) autoscale the number of resources at runtime based on the cluster's workload, and 3) consolidate applications into fewer VMs at runtime. The framework was implemented as a Kubernetes plugin and its efficiency was evaluated on an Australian cloud infrastructure. The experiments demonstrate that a reduction of 58% in cost can be achieved by dynamically managing the cluster size and placement of applications.


2018 ◽  
Vol 224 ◽  
pp. 02071
Author(s):  
Dmitrii Voronin ◽  
Victoria Shevchenko ◽  
Olga Chengar

Scientific problems related to the classification, assessment, visualization and management of risks in cloud environments are considered. State-of-the-art methods proposed for solving these problems are analyzed, taking into account the specifics of cloud infrastructures oriented toward large-scale task processing in distributed production infrastructures. Unfortunately, little scientific and objective research has focused on developing effective approaches to cloud risk visualization that provide the information necessary to support decision-making in distributed production infrastructures. To fill this research gap, this study proposes a risk visualization technique based on radar charts for multidimensional data visualization.


2019 ◽  
Vol 32 (3) ◽  
pp. 516-537
Author(s):  
Konstantina Spanaki ◽  
Zeynep Gürgüç ◽  
Catherine Mulligan ◽  
Emil Lupu

Purpose: The purpose of this paper is to unfold the perceptions around additional security in cloud environments by highlighting the importance of controlling mechanisms as an approach to the ethical use of the systems. The study focuses on the effects of the controlling mechanisms in maintaining an overall secure position for the cloud and the mediating role of ethical behavior in this relationship.

Design/methodology/approach: A case study was conducted, examining the adoption of managed cloud security services as a means of control, as well as a large-scale survey of the views of IT decision makers about the effects of such adoption on overall cloud security.

Findings: The findings indicate that there is indeed a positive relationship between the adoption of controlling mechanisms and the maintenance of overall cloud security, which increases when users follow ethical behavior in their use of the cloud. A framework based on the findings is built, suggesting a research agenda for the future and a conceptualization of the field.

Research limitations/implications: One of the major limitations of the study is the fact that the data collection was based on the perceptions of IT decision makers from a cross-section of industries; however, the proposed framework should also be examined in an industry-specific context. Although firm size was indicated as a highly influencing factor, it was not considered for this study, as the data collection targeted a range of organizations of various sizes.

Originality/value: This study extends the research on IS security behavior based on the notion that individuals (clients and providers of cloud infrastructure) are protecting something separate from themselves, in a cloud-based environment, sharing responsibility and trust with their peers. The organization in this context is focusing on managed security solutions as a proactive measure to preserve cloud security in cloud environments.


2018 ◽  
Author(s):  
Ola Spjuth ◽  
Marco Capuccini ◽  
Matteo Carone ◽  
Anders Larsson ◽  
Wesley Schaal ◽  
...  

Containers are gaining popularity in life science research as they encompass all dependencies of provisioned tools and simplify software installation for end users, as well as offering a form of isolation between processes. Scientific workflows are ideal for chaining containers into data analysis pipelines to sustain reproducible science. In this manuscript we review the different approaches to using containers inside the workflow tools Nextflow, Galaxy, Pachyderm, Luigi, and SciPipe when deployed in cloud environments. A particular focus is placed on the workflow tools' interaction with the Kubernetes container orchestration framework.


2020 ◽  
Vol 245 ◽  
pp. 07025
Author(s):  
Fernando Harald Barreiro Megino ◽  
Jeffrey Ryan Albert ◽  
Frank Berghaus ◽  
Kaushik De ◽  
FaHui Lin ◽  
...  

In recent years containerization has revolutionized cloud environments, providing a secure, lightweight, standardized way to package and execute software. Solutions such as Kubernetes enable orchestration of containers in a cluster, including for the purpose of job scheduling. Kubernetes is becoming a de facto standard, available at all major cloud computing providers, and is gaining increased attention from some WLCG sites. In particular, CERN IT has integrated Kubernetes into their cloud infrastructure by providing an interface to instantly create Kubernetes clusters, and the University of Victoria is pursuing an infrastructure-as-code approach to deploying Kubernetes as a flexible and resilient platform for running services and delivering resources. The ATLAS experiment at the LHC has partnered with CERN IT and the University of Victoria to explore and demonstrate the feasibility of running an ATLAS computing site directly on Kubernetes, replacing all grid computing services. We have interfaced ATLAS’ workload submission engine PanDA with Kubernetes, to directly submit and monitor the status of containerized jobs. We describe the integration and deployment details, and focus on the lessons learned from running a wide variety of ATLAS production payloads on Kubernetes using clusters of several thousand cores at CERN and the Tier 2 computing site in Victoria.


2018 ◽  
Vol 2 (5) ◽  
pp. 295
Author(s):  
Hamid Reza Ganji ◽  
Kiarash Aghakhani

The security of file configuration in the Linux operating system depends on many factors at both the system level and the application level. The most important aspect of Linux operating system security is its dynamism: when you secure your Linux system, it will not stay safe forever, because new threats and new exploits packaged by cyber criminals against systems or applications cause the operating system to become unsafe again; for this reason, we need a secure operating system. The main purpose of this article is to provide a new way to enhance the security of the Linux operating system. To that end, solutions are presented for securing a Linux environment in a simple, continuous, and practical way; based on a performance analysis of the proposed method and an evaluation of existing systems against the proposed system using the chosen evaluation parameters, the superiority of this method is shown.

