Exploiting Kubernetes' Image Pull Implementation to Deny Node Availability

Published 19 Jan 2024 in cs.CR | (2401.10582v1)

Abstract: Kubernetes (K8s) has grown in popularity over the past few years to become the de facto standard for container orchestration in cloud-native environments. While topics such as containerization and access control security are well studied, the Application Programming Interface (API) interactions between K8s and its runtime interfaces have not been examined thoroughly. In particular, the CRI-API is responsible for abstracting the container runtime, managing the creation and lifecycle of containers along with the download of the respective images. However, this decoupling of concerns and the abstraction of the container runtime leave K8s unaware of the status of the container image download process, which obstructs monitoring of the resources allocated to that process. In this paper, we discuss how this lack of status information can be exploited as a Denial of Service attack in a K8s cluster. We show that such attacks can generate up to 95% average CPU usage, prevent the download of new container images, and increase I/O and network usage for a potentially unlimited amount of time. Finally, we propose two possible mitigation strategies: one implemented as a stopgap solution, and another requiring more radical architectural changes in the relationship between K8s and the CRI-API.

