Containerization is a fundamental component of modern cloud-native infrastructure,and Kubernetes is a prominent platform of container orchestration systems.However,containerization raises significant security concerns...Containerization is a fundamental component of modern cloud-native infrastructure,and Kubernetes is a prominent platform of container orchestration systems.However,containerization raises significant security concerns due to the nature of sharing a kernel among multiple containers,which can lead to container breakout or privilege escalation.Kubernetes cannot avoid it as well.While various tools,such as container image scanning and configuration checking,can mitigate container workload vulnerabilities,these are not foolproof and cannot guarantee perfect isolation or prevent every active threat in runtime.As such,a policy enforcement solution is required to tackle the problem,and existing solutions based on LSM(Linux Security Module)frameworks may not be adequate for some situations.To address this,we propose an enforcement system based on BPF-LSM,which leverages eBPF(extended Berkeley Packet Filter)technology to provide fine-grained control and dynamic adoption of security policies.In this paper,we compare different LSM implementations to highlight the challenges of current enforcement solutions before detailing the design of our eBPF-based Kubernetes Runtime Instrumentation and Enforcement System(KRSIE).Finally,we evaluate the effectiveness of our system using a real-world scenario,as measuring the performance of a policy enforcement system is a complex task.Our results show that KRSIE can successfully control containers’behaviors using LSM hooks at container runtime,offering improved container security for cloud-native infrastructure.展开更多
Nowadays,with the significant growth of the mobile market,security issues on the Android Operation System have also become an urgent matter.Trusted execution environment(TEE)technologies are considered an option for s...Nowadays,with the significant growth of the mobile market,security issues on the Android Operation System have also become an urgent matter.Trusted execution environment(TEE)technologies are considered an option for satisfying the inviolable property by taking advantage of hardware security.However,for Android,TEE technologies still contain restrictions and limitations.The first issue is that non-original equipment manufacturer developers have limited access to the functionality of hardware-based TEE.Another issue of hardware-based TEE is the cross-platform problem.Since every mobile device supports different TEE vendors,it becomes an obstacle for developers to migrate their trusted applications to other Android devices.A software-based TEE solution is a potential approach that allows developers to customize,package and deliver the product efficiently.Motivated by that idea,this paper introduces a VTEE model,a software-based TEE solution,on Android devices.This research contributes to the analysis of the feasibility of using a virtualized TEE on Android devices by considering two metrics:computing performance and security.The experiment shows that the VTEE model can host other software-based TEE services and deliver various cryptography TEE functions on theAndroid environment.The security evaluation shows that adding the VTEE model to the existing Android does not addmore security issues to the traditional design.Overall,this paper shows applicable solutions to adjust the balance between computing performance and security.展开更多
Container technology plays an essential role in many Information and Communications Technology(ICT)systems.However,containers face a diversity of threats caused by vulnerable packages within container images.Previous ...Container technology plays an essential role in many Information and Communications Technology(ICT)systems.However,containers face a diversity of threats caused by vulnerable packages within container images.Previous vulnerability scanning solutions for container images are inadequate.These solutions entirely depend on the information extracted from package managers.As a result,packages installed directly from the source code compilation,or packages downloaded from the repository,etc.,are ignored.We introduce DAVS–A Dockerfile analysis-based vulnerability scanning framework for OCI-based container images to deal with the limitations of existing solutions.DAVS performs static analysis using file extraction based on Dockerfile information to obtain the list of Potentially Vulnerable Files(PVFs).The PVFs are then scanned to figure out the vulnerabilities in the target container image.The experimental shows the outperform of DAVS on detecting Common Vulnerabilities and Exposures(CVE)of 10 known vulnerable images compared to Clair–the most popular container image scanning project.Moreover,DAVS found that 68%of real-world container images are vulnerable from different image registries.展开更多
A scheme of rogue access point(Rogue AP)detection based on AP's localization is proposed.Global position system(GPS)information and received signal strength(RSS)information are used to get the location of AP in a ...A scheme of rogue access point(Rogue AP)detection based on AP's localization is proposed.Global position system(GPS)information and received signal strength(RSS)information are used to get the location of AP in a smartphone,which is compared with the database located in a remote server.The proposed scheme can detect not only fake access point(Fake AP)but also Evil Twin AP.It can be a user-oriented solution to detecting Rogue AP threats,and users can use it flexibly.展开更多
A unified hybrid authentication framework was proposed to provide proactive authentication and re-authentication for media independent handover(MIH)-based multi-wireless access.In addition,a specific protocol distribu...A unified hybrid authentication framework was proposed to provide proactive authentication and re-authentication for media independent handover(MIH)-based multi-wireless access.In addition,a specific protocol distributing a hierarchical key after the proactive authentication from key holder to base station has been proposed.The proposed hybrid authentication framework not only performs proactive authentication with credentials based on Chameleon hashing,which removes the authentication procedures that exchanges messages with a authentication server,but also performs re-authentication with EAP re-authentication protocol(ERP)that distributes the hierarchical key on the basis of the root key generated by the proactive authentication.展开更多
基金supported by the Institute of Information&Communications Technology Planning&Evaluation (IITP)grant funded by the Korea Government (MSIT), (No.2020-0-00952,Development of 5G edge security technology for ensuring 5G+service stability and availability,50%)the Institute of Information and Communications Technology Planning and Evaluation (IITP)grant funded by the MSIT (Ministry of Science and ICT),Korea (No.IITP-2023-2020-0-01602,ITRC (Information Technology Research Center)support program,50%).
文摘Containerization is a fundamental component of modern cloud-native infrastructure,and Kubernetes is a prominent platform of container orchestration systems.However,containerization raises significant security concerns due to the nature of sharing a kernel among multiple containers,which can lead to container breakout or privilege escalation.Kubernetes cannot avoid it as well.While various tools,such as container image scanning and configuration checking,can mitigate container workload vulnerabilities,these are not foolproof and cannot guarantee perfect isolation or prevent every active threat in runtime.As such,a policy enforcement solution is required to tackle the problem,and existing solutions based on LSM(Linux Security Module)frameworks may not be adequate for some situations.To address this,we propose an enforcement system based on BPF-LSM,which leverages eBPF(extended Berkeley Packet Filter)technology to provide fine-grained control and dynamic adoption of security policies.In this paper,we compare different LSM implementations to highlight the challenges of current enforcement solutions before detailing the design of our eBPF-based Kubernetes Runtime Instrumentation and Enforcement System(KRSIE).Finally,we evaluate the effectiveness of our system using a real-world scenario,as measuring the performance of a policy enforcement system is a complex task.Our results show that KRSIE can successfully control containers’behaviors using LSM hooks at container runtime,offering improved container security for cloud-native infrastructure.
基金This work was partly supported by the Institute of Information&Communications Technology Planning&Evaluation(IITP)grant funded by the Korea Government(MSIT),(No.2020-0-00952,Development of 5G edge security technology for ensuring 5G+service stability and availability,50%)the Institute of Information and Communications Technology Planning and Evaluation(IITP)grant funded by the MSIT(Ministry of Science and ICT),Korea(No.IITP-2022-2020-0-01602,ITRC(Information Technology Research Center)support program,50%).
文摘Nowadays,with the significant growth of the mobile market,security issues on the Android Operation System have also become an urgent matter.Trusted execution environment(TEE)technologies are considered an option for satisfying the inviolable property by taking advantage of hardware security.However,for Android,TEE technologies still contain restrictions and limitations.The first issue is that non-original equipment manufacturer developers have limited access to the functionality of hardware-based TEE.Another issue of hardware-based TEE is the cross-platform problem.Since every mobile device supports different TEE vendors,it becomes an obstacle for developers to migrate their trusted applications to other Android devices.A software-based TEE solution is a potential approach that allows developers to customize,package and deliver the product efficiently.Motivated by that idea,this paper introduces a VTEE model,a software-based TEE solution,on Android devices.This research contributes to the analysis of the feasibility of using a virtualized TEE on Android devices by considering two metrics:computing performance and security.The experiment shows that the VTEE model can host other software-based TEE services and deliver various cryptography TEE functions on theAndroid environment.The security evaluation shows that adding the VTEE model to the existing Android does not addmore security issues to the traditional design.Overall,this paper shows applicable solutions to adjust the balance between computing performance and security.
基金supported by the Institute of Information&Communications Technology Planning&Evaluation(IITP)grant funded by the Korea Government(MSIT)(No.2020-0-00952)Development of 5G edge security technology for ensuring 5G+service stability and availability.
文摘Container technology plays an essential role in many Information and Communications Technology(ICT)systems.However,containers face a diversity of threats caused by vulnerable packages within container images.Previous vulnerability scanning solutions for container images are inadequate.These solutions entirely depend on the information extracted from package managers.As a result,packages installed directly from the source code compilation,or packages downloaded from the repository,etc.,are ignored.We introduce DAVS–A Dockerfile analysis-based vulnerability scanning framework for OCI-based container images to deal with the limitations of existing solutions.DAVS performs static analysis using file extraction based on Dockerfile information to obtain the list of Potentially Vulnerable Files(PVFs).The PVFs are then scanned to figure out the vulnerabilities in the target container image.The experimental shows the outperform of DAVS on detecting Common Vulnerabilities and Exposures(CVE)of 10 known vulnerable images compared to Clair–the most popular container image scanning project.Moreover,DAVS found that 68%of real-world container images are vulnerable from different image registries.
基金The KCC(Korea Communications Commission),Korea,under the R&D program supervised by the KCA(Korea Communications Agency)(KCA-2012-08-911-05-001)
文摘A scheme of rogue access point(Rogue AP)detection based on AP's localization is proposed.Global position system(GPS)information and received signal strength(RSS)information are used to get the location of AP in a smartphone,which is compared with the database located in a remote server.The proposed scheme can detect not only fake access point(Fake AP)but also Evil Twin AP.It can be a user-oriented solution to detecting Rogue AP threats,and users can use it flexibly.
基金The KCC(Korea Communications Commission),Korea,under the R&D program supervised by the KCA(Korea Communi-cations Agency)(KCA-2012-08-911-05-001)
文摘A unified hybrid authentication framework was proposed to provide proactive authentication and re-authentication for media independent handover(MIH)-based multi-wireless access.In addition,a specific protocol distributing a hierarchical key after the proactive authentication from key holder to base station has been proposed.The proposed hybrid authentication framework not only performs proactive authentication with credentials based on Chameleon hashing,which removes the authentication procedures that exchanges messages with a authentication server,but also performs re-authentication with EAP re-authentication protocol(ERP)that distributes the hierarchical key on the basis of the root key generated by the proactive authentication.