ELIMINATING PRIVILAGE ESCALATION TO ROOT IN CONTAINERS RUNNING ON KUBERNETES

ავტორი: Linetskyi Artem, Babenko Tetiana, Myrutenko Larysa, Vialkova Vira
ორგანიზაცია: 1-4 Faculty of Information Technology, Taras Shevchenko National University of Kyiv, Ukraine

კატეგორია:

საკვანძო სიტყვები: kubernetes; privilage escalation; cybersecurity, security layer
აბსტრაქტი. Containerization and orchestration tools like Kubernetes allow enterprises to automate many aspects of application life cycle, especially deployment, significant business benefits. However, these new deployments are also vulnerable to attacks and introduce new exploits from hackers and insiders, making Kubernetes security acrucial component for every deployment. We perform a study analyzing privilege escalation to root in containers running on Kubernetes. Based on the results we create a solution that can eliminate this type of attack.

ბიბლიოგრაფია

"Production-Grade Container Orchestration", Kubernetes.io, 2019. [Online]. Available: https://kubernetes.io/. [Accessed: 30- Oct- 2019].
D. Goodin, "Tesla cloud resources are hacked to run cryptocurrency-mining malware", Ars Technica, 2018. [Online]. Available: https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-arehacked- to-run-cryptocurrency-mining-malware/. [Accessed: 30- Sep- 2019].
F. Huang and G. Duan, "The Ultimate Guide to Kubernetes Security - Threats, Tips, and Ebook", NeuVector, 2018. [Online]. Available: https://neuvector.com/container-security/kubernetes-security-guide/. [Accessed: 30- Oct- 2019].
C. Meléndez, "The top Kubernetes security best practices - Sqreen blog", Sqreen Blog, 2019. [Online]. Available: https://blog.sqreen.com/kubernetes-security-best-practices/. [Accessed: 30- Sep- 2019].
A. Zelivansky, "Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care", Unit42, 2019. [Online]. Available: https://unit42.paloaltonetworks.com/non-root-containers-kubernetes-cve-2019- 11245-care/. [Accessed: 11- Nov- 2019].
C. Gilbert, "9 Kubernetes Security Best Practices Everyone Must Follow - Cloud Native Computing Foundation", Cloud Native Computing Foundation, 2019. [Online]. Available: https://www.cncf.io/blog/2019/01/14/9-kubernetes-security-best-practices-everyone-must-follow/. [Accessed: 30- Nov- 2019].
Y. Avrahami, "Breaking out of Docker via runC – Explaining CVE-2019-5736", Unit42, 2019. [Online]. Available: https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/. [Accessed: 09- Nov- 2019].
A. Martin, "11 Ways (Not) to Get Hacked", Kubernetes.io, 2018. [Online]. Available: https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/. [Accessed: 30- Oct- 2019].
"Extending your Kubernetes Cluster", Kubernetes.io, 2019. [Online]. Available: https://kubernetes.io/docs/concepts/extend-kubernetes/ extend-cluster/. [Accessed: 19- Oct- 2019].
S. Prodan, "Scanning Kubernetes resources with Kubesec", Stefanprodan.com, 2018. [Online]. Available: https://stefanprodan.com/2018/scanning-kubernetes-deployments-with-kubesec/. [Accessed: 30- Sep- 2019].