Towards Least Privilege Containers with Cimplifier
This addresses security vulnerabilities for users of containerized applications like Docker, though it is an incremental improvement on existing container security methods.
The authors tackled the security problem of privilege separation and least privilege in application containers by developing Cimplifier, a tool that partitions containers into simpler ones with minimal resources, resulting in a 58-95% reduction in image size and processing times under thirty seconds.
Application containers, such as Docker containers, have recently gained popularity as a solution for agile and seamless deployment of applications. These light-weight virtualization environments run applications that are packed together with their resources and configuration information, and thus can be deployed across various software platforms. However, these software ecosystems are not conducive to the true and tried security principles of privilege separation (PS) and principle of least privilege (PLP). We propose algorithms and a tool Cimplifier, which address these concerns in the context of containers. Specifically, given a container our tool partitions them into simpler containers, which are only provided enough resources to perform their functionality. As part our solution, we develop techniques for analyzing resource usage, for performing partitioning, and gluing the containers together to preserve functionality. Our evaluation on real-world containers demonstrates that Cimplifier can preserve the original functionality, leads to reduction in image size of 58-95%, and processes even large containers in under thirty seconds.