A survey on secure container isolation approaches for multi-tenant container workloads and serverless computing

Abstract

Container virtualization has become the tool of choice for running isolated applications in cloud environments. Linux-Containers virtualize at the operating system level, with multiple containers running atop the operating system kernel directly. Therefore, threats to one container are potentially threats to many others. Especially for PaaS and Serverless providers, the secure execution of untrusted workloads on their platform in order to mitigate software vulnerabilities from spreading has high priority. Containers face a variety of different threats, vulnerabilities and historical weaknesses that need to be considered and defended against. This paper presents current approaches to securing container workloads. gVisor, Kata Containers and Firecracker are presented and compared with each other. Although sandbox containers have different attack surfaces such as the container daemon process, network, or storage, this paper focuses on the Linux kernel itself as a vulnerability in sandbox containers and examines how each approach implements protection.