Container Image Access Control Architecture to Protect Applications

A container platform allows various applications to be deployed or run after installation. A user can download or execute a container image with the required application. To apply the configuration management system, a container image uses a union filesystem composed of multiple layers. To provide s...

Full description

Saved in:
Bibliographic Details
Published inIEEE access Vol. 8; p. 1
Main Authors Han, Sung-Hwa, Lee, Hoo-Ki, Lee, Sung-Taek, Kim, Sung-Jin, Jang, Won-Jung
Format Journal Article
LanguageEnglish
Published Piscataway IEEE 01.01.2020
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Subjects
Access control
Architecture
Computer architecture
Configuration management
Container
Container Image
Containers
Functionals
Image Protection
Information services
Layered Image
Malware
Operating systems
Security management
Online AccessGet full text

Cover

More Information
Summary:A container platform allows various applications to be deployed or run after installation. A user can download or execute a container image with the required application. To apply the configuration management system, a container image uses a union filesystem composed of multiple layers. To provide stability, important application files must be protected from unauthorized access. However, the container image used for distributing an application does not have its own protection function, and it is not protected by the container platform. The access control function provided by the operating system cannot protect the applications because the container environment is not considered. In this study, a container image access control architecture is proposed that can ensure a safe application operating environment by denying unauthorized direct access to container images. The proposed architecture enforces the access control function after the container image is downloaded, denying unauthorized access to the container image layer directory. Because the access control function is provided at the kernel level, there is a security advantage that users cannot bypass. To verify this approach, the functions and performance were determined empirically according to the proposed architecture. Functional verification confirmed that the proposed architecture denies unauthorized access to the container base image and allows access only to authorized users. It was also confirmed that the proposed architecture ensures the performance of the container platform in the same way as before, and that the proposed container image access control architecture is sufficiently effective.
ISSN:2169-3536
2169-3536
DOI:10.1109/ACCESS.2020.3021044