DevSecOps of Containerization

Abstract

Containerization is a new concept of virtualization, one that has attracted attention and occupied considerable amount of market size due to its inherent lightweight characteristics. However, the lightweight advantage is achieved at the price of security. The isolation of containers cannot be as strong as with traditional hypervisor-based virtualization. Attacks against weak isolation of the container have been reported, and the use of shared kernel is another targeted vulnerable point. This work focuses on providing security for the containerization. We aim to provide secure monitoring of containerized application, which can help the infrastructure owner ensure the running application is harmless. The monitoring is non-intrusive and lightweight with no user data privacy and performance overhead problems being incurred. We propose use of machine learning techniques combined with container introspection tools to perform intelligent monitoring. We establish an unique public dataset to provide better emulation of real application behaviors and better coverage of attacks with expanded feature space. Sufficient related work is surveyed, and a proof-of-concept monitoring system is implemented and evaluated. In addition, we also investigate the containerization of Hyperledger blockchain systems. Smart contract is one of the most important and promising feature of blockchain, and it relies on the use of virtualization. Hyperledger implements its chaincode (smart contract) based on containerization. Thus, the DevSecOps of containerization also determines the security of Hyperledger systems. The potential risk of Hyperledger containerization lifecycle have been illustrated and discussed.