Attacks are Forwarded - Breaking the Isolation of MicroVM-based Containers Through Operation Forwarding

Explore a 14-minute conference talk from USENIX Security '23 that reveals a new attack surface for breaking the isolation of microVM-based containers. Discover how researchers identified "operation forwarding attacks" that exploit vulnerabilities in host systems running containerized applications. Learn about the three-layer component structure of microVM-based containers and the corresponding attack strategies for each layer. Examine eight specific attacks demonstrated against Kata Containers and Firecracker-based containers, including their impacts on privilege escalation, IO and CPU performance degradation, and potential host system crashes. Gain insights into experiments conducted in local environments as well as on major cloud platforms like AWS and Alibaba Cloud. Consider the security implications for containerized applications and review suggested mitigation strategies to protect against these newly discovered vulnerabilities.