Explore a 14-minute conference talk from USENIX Security '23 that reveals a new attack surface for breaking the isolation of microVM-based containers. Discover how researchers identified "operation forwarding attacks" that exploit vulnerabilities in host systems running containerized applications. Learn about the three-layer component structure of microVM-based containers and the corresponding attack strategies for each layer. Examine eight specific attacks demonstrated against Kata Containers and Firecracker-based containers, including their impacts on privilege escalation, IO and CPU performance degradation, and potential host system crashes. Gain insights into experiments conducted in local environments as well as on major cloud platforms like AWS and Alibaba Cloud. Consider the security implications for containerized applications and review suggested mitigation strategies to protect against these newly discovered vulnerabilities.
Overview
Syllabus
USENIX Security '23 - Attacks are Forwarded: Breaking the Isolation of MicroVM-based Containers...
Taught by
USENIX