2025-11-20T01:55:14.885016

Analysis of Security in OS-Level Virtualization

Ketha, Song, Zhu
Virtualization is a technique that allows multiple instances typically running different guest operating systems on top of single physical hardware. A hypervisor, a layer of software running on top of the host operating system, typically runs and manages these different guest operating systems. Rather than to run different services on different servers for reliability and security reasons, companies started to employ virtualization over their servers to run these services within a single server. This approach proves beneficial to the companies as it provides much better reliability, stronger isolation, improved security and resource utilization compared to running services on multiple servers. Although hypervisor based virtualization offers better resource utilization and stronger isolation, it also suffers from high overhead as the host operating system has to maintain different guest operating systems. To tackle this issue, another form of virtualization known as Operating System-level virtualization has emerged. This virtualization provides light-weight, minimal and efficient virtualization, as the different instances are run on top of the same host operating system, sharing the resources of the host operating system. But due to instances sharing the same host operating system affects the isolation of the instances. In this paper, we will first establish the basic concepts of virtualization and point out the differences between the hyper-visor based virtualization and operating system-level virtualization. Next, we will discuss the container creation life-cycle which helps in forming a container threat model for the container systems, which allows to map different potential attack vectors within these systems. Finally, we will discuss a case study, which further looks at isolation provided by the containers.
academic

Analysis of Security in OS-Level Virtualization

Basic Information

  • Paper ID: 2501.01334
  • Title: Analysis of Security in OS-Level Virtualization
  • Authors: Krishna Sai Ketha, Guanqun Song, Ting Zhu (The Ohio State University)
  • Classification: cs.CR (Cryptography and Security), cs.OS (Operating Systems)
  • Publication Date: January 2, 2025 (arXiv preprint)
  • Paper Link: https://arxiv.org/abs/2501.01334

Abstract

Virtualization technology enables multiple instances with different guest operating systems to run on a single physical hardware platform. While hypervisor-based virtualization provides better resource utilization and stronger isolation, it suffers from high overhead due to the host operating system maintaining different guest operating systems. To address this limitation, OS-level virtualization has emerged, offering lightweight, minimal, and efficient virtualization. However, since instances share the same host operating system, inter-instance isolation is compromised. This paper establishes fundamental virtualization concepts, analyzes the differences between hypervisor virtualization and OS-level virtualization, discusses the container creation lifecycle, constructs a container threat model, and analyzes the isolation provided by containers through case studies.

Research Background and Motivation

Problem Definition

  1. Resource Utilization Efficiency: Traditional deployment of different services on separate servers improves reliability and security but is costly and results in low resource utilization
  2. Virtualization Overhead: While hypervisor-based virtualization improves resource utilization, maintaining multiple guest operating systems introduces significant overhead
  3. Container Security Isolation: Although OS-level virtualization addresses overhead concerns, sharing the operating system kernel may compromise security isolation between containers

Research Significance

  • Business Requirements: Enterprises need to safely and efficiently run multiple services on a single server
  • Cloud Computing Trends: Since the 1990s, virtualization technology has been widely adopted in cloud environments
  • Security Threats: The widespread adoption of container technology introduces new security challenges and attack vectors

Limitations of Existing Approaches

  • Traditional Virtualization: Hypervisor virtualization incurs substantial overhead, with each virtual machine requiring a complete guest operating system
  • Insufficient Security Analysis: Security and isolation analysis of OS-level virtualization lacks depth
  • Missing Threat Models: Absence of systematic container threat models to identify potential attack vectors

Core Contributions

  1. Established a comparative framework for virtualization technologies: Systematically compares advantages and disadvantages of hypervisor virtualization and OS-level virtualization
  2. Constructed a detailed container creation lifecycle model: Analyzes the complete process of Docker containers from build to execution
  3. Proposed a comprehensive container threat model: Identifies and classifies nine major attack vectors in container systems
  4. Provided practical vulnerability case analysis: Conducts in-depth analysis of security issues through two real vulnerabilities: CVE-2024-21626 and CVE-2022-0847
  5. Offered container security hardening recommendations: Provides practical security best practices based on analysis results

Methodology Details

Task Definition

This research aims to systematically analyze the security and isolation of OS-level virtualization (particularly Docker containers), identify potential attack vectors through threat modeling, and provide security hardening recommendations.

Research Architecture

1. Container Creation Lifecycle Analysis

The research focuses on four core components of the Docker container system:

  • Docker Engine: Open-source containerization technology providing capabilities to build and containerize applications
  • Docker Daemon (dockerd): Background process that listens to Docker commands, serving as an interface between CLI and container runtime
  • Containerd: High-level container runtime system providing image transfer management, container lifecycle management, storage, and networking functions
  • Runc: Lightweight, secure low-level container runtime that directly interacts with the underlying operating system

2. Container Creation Process

Dockerfile → Docker Build → Docker Daemon → Containerd → Runc → Container
  1. System administrator executes "docker build" command via Docker CLI
  2. Docker CLI invokes Docker Daemon to process the request
  3. Docker Daemon forwards the request to Containerd to create the container
  4. Containerd pulls the image and passes it to Runc
  5. Runc interacts with the underlying operating system, creating and managing containers based on image configuration

Threat Model Construction

Attack Classification

External Attacks: Remote access to container systems via network Internal Attacks: Attacks initiated by attackers already present as users within containers

Nine Major Attack Vectors

  1. Repository Image Manipulation: Attackers tamper with container images in repositories
  2. Application Code Vulnerabilities: Exploitation of vulnerabilities in application code and third-party dependencies
  3. Container Image Misconfiguration: Granting excessive unnecessary permissions during image configuration
  4. Container Misconfiguration: Pulling images containing malicious code from public directories
  5. Host Vulnerabilities: Exploitation of vulnerabilities in the host operating system running containers
  6. Inter-Container Information Leakage: Attackers monitor information sharing between containers
  7. Container Escape Vulnerabilities: Exploitation of runtime system vulnerabilities (containerd, runc) to escape to the host
  8. Insecure Network Communication: Attackers monitor inter-container communication to obtain information
  9. Uncontrolled Resource Consumption: Malicious scripts consume excessive resources, starving other containers

Experimental Setup

Case Study Methodology

This research employs actual vulnerability case analysis, selecting two representative security vulnerabilities for in-depth analysis:

  1. Runc Container Breakout (CVE-2024-21626)
  2. Dirty Pipe Vulnerability (CVE-2022-0847)

Analysis Framework

  • Vulnerability Mechanism Analysis: Detailed examination of technical principles underlying vulnerabilities
  • Impact Scope Assessment: Determination of affected software version ranges
  • Attack Scenario Reproduction: Demonstration of attack processes through actual commands
  • Severity Assessment: Evaluation of security impact of vulnerabilities

Experimental Results

Case Study One: Runc Container Breakout (CVE-2024-21626)

Vulnerability Details

  • Discovery Date: January 31, 2024
  • Affected Versions:
    • runc: v1.0.0-rc93 to v1.1.11
    • containerd: v1.4.7 to v1.6.27 and v1.7.0 to v1.7.12
    • docker: <v25.0.2
  • Severity: High

Attack Mechanism

  1. From the host operating system perspective, a container is a process with an independent filesystem mounted via chroot as the root filesystem
  2. Attackers create symbolic links pointing to file descriptors 7 and 8
  3. Execute sudo docker exec -it -w /foo <container-name> sleep 500 command
  4. Runc mounts the host filesystem into the container, allowing attackers to access the host filesystem

Attack Characteristics

  • Low Privilege Requirements: Attackers can successfully attack without running malicious code or requiring high privileges
  • Direct Filesystem Access: Direct access to files within the host operating system

Case Study Two: Dirty Pipe Vulnerability (CVE-2022-0847)

Vulnerability Details

  • Discovery Date: March 7, 2022
  • Affected Versions: Linux kernel >v5.8.0
  • Severity: High

Attack Mechanism

  1. Improper initialization of the "flags" member in the new Linux kernel pipe buffer structure
  2. Defects in "copy-page-to-iter-pipe" and "push-pipe" functions may contain stale values
  3. Unprivileged local users can modify pages in the page cache associated with read-only files
  4. Attackers can modify read-only files such as /etc/passwd to achieve privilege escalation

Experimental Findings

Security Threat Characteristics

  1. Persistent Threats: CVE-2024-21626 is not the first instance; CVE-2019-5736 was a similar runc escape vulnerability
  2. System-Level Impact: Both vulnerabilities can potentially grant attackers host operating system privileges
  3. Widespread Impact: Vulnerabilities affect numerous container systems used in production environments

Isolation Analysis

Container security isolation exhibits the following problems:

  • Shared Kernel Risk: All containers share the same operating system kernel; kernel vulnerabilities affect all containers
  • Runtime Vulnerabilities: Vulnerabilities in container runtime systems (such as runc) may lead to container escape
  • Configuration Error Risk: Improper permission configuration increases security risks

Related Work

Virtualization Security Research

This paper builds upon the foundation of virtualization technology development. While virtualization concepts have existed since the 1960s, they only became mainstream technology in the 1990s.

Container Security Threat Analysis

Related research primarily focuses on:

  1. Container Isolation Mechanisms: Analysis of isolation differences between containers and traditional virtualization
  2. Attack Vector Identification: Identification of unique attack methods in container environments
  3. Security Hardening Methods: Proposal of container security best practices

Contributions Compared to Existing Work

  • Systematic Threat Model: Compared to existing research, this paper provides more comprehensive container threat classification
  • Practical Case Analysis: Provides concrete evidence of security threats through real CVE vulnerability analysis
  • Lifecycle Perspective: Analyzes security issues from the perspective of container creation lifecycle

Conclusions and Discussion

Main Conclusions

  1. Double-Edged Nature of OS-Level Virtualization: While providing lightweight and efficient virtualization solutions, shared operating system kernels introduce security isolation challenges
  2. Diversity of Threat Vectors: Container systems face full-lifecycle security threats from image repositories to runtime environments
  3. Practical Security Risks: CVE case analysis confirms the real existence of serious security threats such as container escape and privilege escalation
  4. Continuous Security Challenges: Container security is an evolving problem requiring continuous updates to protective measures

Security Best Practice Recommendations

  1. Image Security: Inspect container images pulled from public repositories and scan for potential vulnerabilities
  2. Privilege Minimization: Avoid granting containers unnecessary privileges
  3. Timely Updates: Maintain up-to-date versions of container engines, runtimes, tools, and third-party components
  4. Dependency Management: Ensure dependencies do not contain known vulnerabilities
  5. Secure Communication: Transmit inter-container information through secure connections
  6. Security Scanning: Regularly scan containers for vulnerabilities using security scripts

Limitations

  1. Research Scope Constraints: Primarily focuses on Docker containers without covering other container technologies (such as FreeBSD Jails, Solaris Zones)
  2. Threat Model Depth: While identifying major attack vectors, discussion of specific protective measures for each attack type lacks depth
  3. Limited Experimental Cases: Analysis of only two CVE cases may be insufficient to comprehensively reflect the complexity of container security threats
  4. Insufficient Quantitative Analysis: Lacks quantitative assessment of risk levels for different attack vectors

Future Directions

The paper proposes the following research directions:

  1. AI-Driven Threat Detection: Integration of artificial intelligence technology to enhance container systems' resilience against emerging vulnerabilities
  2. Secure Communication Protocols: Development of more secure inter-container communication protocols
  3. Wireless Environment Optimization: Optimization of container networking for wireless environments
  4. System-Level Innovation: Improvement of resource allocation through system-level innovation to ensure performance and security in dynamic distributed infrastructure

In-Depth Evaluation

Strengths

  1. Systematic Analysis: Provides a complete analytical framework from fundamental concepts to practical threats
  2. High Practical Value: Threat model and security recommendations provide guidance for practical deployment
  3. In-Depth Case Analysis: Provides specific technical details through real CVE vulnerabilities
  4. Clear Structure: Well-organized paper structure with logical progression from theory to practice
  5. Strong Timeliness: Analyzes the latest security vulnerabilities (CVE-2024-21626)

Weaknesses

  1. Limited Theoretical Contribution: Primarily organizes and analyzes existing knowledge with limited original theoretical contributions
  2. Insufficient Experimental Validation: Lacks large-scale experimental validation of threat model effectiveness
  3. Missing Quantitative Analysis: Does not provide quantitative risk assessment of different attack vectors
  4. Insufficient Solution Depth: While proposing security recommendations, lacks specific technical solutions
  5. Weak Comparative Analysis: Comparative analysis with other container security research is relatively weak

Impact

  1. Academic Contribution: Provides a systematic threat analysis framework for container security research
  2. Practical Value: Provides guidance for enterprise and developer container security practices
  3. Educational Value: Suitable as reference material for container security teaching
  4. Research Foundation: Establishes foundation for subsequent in-depth container security research

Applicable Scenarios

  1. Enterprise Container Deployment: Provides reference for enterprise container security strategy formulation
  2. Security Auditing: Serves as a checklist for container system security assessment
  3. Education and Training: Used for container security awareness training and technical education
  4. Research Starting Point: Provides foundational framework for in-depth container security technology research

References

The paper cites 38 related references, primarily including:

  • Classical operating systems textbooks (Tanenbaum & Bos, Modern Operating Systems)
  • Container security monographs (Rice, Container Security)
  • Important security vulnerability reports (CVE-2024-21626, CVE-2022-0847)
  • Related research work by the author team in security, AI, and IoT domains

Overall Assessment: This paper provides a relatively comprehensive security analysis framework for OS-level virtualization. While limited in theoretical innovation, it possesses high practical value and systematic rigor, making it suitable as introductory and reference material in the container security field.