Analysis of Security in OS-Level Virtualization

Krishna Sai Ketha, Guanqun Song, Ting Zhu

TL;DR

The paper analyzes OS-level virtualization as a lightweight alternative to hypervisor-based approaches, focusing on container isolation and security. It maps the Docker-based container creation lifecycle to a threat model and uses two case studies—Runc container breakout and the Dirty Pipe kernel vulnerability—to illustrate how runtime and host-kernel flaws can break isolation. The study highlights concrete attack surfaces across image supply, configuration, and runtime components, and offers practical hardening guidance such as image integrity checks, restricted privileges, and timely patching. It also points to future directions like AI-driven threat detection and secure networking to bolster container security in evolving environments.

Abstract

Virtualization is a technique that allows multiple instances, typically running different guest operating systems, to execute on top of a single piece of physical hardware. A hypervisor, a layer of software running on top of the host operating system, typically runs and manages these guest operating systems. Rather than running different services on different servers for reliability and security reasons, companies started to employ virtualization on their servers to run these services within a single server. This approach benefits companies because it provides better reliability, stronger isolation, improved security and better resource utilization than running services on multiple servers. Although hypervisor-based virtualization offers better resource utilization and stronger isolation, it also suffers from high overhead, as the host operating system has to maintain several guest operating systems. To tackle this issue, another form of virtualization, known as operating system-level virtualization, has emerged. It provides lightweight, minimal and efficient virtualization, as the different instances run on top of the same host operating system and share its resources. But sharing the same host operating system weakens the isolation between instances. In this paper, we will first establish the basic concepts of virtualization and point out the differences between hypervisor-based virtualization and operating system-level virtualization. Next, we will discuss the container creation life-cycle, which helps in forming a container threat model for container systems and allows us to map different potential attack vectors within these systems. Finally, we will discuss a case study that further examines the isolation provided by containers.

Paper Structure (8 sections, 6 figures)

Figures (6)

  • Figure 1: Type 2 - Virtualization
  • Figure 2: OS-Level Virtualization
  • Figure 3: Container Creation Life-cycle
  • Figure 4: Container Threat Model
  • Figure 5: Runc Container Breakout and Reading files within host operating system
  • ...and 1 more figure