Linux Containers for App Security

A major focus in security is preventing system intrusion resulting from vulnerabilities in the software running on it. However an equally important consideration is mitigation and isolation – if an attacker is successfully able to compromise a single node in a system, how do you prevent the attack from spreading? Isolating a complex system into components that are fire-walled from each other (either via software or hardware) ensures that the attack surface of any given component is limited, and that a weakness in one component does not compromise the rest. In the age of ‘the cloud’, the traditional approach for servers has been to use virtual machines as a means of partitioning one physical machine into smaller logical units. While this is a tried and tested solution, it is far from ideal. Each virtual machine requires a complete filesystem, virtualized RAM and an entire operating system. In addition there is the overhead of the virtualization environment/hypervisor as well as the instruction translation layer between the virtualized kernel and the host kernel.

LXC Security Approach

Linux containers (LXC) takes a different approach. Dubbed an ‘operating-system level virtualization’ technology, containers actually share the same kernel as the host. Features such as kernel namespaces to restrict any given container’s view of the operating system it runs on, and cgroups allow resource allocations to be dynamically managed to ensure QoS. As with virtualization, containers cannot see processes running on the same kernel outside of its own namespace and have no direct access to real hardware. In mobile things are very different – devices have very limited physical resources (memory, CPU, battery) so no real virtualization solutions have ever come into prominence on these platforms. As these devices have a different usage model to servers, the security concept has been largely focused on ‘app’ sandboxing. In a way, the approach taken by LXC is more similar to sandboxing on mobile devices than virtualization. The ‘app’ can be thought of as a container, while the sandbox stays light by marshaling access to shared resources rather than creating virtualized ones. Another consideration with mobile is that it is much easier for an attacker to gain physical access to the device. In this situation containerization may not be enough – if you have physical access to the container, you can break in. One solution to mitigating this sort of attack is by reducing reliance on the operating system for protection, and additionally protecting what’s inside the container. At Apperian we offer Data At Rest (DAR) encryption as part of our app wrapping technology. Data At Rest ensures that all data persisted to disk by an application is transparently encrypted, ensuring the security of the contents of the container.