Subrota Kumar Mondal, Pan Wenxi, Dai Hongning, Chen Yijun, Wang Haocheng
Received: 2023-08-17; Revised: 2024-04-29; Accepted: 2024-06-25; Online: 2024-07-16
Container technology is now widely used across the community for application deployment and maintenance. Compared with virtual machines, containers are lightweight and occupy fewer hardware resources because they share the kernel with the host system. However, because of the weak isolation provided by container mechanisms, the host system and other containers become vulnerable when an attacker inside a container exploits a kernel vulnerability. Unauthorized control of the container engine and tainted images are further threats to containers. Understanding the security patterns behind these issues is therefore important for strengthening container security. To this end, in this paper we present an empirical study of container escape, the class of risk in which an attacker inside one container gains the privileges needed to take control of other containers or the host. Our study covers the common patterns, root causes, exploits, possible fixes, and more. In particular, we study nine related vulnerabilities discovered in recent years by analyzing their root causes, deploying environments to reproduce the attacks, and comparing the official patches. For some of these vulnerabilities, we also present alternative defenses or fixes. Finally, we summarize the lessons learned from each vulnerability and propose directions for further analysis based on these experiences.