Union Buster: A Cross-Container Covert-Channel Exploiting Union Mounting

July 1, 2022

Novak Boskov, Boston University; Naor Radami, Ben-Gurion University; Trishita Tiwari, Cornell University; and Ari Trachtenberg, Boston University

Software containers provide a light-weight counterpart to virtual machines, utilizing the native host operating system to efficiently manage virtualization. Though efficient, this sharing of resources opens a potentially exploitable communication channel between collocated containers. To this end, we present a novel class of container isolation attacks that exploit union mounting, a key infrastructural component that allows for file system resource sharing among containers. We show that these vulnerabilities enable an unprivileged attacker, running a container on a shared commercial platform, to attack vulnerable victim containers on the same platform. More precisely, we showcase two attacks: one that gleans information from the vulnerable containers, and another that establishes a covert side channel for exfiltrating data from the victim. Our attack implementations leverage a page-cache attack (CVE-2019-5489), but the attack surface is intrinsic to the efficiency needs of container management, and the attacks apply even to the most recently patched Linux kernels. Our results highlight the need to rethink the page cache design in the context of multi-tenant clouds, and we propose some partial mitigations in this direction.


Cyber Security, Cryptology, and Machine Learning: 6th International Symposium, CSCML 2022, Be’er Sheva, Israel, June 30 – July 1, 2022, Proceedings, Jun 2022, Pages 300–317. https://doi.org/10.1007/978-3-031-07689-3_23
