English

Lic-Sec: an enhanced AppArmor Docker security profile generator

Cryptography and Security 2020-09-25 v1

Abstract

Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allows protection of the container without manually configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 42 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-db. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec failed to give protection.

Keywords

Cite

@article{arxiv.2009.11572,
  title  = {Lic-Sec: an enhanced AppArmor Docker security profile generator},
  author = {Hui Zhu and Christian Gehrmann},
  journal= {arXiv preprint arXiv:2009.11572},
  year   = {2020}
}
R2 v1 2026-06-23T18:45:47.703Z