This repository includes a Docker container able to mitigate covert channels exploiting the memory of the host to create malicious container-to-container communications. For an example of such malevolent application, refer to YehudaCorsia/Docker-Covert-channel. In order to disturb the covert channel, a random amount of memory is periodically allocated by the container.
This repository represent an outcome of a joint research by CNR-IMATI and CNR-IEIIT. In case of exploitation for research purposes, please cite the following paper:
M. Zuppelli, M. Repetto, L. Caviglione, E. Cambiaso, Information Leakages of Docker Containers: Characterization and Mitigation Strategies, 9th International Conference on Network Softwarization, Madrid, Spain, 19 - 23 June 2023.
For a manual installation, follow the steps reported below.
- Clone the repository:
git clone https://github.com/cybersecurity-cnr/docker-stego-protector
cd
into the cloned repository:
cd docker-stego-protector
- Build the Docker image:
docker build -t docker-stego-protector .
- Optionally, save the Docker image to file:
docker save docker-stego-protector:latest|gzip > docker-stego-protector.tar.gz
Just run the Docker container, with a command similar to the following one:
docker run -e SIZEFROM=1000000000 -e SIZETO=2000000000 -e TIMEOUTFROM=1 -e TIMEOUTFROM=5 -t docker-stego-protector
where:
SIZEFROM
identifies the minimum size of memory to allocate at each round, in bytesSIZETO
identifies the maximum size of memory to allocate at each round, in bytesTIMEOUTFROM
identifies the minimum duration of each round, in secondsTIMEOUTTO
identifies the maximum duration of each round, in seconds
This work was partially supported by project SERICS (PE00000014) under the NRRP MUR program funded by the EU - NGEU.