AppArmor Profile Generator as a Cloud Service

Hui Zhu and Christian Gehrmann
Department of Electrical and Information Technology, Lund University, Lund, Sweden

Keywords: Security-as-a-Service, Docker, Container, AppArmor.

Abstract: Along with the rapid development of containerization technology, remarkable benefits have been created for developers, operations teams, and the overall software infrastructure. Although much effort has been devoted to enhancing containerization security, containerized environments still have a huge attack surface. This paper proposes a secure cloud service for generating Linux security module (AppArmor) profiles for containerized services. The profile generator service implements container runtime profiling to apply customized AppArmor policies that protect containerized services without the need for hard and potentially error-prone manual policy configuration. To evaluate the effectiveness of the profile generator service, we enable it on a widely used containerized web service to generate profiles and test them against real-world attacks. We build an exploit database of 11 exploits harmful to the tested web service, sifted from the 56 exploits in Exploit-db that target the tested web service's software. We launch these exploits against the web service protected by the generated profile. The results show that the proposed profile generator service substantially improves the test web service's overall security compared to using the default Docker security profile.

1 INTRODUCTION

Containerization is by far the most eye-catching technology as an alternative or companion to virtualization. Gartner predicts that by 2022, more than 75% of global organizations will be running containerized applications in production¹. However, while enjoying the significant benefits brought by containerization technology such as portability, efficiency, and agility, several security issues also arise from the kernel-sharing property of containerization (Casalicchio and Iannucci, 2020). Containers and microservice architectures are different from traditional virtual machines running monolithic applications (Martin et al., 2018). DevSecOps is a set of practices that combines software development (Dev), security (Sec), and IT operations (Ops), meaning that security is built into application development throughout the whole service life-cycle (Myrbakken and Colomo-Palacios, 2017). The Cloud Security Alliance (CSA) points out that DevSecOps was created as a response to the security issues that have arisen from microservices-based architectures². CSA defines six focus areas critical to integrating DevSecOps into an organization, one of which is automation. The security of microservices in containers should be automated to protect the environment and data. Several security controls for containers have been embedded into continuous integration and delivery pipelines to ensure the automated end-to-end security of containers. One such control is behavior-based control securing the container runtime.

¹ https://www.gartner.com/smarterwithgartner/6-best-practices-for-creating-a-container-platform-strategy/
² https://cloudsecurityalliance.org/artifacts/six-pillars-of-devsecops/

Many different behavior-based solutions have appeared in the industry. The typical approach of the top container security products is to monitor the container's behavior and detect malicious activities using rule-based or machine-learning-based approaches. For example, the TwistLock runtime offers both static analysis and machine-learning-based behavioral monitoring (Stopel et al., 2020). TwistLock's monitoring and profiling defense works on four levels: the file system (Levin et al., 2020a), the processes, the system calls, and the network (Levin et al., 2020b). Similarly, Aqua's runtime security for Docker restricts privileges for files, executables, and OS resources based on a machine-learned behavioral profile to ensure that only necessary privileges are given to the

Zhu, H. and Gehrmann, C. AppArmor Profile Generator as a Cloud Service. DOI: 10.5220/0010434100450055. In Proceedings of the 11th International Conference on Cloud Computing and Services Science (CLOSER 2021), pages 45-55. ISBN: 978-989-758-510-4. Copyright © 2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved.
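The runtime-profiling step the abstract describes, as an added example that is not the paper's own code: a small Python learner that reads AppArmor complain-mode audit events recorded while a container runs its normal workload and turns the observed file accesses and capabilities into a minimal enforce-mode profile, much as aa-logprof does. The audit lines, the profile name docker-webapp, and all paths and pids are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed complain-mode audit events (same key=value layout as the kernel's
# AppArmor audit messages); profile name, paths and pids are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1600000000.101:10): apparmor="ALLOWED" operation="open" profile="docker-webapp" name="/etc/nginx/nginx.conf" pid=311 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.102:11): apparmor="ALLOWED" operation="open" profile="docker-webapp" name="/var/log/nginx/access.log" pid=311 comm="nginx" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.103:12): apparmor="ALLOWED" operation="open" profile="docker-webapp" name="/var/log/nginx/access.log" pid=311 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1600000000.104:13): apparmor="ALLOWED" operation="capable" profile="docker-webapp" pid=311 comm="nginx" capability=10 capname="net_bind_service"
type=AVC msg=audit(1600000000.105:14): apparmor="ALLOWED" operation="open" profile="other-svc" name="/etc/shadow" pid=99 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Audit masks 'c' (create) and 'd' (delete) are covered by 'w' in profile rules.
MASK_MAP = {"c": "w", "d": "w"}

def parse_audit_line(line):
    """Return the key/value pairs of one audit line, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def learn_rules(audit_text, profile_name):
    """Aggregate file permissions per path and capabilities for one profile."""
    file_masks, caps = defaultdict(set), set()
    for line in audit_text.splitlines():
        ev = parse_audit_line(line)
        # Keep only this container's complain-mode events; ignore other profiles.
        if ev.get("apparmor") != "ALLOWED" or ev.get("profile") != profile_name:
            continue
        if ev.get("operation") == "capable" and "capname" in ev:
            caps.add(ev["capname"])
        elif "name" in ev and "requested_mask" in ev:
            file_masks[ev["name"]].update(MASK_MAP.get(m, m) for m in ev["requested_mask"])
    return file_masks, caps

def render_profile(profile_name, file_masks, caps):
    """Emit an enforce-mode profile that allows only what was observed."""
    out = ["#include <tunables/global>",
           f"profile {profile_name} flags=(attach_disconnected,mediate_deleted) {{",
           "  #include <abstractions/base>"]
    out += [f"  capability {c}," for c in sorted(caps)]
    for path in sorted(file_masks):
        # Exec permissions need a qualifier (ix/px/...) and are not derived here.
        out.append(f"  {path} {''.join(m for m in 'rwalkm' if m in file_masks[path])},")
    out.append("}")
    return "\n".join(out) + "\n"

def generate_profile(audit_text, profile_name):
    return render_profile(profile_name, *learn_rules(audit_text, profile_name))
```

Run the workload long enough to exercise every code path before switching the profile from complain to enforce mode; anything not observed during profiling is denied afterwards.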