Fine-Grained Supervision and Restriction of Biomedical Applications in Linux Containers

Title: Fine-Grained Supervision and Restriction of Biomedical Applications in Linux Containers
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Witt, M., Jansen, C., Krefting, D., Streit, A.
Conference Name: 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID)
Keywords: algorithm development, application analysis, biomedical application restriction, biomedical data, cloud computing, Collaboration, complex programs, composability, container portability, Containers, Data analysis, distributed processing, docker-based container, external code repositories, fine-grained restricted environment, fine-grained supervision, Kernel, Linux, Linux containers, medical administrative data processing, medical data processing, Monitoring, multidimensional biosignal recordings normalization, operating system, policy, Policy-Governed Secure Collaboration, Policy-Governed systems, Process Supervision, program libraries, pubcrawl, sandbox, Sandboxing, security, security of data, security technologies, system call filtering, System Call Interception

Applications for the analysis of biomedical data are complex programs that often consist of multiple components. Reuse of existing solutions from external code repositories or program libraries is common in algorithm development. To ease reproducibility as well as the transfer of algorithms and their required components into distributed infrastructures, Linux containers are increasingly used in such environments, which are at least partly connected to the internet. However, concerns about the untrusted application remain and are of high interest when medical data is processed. Additionally, the portability of the containers needs to be ensured by using only security technologies that do not require additional kernel modules. In this paper we describe measures and a solution to secure the execution of an example biomedical application for the normalization of multidimensional biosignal recordings. This application, the required runtime environment and the security mechanisms are installed in a Docker-based container. A fine-grained restricted environment (sandbox) for the execution of the application and the prevention of unwanted behaviour is created inside the container. The sandbox is based on the filtering of system calls, since these are required to interact with the operating system in order to access potentially restricted resources such as the filesystem or the network. Due to the low-level character of system calls, the creation of an adequate rule set for the sandbox is challenging. Therefore the presented solution includes a monitoring component that collects the data required for defining the rules of the application sandbox. Performance evaluation of the application execution shows no significant impact of the resulting sandbox, while detailed monitoring may increase runtime by up to over 420%.
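As an added illustration of the monitoring-to-rule-set step the abstract describes (this is not code from the paper), the following Python script takes constructed strace-style monitoring lines, derives the set of system calls the application actually made, flags calls a file-based normalization job should not need, and emits a Docker-style seccomp allowlist profile. The strace line format, the sample trace and the profile field names are assumptions of this example.

```python
import json
import re

# Constructed sample of monitoring output in strace -f style (not taken from the paper).
# The main process is unprefixed; child processes carry a "[pid N]" prefix, and
# interrupted calls appear as "<unfinished ...>" / "<... resumed>" pairs.
SAMPLE_TRACE = [
    'execve("/opt/app/normalize", ["normalize", "/data/rec.edf"], 0x7ffc...) = 0',
    'brk(NULL) = 0x55d0c8a4f000',
    'openat(AT_FDCWD, "/data/rec.edf", O_RDONLY) = 3',
    'read(3, "0       ", 256) = 256',
    'mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1c...',
    'clone(child_stack=NULL, flags=CLONE_VM|SIGCHLD) = 4713',
    '[pid  4713] write(1, "done\\n", 5 <unfinished ...>',
    '[pid  4713] <... write resumed> ) = 5',
    '[pid  4713] exit_group(0) = ?',
    '--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4713} ---',
    '+++ exited with 0 +++',
]

# Matches the syscall name at the start of a trace line, with or without a pid prefix.
_CALL = re.compile(r'^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(')

def observed_syscalls(lines):
    """Return the set of distinct syscall names seen in the monitoring output.
    Resumed, signal and exit lines carry no new call and are skipped."""
    return {m.group(1) for m in map(_CALL.match, lines) if m}

def build_profile(allowed):
    """Build a Docker-style seccomp allowlist profile: any call not observed during
    monitoring fails with an errno instead of reaching the kernel."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }

# Calls a purely file-based normalization step has no reason to make; if monitoring
# shows them, the rule set (or the application) needs review before deployment.
UNEXPECTED = {"socket", "connect", "ptrace", "mount", "reboot", "init_module"}

def audit(allowed):
    """Return the observed syscalls that should be questioned rather than allowed."""
    return sorted(set(allowed) & UNEXPECTED)

if __name__ == "__main__":
    calls = observed_syscalls(SAMPLE_TRACE)
    print("needs review:", audit(calls))
    print(json.dumps(build_profile(calls), indent=2))
```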

Citation Key: witt_fine-grained_2017