Secure Container-based High Performance Computing Architecture

Abstract

This PhD thesis addresses the evolving landscape of High Performance Computing (HPC) by focusing on the critical challenge of securing the use of container virtualisation within HPC environments. The traditional approach to security for HPC operators is being challenged by a growing number of cyber security threats such as hacks and resource misuse. In addition, the risk of insider attacks is increasing, overall requiring a re-evaluation of security strategies, which in many cases are still based on a high level of trust in users.

This is further aggravated by the increasing demand to open up HPC environments to novel users and their diverse workloads. These generally differ from the existing users of an environment in that they come from a different domain and require a different application stack, that is often user-specific and conflicting with the existing software stack deployed in the HPC environment. This complexity and the high level of effort required to support such diversity means that in such a scenario the deployment of applications can often no longer be carried out in the traditional way by the administrators of the environment. In order to address this challenging situation, support for User-Defined Software Stacks (UDSS) is required to meet the demand for a growing range of user-specific applications and provide support for configurations conflicting the rest of the environment. Supporting the deployment and use of UDSS by users from different domains, however, has serious implications for the security of such an environment. This thus requires different approaches than if applications are made available in a curated manner by the administrators of the environment, as a different level of trust can be applied here. Container technology has emerged as a viable solution to support UDSS, offering the flexibility to support custom and sometimes conflicting software stacks - but it also introduces a new potential for security risks.

The central research question of this thesis is how the use of UDSS in an HPC environment can be made more secure. The individual research objectives encompass understanding current HPC environments, analysing container security measures, and proposing a secure container-based HPC architecture. This architecture takes into account the requirements and risks associated with UDSS to both empower users with support for UDSS while ensuring secure container execution. As part of this, a multi-stage image analysis process is introduced to identify potentially malicious user-provided applications prior to deployment. The outcome of this analysis also serves as a basis for advanced security measures further securing containerised workloads during execution. These are implemented as rule-based security monitoring and neural network-based anomaly detection. Additionally, a concept for extended isolation is outlined, emphasising additional protection from both other shared environment users and especially operators.

The experiments conducted as part of this research show that a) the general use of containerised applications is associated with a low performance overhead, which is outweighed by the advantages of containers, b) a rule-based monitoring approach, which offers the advantage that the rules can be easily analysed, modified and adapted to specific threats, can be applied at all levels related to containerised workload execution. Related performance overhead can be reduced through appropriate filtering, c) a neural network-based approach, based on an image-specific behavioural model and evaluated with two distinct approaches, shows that system call distribution and parameters using file system paths are in general suited for detecting malicious behaviour during workload execution.

With these contributions, the work advances the understanding of how to implement secure container use in HPC, fostering a potential for more flexible, yet secure compute environments.