{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T11:13:23Z","timestamp":1775042003115,"version":"3.50.1"},"reference-count":120,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/OAPA.html"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2019]]},"DOI":"10.1109\/access.2019.2911732","type":"journal-article","created":{"date-parts":[[2019,4,17]],"date-time":"2019-04-17T19:46:40Z","timestamp":1555530400000},"page":"52976-52996","source":"Crossref","is-referenced-by-count":237,"title":["Container Security: Issues, Challenges, and the Road Ahead"],"prefix":"10.1109","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4781-5528","authenticated-orcid":false,"given":"Sari","family":"Sultan","sequence":"first","affiliation":[]},{"given":"Imtiaz","family":"Ahmad","sequence":"additional","affiliation":[]},{"given":"Tassos","family":"Dimitriou","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2017.49"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3058060.3058085"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/SCC.2016.123"},{"key":"ref32","author":"bogaerts","year":"2017","journal-title":"Arp Spoofing Docker Containers"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-190"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/TIM.2018.2815431"},{"key":"ref37","year":"2017","journal-title":"Namespaces&#x2014;Overview of Linux Namespaces"},{"key":"ref36","author":"team","year":"2017","journal-title":"Docker security"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.IR.8176"},{"key":"ref34","first-page":"123","volume":"800","author":"scarfone","year":"2008","journal-title":"Guide to General Server Security"},{"key":"ref28","year":"2018","journal-title":"Intel Clear Containers Now Part of Kata Containers"},{"key":"ref27","author":"kocher","year":"2018","journal-title":"Spectre Attacks Exploiting Speculative Execution"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/IWMN.2017.8078370"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.4018\/IJGHPC.2016010103"},{"key":"ref22","author":"stuart","year":"2015","journal-title":"Evolving Container Architectures"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/PDP.2013.41"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-67425-4_12"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/s10723-016-9366-y"},{"key":"ref101","author":"grattafiori","year":"2016","journal-title":"Understanding and Hardening Linux Containers"},{"key":"ref26","first-page":"973","article-title":"Meltdown: Reading Kernel memory from user space","author":"lipp","year":"2018","journal-title":"Proc 27th USENIX Secur Symp USENIX Secur"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/IUCC-CSS.2016.018"},{"key":"ref25","author":"golden","year":"2016","journal-title":"3 Reasons Why You Should Always Run Microservices Apps in Containers"},{"key":"ref50","year":"2017","journal-title":"Docker Default Capabilities"},{"key":"ref51","first-page":"17","article-title":"Linux security modules: General security support for the linux kernel","author":"morris","year":"2002","journal-title":"Proc Usenix Secur Symp"},{"key":"ref59","author":"johansen","year":"2018","journal-title":"Making Linux Security Modules Available to Containers"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2015.7346917"},{"key":"ref57","first-page":"94","article-title":"Enhancing security of docker using linux hardening techniques","author":"mp","year":"2016","journal-title":"Proc 2nd Int Conf Appl Theor Comput Commun Technol (iCATccT)"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2018.00169"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2015.7346869"},{"key":"ref54","year":"2017","journal-title":"Linux Security Module Usage"},{"key":"ref53","author":"smalley","year":"2001","journal-title":"Linux Security Modules General security hooks for Linux"},{"key":"ref52","article-title":"Mandatory access control","volume":"87","author":"lindqvist","year":"2006"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2879605"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/FiCloud.2017.27"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/MWC.2017.1600427"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2017.2714638"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/SMARTCOMP.2016.7501691"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2018.2141039"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD.2017.67"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.23919\/INM.2017.7987466"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2018.09.082"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_11"},{"key":"ref45","year":"2018","journal-title":"Chapter 8 Linux Capabilities and Seccomp"},{"key":"ref48","article-title":"Docker: Lightweight linux containers for consistent development and deployment","volume":"2014","author":"merkel","year":"2014","journal-title":"Linux J"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2017.16"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/ETFA.2013.6648167"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.4436"},{"key":"ref44","year":"2017","journal-title":"Linux Capabilities"},{"key":"ref43","author":"chen","year":"2018","journal-title":"A container-based DoS attack-resilient control framework for real-time UAV systems"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1145\/2487726.2488370"},{"key":"ref72","article-title":"Intel SGX explained","author":"costan","year":"2016"},{"key":"ref71","year":"2016","journal-title":"Trusted Platform Module (TPM) 2 0 a brief introduction"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1109\/SECURWARE.2008.23"},{"key":"ref76","first-page":"533","article-title":"Ryoan: A distributed sandbox for untrusted computation on secret data","author":"hunt","year":"2016","journal-title":"Proc OSDI"},{"key":"ref77","first-page":"645","article-title":"Graphene-SGX: A practical library OS for unmodified applications on SGX","author":"tsai","year":"2017","journal-title":"Proc USENIX Annu Tech Conf USENIX ATC"},{"key":"ref74","first-page":"689","article-title":"SCONE: Secure linux containers with intel SGX","author":"arnautov","year":"2016","journal-title":"Proc OSDI"},{"key":"ref75","author":"zetter","year":"2016","journal-title":"NSA hacker chief explains how to keep him out of your system"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.45"},{"key":"ref79","first-page":"1041","article-title":"Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution","author":"van bulck","year":"2017","journal-title":"Proc 27th USENIX Secur Symp USENIX Secur"},{"key":"ref60","first-page":"1423","article-title":"Security namespace: making linux security frameworks available to containers","author":"sun","year":"2018","journal-title":"Proc 27th USENIX Secur Symp USENIX Secur"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1203224"},{"key":"ref61","doi-asserted-by":"crossref","first-page":"1332","DOI":"10.1007\/978-1-4419-5906-5_796","article-title":"Trusted platform module","author":"morris","year":"2011","journal-title":"Encyclopedia of Cryptography and Security"},{"key":"ref63","author":"martin","year":"2008","journal-title":"The Ten-Page Introduction to Trusted Computing"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/2996890.3009903"},{"key":"ref65","first-page":"305","article-title":"vTPM: Virtualizing the trusted platform module","author":"perez","year":"2006","journal-title":"Proc 15th Conf USENIX Secur Symp"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-68979-9_9"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076759"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1007\/s11859-015-1127-4"},{"key":"ref2","author":"tozzi","year":"2017","journal-title":"What Do Containers have to Do With DevOps Anyway?"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/MINES.2012.82"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4302-4570-4"},{"key":"ref109","first-page":"1","article-title":"Lock-in-Pop: Securing privileged operating system kernels by keeping on the beaten path","author":"li","year":"2017","journal-title":"Proc Usenix Ann Technical Conf (Usenix '99)"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/i-Society.2016.7854163"},{"key":"ref108","article-title":"Understanding container isolation mechanisms for building security-sensitive private cloud","author":"babar","year":"2017"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom.2016.0119"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1145\/3195870.3195874"},{"key":"ref93","article-title":"Security analysis of Docker containers in a production environment","author":"kabbe","year":"2017"},{"key":"ref106","article-title":"Security in Docker swarm: Orchestration service for distributed software systems","author":"s\u00e6ther","year":"2018"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274720"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1109\/eScience.2017.80"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2018.03.011"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1007\/s11042-017-5224-6"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029832"},{"key":"ref103","author":"bui","year":"2015","journal-title":"Analysis of Docker Security"},{"key":"ref102","author":"goyal","year":"2017","journal-title":"CIS Docker Community Edition Benchmark v1 1 0"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2016.28"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1145\/2499368.2451145"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1109\/IC2E.2018.00025"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCSW.2017.66"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11599-3_5"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.2991\/icmmcce-17.2017.238"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1147\/JRD.2016.2574138"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2018.00076"},{"key":"ref11","author":"buyya","year":"2017","journal-title":"A Manifesto for Future Generation Cloud Computing Research Directions for the Next Decade"},{"key":"ref12","year":"2017","journal-title":"451 Research Says Application Container Market to Reach 2 7 Billion by 2020"},{"key":"ref13","author":"walsh","year":"2014","journal-title":"Are Docker Containers Really Secure?"},{"key":"ref14","article-title":"A security evaluation methodology for container images","author":"abbott","year":"2017"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/MCC.2016.100"},{"key":"ref118","author":"brown","year":"2016","journal-title":"The Future of IoT Containers Aim to Solve Security Crisis"},{"key":"ref16","author":"bettini","year":"2015","journal-title":"vulnerability exploitation in docker container environments"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_1"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2017.2704444"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2431211.2431216"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/3173162.3173204"},{"key":"ref18","doi-asserted-by":"crossref","DOI":"10.1145\/2480741.2480757","article-title":"A survey of security issues in hardware virtualization","volume":"45","author":"p\u00e9k","year":"2013","journal-title":"ACM Comput Surv"},{"key":"ref84","author":"brasser","year":"2017","journal-title":"Software grand exposure SGX cache attacks are practical"},{"key":"ref119","first-page":"45","article-title":"Internet of things: Security issues","volume":"6","author":"haritha","year":"2017","journal-title":"Ineternational Journal of Engineering Science Invention"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2018.2794881"},{"key":"ref83","first-page":"299","article-title":"High-resolution side channels for untrusted operating systems","author":"h\u00e4hnel","year":"2017","journal-title":"Proc of USENIX Annual Technical Conf (USENIX)"},{"key":"ref114","author":"dewald","year":"2018","journal-title":"Incident Analysis and Forensics in Docker Environments"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/TCC.2017.2702586"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2018.1700175"},{"key":"ref80","first-page":"557","article-title":"Inferring fine-grained control flow inside SGX enclaves with branch shadowing","author":"lee","year":"2017","journal-title":"Proc 27th USENIX Secur Symp USENIX Secur"},{"key":"ref115","article-title":"A survey on security isolation of virtualization, containers, and unikernels","author":"de lucia","year":"2017"},{"key":"ref120","first-page":"1","article-title":"Namespacing and stacking the LSM","author":"johansen","year":"2017","journal-title":"Proc Linux Plumbers Conf"},{"key":"ref89","article-title":"Static vulnerability analysis of docker images","author":"henriksson","year":"2017"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134038"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23193"},{"key":"ref87","author":"shih","year":"2018","journal-title":"TSX-Based Defenses Against SGX Side-Channel Attacks"},{"key":"ref88","author":"gummaraju","year":"2015","journal-title":"Over 30% of official images in docker hub contain high priority security vulnerabilities"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/8600701\/08693491.pdf?arnumber=8693491","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,8,10]],"date-time":"2021-08-10T19:39:57Z","timestamp":1628624397000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8693491\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"references-count":120,"URL":"https:\/\/doi.org\/10.1109\/access.2019.2911732","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019]]}}}