Défense contre les attaques à l'aune des nouvelles formes de virtualisation des infrastructures

Maxime Bélair
Abstract: Containerization is an OS-level virtualization technique that offers good performance, ease of deployment and code reusability. Containers are therefore in massive use today. However, because of their large attack surface and the vulnerabilities they may contain, containers bring new security challenges, and the numerous existing defensive approaches do not address all of their security issues. In this thesis, we show that kernel programmability makes it possible to deploy innovative security services that improve the security of containers. After describing the specificities of container environments and the associated security challenges and opportunities, we present the design and implementation of SNAPPY, a new framework for setting up fine-grained programmable kernel security policies that is notably well suited to protecting containers. We also present SecuHub, a new framework for distributing CVE mitigation policies, which allows containers to protect themselves against known vulnerabilities. We finally show that SNAPPY and SecuHub can be used with very low performance overhead.
Contributor: ABES STAR
Submitted on: Tuesday, January 11, 2022 - 9:57:40 AM
Last modification on: Wednesday, April 27, 2022 - 3:54:32 AM
Long-term archiving on: Tuesday, April 12, 2022 - 6:39:28 PM

Version validated by the jury (STAR)

HAL Id: tel-03520546, version 1

Maxime Bélair. Défense contre les attaques à l'aune des nouvelles formes de virtualisation des infrastructures. Cryptographie et sécurité [cs.CR]. Ecole nationale supérieure Mines-Télécom Atlantique, 2021. Français. ⟨NNT : 2021IMTA0279⟩. ⟨tel-03520546⟩