{"id":"https://openalex.org/W4417131135","doi":"https://doi.org/10.1109/tdsc.2025.3641311","title":"Exploiting Kubernetes\u2019 Image Pull Implementation to Deny Node Availability","display_name":"Exploiting Kubernetes\u2019 Image Pull Implementation to Deny Node Availability","publication_year":2025,"publication_date":"2025-12-08","ids":{"openalex":"https://openalex.org/W4417131135","doi":"https://doi.org/10.1109/tdsc.2025.3641311"},"language":"en","primary_location":{"id":"doi:10.1109/tdsc.2025.3641311","is_oa":true,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3641311","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1109/tdsc.2025.3641311","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5005612187","display_name":"Luis Augusto Dias Knob","orcid":"https://orcid.org/0000-0001-7291-7780"},"institutions":[{"id":"https://openalex.org/I2277624104","display_name":"Fondazione Bruno Kessler","ror":"https://ror.org/01j33xk10","country_code":"IT","type":"facility","lineage":["https://openalex.org/I2277624104"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Luis Augusto Dias Knob","raw_affiliation_strings":["DAISY, Center for Cybersecurity, Fondazione Bruno Kessler, Trento, Italy","Center for Cybersecurity, Fondazione Bruno Kessler, Italy"],"raw_orcid":"https://orcid.org/0000-0001-7291-7780","affiliations":[{"raw_affiliation_string":"DAISY, Center for Cybersecurity, Fondazione Bruno Kessler, Trento, Italy","institution_ids":["https://openalex.org/I2277624104"]},{"raw_affiliation_string":"Center for Cybersecurity, Fondazione Bruno Kessler, Italy","institution_ids":["https://openalex.org/I2277624104"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5093766568","display_name":"Matteo Franzil","orcid":"https://orcid.org/0009-0001-1273-3936"},"institutions":[{"id":"https://openalex.org/I193223587","display_name":"University of Trento","ror":"https://ror.org/05trd4x28","country_code":"IT","type":"education","lineage":["https://openalex.org/I193223587"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Matteo Franzil","raw_affiliation_strings":["Department of Information Engineering and Computer Science, University of Trento, Trento, Italy","Department of Information Engineering, Computer Science, University of Trento, Italy"],"raw_orcid":"https://orcid.org/0009-0001-1273-3936","affiliations":[{"raw_affiliation_string":"Department of Information Engineering and Computer Science, University of Trento, Trento, Italy","institution_ids":["https://openalex.org/I193223587"]},{"raw_affiliation_string":"Department of Information Engineering, Computer Science, University of Trento, Italy","institution_ids":["https://openalex.org/I193223587"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5044055480","display_name":"Domenico Siracusa","orcid":"https://orcid.org/0000-0002-5640-6507"},"institutions":[{"id":"https://openalex.org/I193223587","display_name":"University of Trento","ror":"https://ror.org/05trd4x28","country_code":"IT","type":"education","lineage":["https://openalex.org/I193223587"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Domenico Siracusa","raw_affiliation_strings":["Department of Information Engineering and Computer Science, University of Trento, Trento, Italy","Department of Information Engineering, Computer Science, University of Trento, Italy"],"raw_orcid":"https://orcid.org/0000-0002-5640-6507","affiliations":[{"raw_affiliation_string":"Department of Information Engineering and Computer Science, University of Trento, Trento, Italy","institution_ids":["https://openalex.org/I193223587"]},{"raw_affiliation_string":"Department of Information Engineering, Computer Science, University of Trento, Italy","institution_ids":["https://openalex.org/I193223587"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.1855969,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"23","issue":"2","first_page":"3784","last_page":"3797"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.6955000162124634,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.6955000162124634,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11614","display_name":"Cloud Data Security Solutions","score":0.08250000327825546,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.020899999886751175,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/container","display_name":"Container (type theory)","score":0.7361000180244446},{"id":"https://openalex.org/keywords/popularity","display_name":"Popularity","score":0.5960999727249146},{"id":"https://openalex.org/keywords/denial-of-service-attack","display_name":"Denial-of-service attack","score":0.520799994468689},{"id":"https://openalex.org/keywords/upload","display_name":"Upload","score":0.4986000061035156},{"id":"https://openalex.org/keywords/orchestration","display_name":"Orchestration","score":0.4832000136375427},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.4465000033378601},{"id":"https://openalex.org/keywords/firewall","display_name":"Firewall (physics)","score":0.40149998664855957},{"id":"https://openalex.org/keywords/abstraction","display_name":"Abstraction","score":0.39879998564720154},{"id":"https://openalex.org/keywords/containerization","display_name":"Containerization","score":0.39820000529289246}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8472999930381775},{"id":"https://openalex.org/C2781018962","wikidata":"https://www.wikidata.org/wiki/Q5164884","display_name":"Container (type theory)","level":2,"score":0.7361000180244446},{"id":"https://openalex.org/C2780586970","wikidata":"https://www.wikidata.org/wiki/Q1357284","display_name":"Popularity","level":2,"score":0.5960999727249146},{"id":"https://openalex.org/C38822068","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Denial-of-service attack","level":3,"score":0.520799994468689},{"id":"https://openalex.org/C71901391","wikidata":"https://www.wikidata.org/wiki/Q7126699","display_name":"Upload","level":2,"score":0.4986000061035156},{"id":"https://openalex.org/C199168358","wikidata":"https://www.wikidata.org/wiki/Q3367000","display_name":"Orchestration","level":3,"score":0.4832000136375427},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4578000009059906},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.4465000033378601},{"id":"https://openalex.org/C77714075","wikidata":"https://www.wikidata.org/wiki/Q5452017","display_name":"Firewall (physics)","level":5,"score":0.40149998664855957},{"id":"https://openalex.org/C124304363","wikidata":"https://www.wikidata.org/wiki/Q673661","display_name":"Abstraction","level":2,"score":0.39879998564720154},{"id":"https://openalex.org/C2779821363","wikidata":"https://www.wikidata.org/wiki/Q428072","display_name":"Containerization","level":3,"score":0.39820000529289246},{"id":"https://openalex.org/C62611344","wikidata":"https://www.wikidata.org/wiki/Q1062658","display_name":"Node (physics)","level":2,"score":0.3978999853134155},{"id":"https://openalex.org/C513985346","wikidata":"https://www.wikidata.org/wiki/Q270471","display_name":"Virtualization","level":3,"score":0.3862999975681305},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.38499999046325684},{"id":"https://openalex.org/C15569618","wikidata":"https://www.wikidata.org/wiki/Q3561421","display_name":"Liveness","level":2,"score":0.37310001254081726},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.35690000653266907},{"id":"https://openalex.org/C165064840","wikidata":"https://www.wikidata.org/wiki/Q1321061","display_name":"Matching (statistics)","level":2,"score":0.34549999237060547},{"id":"https://openalex.org/C180652500","wikidata":"https://www.wikidata.org/wiki/Q1351910","display_name":"Push technology","level":2,"score":0.3255999982357025},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.32269999384880066},{"id":"https://openalex.org/C2780378061","wikidata":"https://www.wikidata.org/wiki/Q25351891","display_name":"Service (business)","level":2,"score":0.3197000026702881},{"id":"https://openalex.org/C103613024","wikidata":"https://www.wikidata.org/wiki/Q230924","display_name":"Stateless protocol","level":3,"score":0.3190999925136566},{"id":"https://openalex.org/C164100034","wikidata":"https://www.wikidata.org/wiki/Q1870629","display_name":"Loose coupling","level":2,"score":0.31540000438690186},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.29820001125335693},{"id":"https://openalex.org/C147358964","wikidata":"https://www.wikidata.org/wiki/Q1200992","display_name":"Abstraction layer","level":3,"score":0.28790000081062317},{"id":"https://openalex.org/C113843644","wikidata":"https://www.wikidata.org/wiki/Q901882","display_name":"Interface (matter)","level":4,"score":0.28200000524520874},{"id":"https://openalex.org/C205606062","wikidata":"https://www.wikidata.org/wiki/Q5249645","display_name":"Decoupling (probability)","level":2,"score":0.2799000144004822},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.25859999656677246},{"id":"https://openalex.org/C2776834041","wikidata":"https://www.wikidata.org/wiki/Q25346349","display_name":"Execution model","level":2,"score":0.257099986076355},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.25600001215934753},{"id":"https://openalex.org/C4679612","wikidata":"https://www.wikidata.org/wiki/Q866298","display_name":"Aggregate (composite)","level":2,"score":0.2538999915122986}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/tdsc.2025.3641311","is_oa":true,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3641311","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},{"id":"pmh:oai:iris.unitn.it:11572/470670","is_oa":false,"landing_page_url":"https://hdl.handle.net/11572/470670","pdf_url":null,"source":{"id":"https://openalex.org/S4377196320","display_name":"Iris (University of Trento)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I193223587","host_organization_name":"University of Trento","host_organization_lineage":["https://openalex.org/I193223587"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"info:eu-repo/semantics/article"}],"best_oa_location":{"id":"doi:10.1109/tdsc.2025.3641311","is_oa":true,"landing_page_url":"https://doi.org/10.1109/tdsc.2025.3641311","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Kubernetes":[0],"(K8s)":[1],"has":[2],"grown":[3],"in":[4,21,137,187,199],"popularity":[5],"over":[6],"the":[7,13,38,57,63,67,75,78,87,90,97,100,104,108,111,188,193,200],"past":[8],"few":[9],"years":[10],"to":[11,29,114,152],"become":[12],"<italic":[14],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[15],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">de-facto</i>":[16],"standard":[17],"for":[18,61,169],"container":[19,64,91,105,161],"orchestration":[20],"cloud-native":[22],"environments.":[23],"While":[24],"research":[25],"is":[26,59],"not":[27,51],"new":[28,160],"topics":[30],"such":[31,115,144],"as":[32,131,204],"containerization":[33],"and":[34,46,69,86,163,166,192,217],"access":[35],"control":[36],"security,":[37],"Application":[39],"Programming":[40],"Interface":[41],"(API)":[42],"interactions":[43],"between":[44,190],"K8s":[45,94,139,191],"its":[47],"runtime":[48,92],"interfaces":[49],"have":[50],"been":[52],"studied":[53],"thoroughly.":[54],"In":[55,117],"particular,":[56],"CRI-API":[58],"responsible":[60],"abstracting":[62],"runtime,":[65],"managing":[66],"creation":[68],"lifecycle":[70],"of":[71,77,84,89,96,99,103,110,125,134,159,174],"containers":[72],"along":[73],"with":[74],"downloads":[76,158],"respective":[79],"images.":[80],"However,":[81],"this":[82,118,123,179],"decoupling":[83],"concerns":[85],"abstraction":[88],"renders":[93],"unaware":[95],"status":[98,126],"downloading":[101],"process":[102],"images,":[106,162],"obstructing":[107],"monitoring":[109],"resources":[112],"allocated":[113],"process.":[116],"paper,":[119],"we":[120,208],"discuss":[121],"how":[122,143],"lack":[124],"information":[127],"can":[128,146],"be":[129,197],"exploited":[130],"a":[132,138,170,183,205],"Denial":[133],"Service":[135],"attack":[136],"cluster.":[140],"We":[141],"show":[142],"attacks":[145],"impact":[147],"worker":[148],"nodes,":[149],"generating":[150],"up":[151],"95%":[153],"average":[154],"CPU":[155],"usage,":[156],"prevent":[157],"increase":[164],"I/O":[165],"network":[167],"usage":[168],"potentially":[171],"unlimited":[172],"amount":[173],"time.We":[175],"argue":[176],"that":[177,215],"solving":[178],"problem":[180],"would":[181,196],"require":[182],"radical":[184],"architectural":[185],"change":[186],"relationship":[189],"CRI-API,":[194],"which":[195],"unfeasible":[198],"short":[201],"term.":[202],"Thus,":[203],"stopgap":[206],"solution,":[207],"propose":[209],"MAGI:":[210],"an":[211],"eBPF-based,":[212],"proof-of-concept":[213],"mitigation":[214],"detects":[216],"terminates":[218],"potential":[219],"attacks.":[220]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-12-08T00:00:00"}