312-50V11 · Question #769
Why containers are less secure that virtual machine?
The correct answer is D. A compromise container may cause a CPU starvation of the host.. Containers share the host OS kernel rather than running isolated OS instances, so a compromised container can affect host-level resources such as CPU in ways a VM cannot.
Question
Why containers are less secure that virtual machine?
Options
- AHost OS on containers has a larger surface attack.
- BContainers are attached to the same virtual network.
- CContainers may fulfill disk space of the host.
- DA compromise container may cause a CPU starvation of the host.
How the community answered
(25 responses)- A8% (2)
- B16% (4)
- C4% (1)
- D72% (18)
Why each option
Containers share the host OS kernel rather than running isolated OS instances, so a compromised container can affect host-level resources such as CPU in ways a VM cannot.
Containers do not expose a larger host OS attack surface than VMs - they actually reduce OS-layer exposure by eliminating guest OS stacks, though they do share the host kernel.
Attachment to a shared virtual network is a configurable property common to both containers and VMs and is not an inherent security disadvantage unique to containers.
Disk space exhaustion is a resource management concern that can be mitigated with storage quotas on both containers and VMs and does not represent a security weakness specific to containers.
Because containers share the host OS kernel and lack the strict resource isolation enforced by a hypervisor, a compromised or malicious container can consume excessive CPU cycles and starve the host and co-located containers of processing resources. This type of denial-of-service impact on the host is not possible with fully isolated VMs because the hypervisor enforces hard resource boundaries between guest and host.
Concept tested: Container vs VM isolation and host resource security
Source: https://csrc.nist.gov/publications/detail/sp/800-190/final
Topics
Community Discussion
No community discussion yet for this question.