Abstract:Linux containers have recently gained more popularity as an operating system level virtualization approach for running multiple isolated OS distros on a control host or deploying large scale microservice-based applications in the cloud environment. The wide adoption of containers as an application deployment platform also attracts attackers’ attention. Since the system calls are the entry points for processes trapping into the kernel, Linux seccomp filter has been integrated into popular container management tools such as Docker to effectively constrain the system calls available to the container. However, Docker lacks a method to obtain and customize the set of necessary system calls for a given application. Moreover, we observe that a number of system calls are only used during the short-term booting phase and can be safely removed from the long-term running phase for a given application container. In this paper, we propose a container security mechanism called SPEAKER that can dramatically reduce the number of available system calls to a given application container by customizing and differentiating its necessary system calls at two different execution phases, namely, booting phase and running phase. For a given application container, we first separate its execution into booting phase and running phase and then trace the invoked system calls at these two phases, respectively. Second, we extend the Linux seccomp filter to dynamically update the available system calls when the application is running from the booting phase into the running phase. Our mechanism is non-intrusive to the application running in the container. We evaluate SPEAKER on the popular web server and data store containers from Docker hub, and the experimental results show that it can successfully reduce more than 50% and 35% system calls in the running phase for the data store containers and the web server containers, respectively, with negligible performance overhead.

SPEAKER: Split-Phase Execution of Application Containers

Houdini's Escape

Design and Implementation of SecPod, A Framework for Virtualization-Based Security Systems.

RSDS: Getting System Call Whitelist for Container Through Dynamic and Static Analysis

Shrinking the Kernel Attack Surface Through Static and Dynamic Syscall Limitation

SysCap: Profiling and Crosschecking Syscall and Capability Configurations for Docker Images

SWAT4J: Generating System Call Allowlist for Java Container Attack Surface Reduction

Practical and Effective Sandboxing for Linux Containers

A Lightweight Container Security Framework Adapted to the Power Cloud Platform

Programmable System Call Security with eBPF

Attacks are Forwarded: Breaking the Isolation of MicroVM-based Containers Through Operation Forwarding

Whispers Between The Containers: High-Capacity Covert Channel Attacks In Docker

Building Dynamic System Call Sandbox with Partial Order Analysis

BULKHEAD: Secure, Scalable, and Efficient Kernel Compartmentalization with PKS

Condo: Enhancing Container Isolation Through Kernel Permission Data Protection

A Secure Edge Power System Based on a Docker Container

TZ-Container: Protecting Container from Untrusted OS with ARM TrustZone

Container Performance and Vulnerability Management for Container Security Using Docker Engine

Container Introspection: Using External Management Containers to Monitor Containers in Cloud Computing

Towards Understanding and Defeating Abstract Resource Attacks for Container Platforms

Coda: Runtime Detection of Application-Layer CPU-Exhaustion DoS Attacks in Containers