Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction

Sungjin Kim, Byung Joon Kim, Dong Hoon Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)

Abstract

Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow the minimum number of system calls required by individual containers, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen that automatically creates a restrictive system call policy using static binary analysis and dynamic analysis without any prior knowledge. The tool only requires a container image and a run command. We compared the created system call policy with the results of Confine, a recent study for container attack surface reduction. For 120 official images, Prof-gen reduced the attack surface by 20.2% compared to Confine. All the test containers that applied the profile generated in the application-specific tests ran without failure.

Original languageEnglish
Title of host publicationProceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021
EditorsClaudio Agostino Ardagna, Carl K. Chang, Ernesto Daminai, Rajiv Ranjan, Zhongjie Wang, Robert Ward, Jia Zhang, Wensheng Zhang
PublisherIEEE Computer Society
Pages278-287
Number of pages10
ISBN (Electronic)9781665400602
DOIs
Publication statusPublished - 2021 Sept
Event14th IEEE International Conference on Cloud Computing, CLOUD 2021 - Virtual, Online, United States
Duration: 2021 Sept 52021 Sept 11

Publication series

NameIEEE International Conference on Cloud Computing, CLOUD
Volume2021-September
ISSN (Print)2159-6182
ISSN (Electronic)2159-6190

Conference

Conference14th IEEE International Conference on Cloud Computing, CLOUD 2021
Country/TerritoryUnited States
CityVirtual, Online
Period21/9/521/9/11

Keywords

  • container security
  • seccomp
  • static binary analysis

ASJC Scopus subject areas

  • Artificial Intelligence
  • Information Systems
  • Software

Fingerprint

Dive into the research topics of 'Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction'. Together they form a unique fingerprint.

Cite this