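@comment{
  Kim, Kim and Lee, IEEE CLOUD 2021: Prof-gen, automatic generation of a
  restrictive seccomp system call policy for a container from its image and
  run command (static binary analysis plus dynamic analysis), evaluated
  against Confine on 120 official images.

  Cleanup applied to the exported record:
  - The note field had unrelated 1986 funding/reprint text (a Polish
    gastroenterology grant and an AGA copyright line) merged in by the export;
    only the IEEE copyright and conference details belong to this entry and
    are kept.
  - The bare "%" in the abstract is escaped, otherwise a style that prints
    the abstract would treat the rest of that line as a LaTeX comment.
  - The tool name in the title is braced so sentence-casing styles keep
    "Prof-gen"; the remaining words are left to the style.
  - Author and editor names are in unambiguous "Last, First" form; the editor
    surname "Daminai" is corrected to "Damiani".
  - The citation key is kept unchanged so existing citations still resolve.
}
@inproceedings{f13f53476fc240e0b8ecbe1b8158e892,
  title     = {{Prof-gen}: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction},
  author    = {Kim, Sungjin and Kim, Byung Joon and Lee, Dong Hoon},
  editor    = {Ardagna, Claudio Agostino and Chang, Carl K. and Damiani, Ernesto and Ranjan, Rajiv and Wang, Zhongjie and Ward, Robert and Zhang, Jia and Zhang, Wensheng},
  booktitle = {Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021},
  series    = {IEEE International Conference on Cloud Computing, CLOUD},
  publisher = {IEEE Computer Society},
  year      = {2021},
  month     = sep,
  pages     = {278--287},
  doi       = {10.1109/CLOUD53861.2021.00041},
  language  = {English},
  keywords  = {container security, seccomp, static binary analysis},
  abstract  = {Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow the minimum number of system calls required by individual containers, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen that automatically creates a restrictive system call policy using static binary analysis and dynamic analysis without any prior knowledge. The tool only requires a container image and a run command. We compared the created system call policy with the results of Confine, a recent study for container attack surface reduction. For 120 official images, Prof-gen reduced the attack surface by 20.2\% compared to Confine. All the test containers that applied the profile generated in the application-specific tests ran without failure.},
  note      = {Publisher Copyright: {\textcopyright} 2021 IEEE. 14th IEEE International Conference on Cloud Computing, CLOUD 2021; Conference date: 05-09-2021 Through 11-09-2021},
}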