Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction

Sungjin Kim, Byung Joon Kim, Dong Hoon Lee

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

    9 Citations (Scopus)

    Abstract

    Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow only the minimum set of system calls required by each individual container, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen, which automatically creates a restrictive system call policy using static binary analysis and dynamic analysis without any prior knowledge. The tool only requires a container image and a run command. We compared the created system call policy with the results of Confine, a recent study on container attack surface reduction. For 120 official images, Prof-gen reduced the attack surface by 20.2% compared to Confine. In the application-specific tests, all the test containers that applied the generated profile ran without failure.

    Original language: English
    Title of host publication: Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021
    Editors: Claudio Agostino Ardagna, Carl K. Chang, Ernesto Damiani, Rajiv Ranjan, Zhongjie Wang, Robert Ward, Jia Zhang, Wensheng Zhang
    Publisher: IEEE Computer Society
    Pages: 278-287
    Number of pages: 10
    ISBN (Electronic): 9781665400602
    DOIs
    Publication status: Published - 2021 Sept
    Event: 14th IEEE International Conference on Cloud Computing, CLOUD 2021 - Virtual, Online, United States
    Duration: 2021 Sept 5 to 2021 Sept 11

    Publication series

    Name: IEEE International Conference on Cloud Computing, CLOUD
    Volume: 2021-September
    ISSN (Print): 2159-6182
    ISSN (Electronic): 2159-6190

    Conference

    Conference: 14th IEEE International Conference on Cloud Computing, CLOUD 2021
    Country/Territory: United States
    City: Virtual, Online
    Period: 21/9/5 to 21/9/11

    Bibliographical note

    Publisher Copyright:
    © 2021 IEEE.

    Keywords

    • container security
    • seccomp
    • static binary analysis

    ASJC Scopus subject areas

    • Artificial Intelligence
    • Information Systems
    • Software
