Abstract
Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow only the minimum set of system calls that an individual container requires, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen, which automatically creates a restrictive system call policy using static binary analysis and dynamic analysis without any prior knowledge. The tool only requires a container image and a run command. We compared the created system call policy with the results of Confine, a recent study on container attack surface reduction. For 120 official images, Prof-gen reduced the attack surface by 20.2% compared to Confine. All test containers to which the generated profile was applied in the application-specific tests ran without failure.
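To make the approach in the abstract concrete, the following is an added example, not Prof-gen's code and not from the paper: it merges a set of syscall names assumed to come from static binary analysis with the names parsed from a dynamic trace, emits an allow-list seccomp profile in the Docker/OCI runtime-spec JSON format (everything not listed is denied with `SCMP_ACT_ERRNO`), and measures the allow-list reduction against a broader baseline profile. The syscall sets, the strace-style lines and the baseline are all constructed sample data; the helper names (`parse_strace`, `build_profile`, `is_allowed`, `reduction`) are this example's own.

```python
"""Build an allow-list seccomp profile from two evidence sources.

Added example, not Prof-gen's code. Static and dynamic syscall sets below
are constructed sample data, not output of any real analysis.
"""
import json
import re

# Constructed sample: syscall names a static pass might recover from the
# libc call sites of a container's binaries (hypothetical values).
STATIC_SYSCALLS = {"read", "write", "openat", "close", "mmap", "munmap",
                   "brk", "exit_group", "fstat", "rt_sigaction"}

# Constructed sample of strace-style output captured while running the
# container with its run command (hypothetical values).
DYNAMIC_TRACE = """\
execve("/usr/bin/app", ["app"], 0x7ffd... /* 10 vars */) = 0
brk(NULL) = 0x5581c000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
read(3, "\\177ELF...", 832) = 832
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(8080)}, 16) = 0
listen(4, 128) = 0
+++ exited with 0 +++
"""

# Constructed baseline: a coarser profile that also permits syscalls the
# workload never needs, standing in for a less precise policy.
BASELINE_SYSCALLS = STATIC_SYSCALLS | {
    "execve", "socket", "bind", "listen",
    "ptrace", "mount", "keyctl", "process_vm_readv", "kexec_load", "bpf",
}

# A syscall line in strace output starts with the syscall name followed
# by '('; lines such as '+++ exited with 0 +++' are skipped.
_SYSCALL_RE = re.compile(r"^([a-z_][a-z0-9_]*)\(")


def parse_strace(text):
    """Return the set of syscall names observed in strace-style output."""
    names = set()
    for line in text.splitlines():
        m = _SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def build_profile(static_set, dynamic_set, arch="SCMP_ARCH_X86_64"):
    """Union both evidence sources into a Docker/OCI seccomp profile.

    defaultAction SCMP_ACT_ERRNO denies any syscall not on the allow-list,
    so a missed syscall fails loudly with EPERM instead of silently.
    """
    allowed = sorted(static_set | dynamic_set)
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": allowed, "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(profile, syscall):
    """True if the profile would permit the named syscall."""
    return any(syscall in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW"
               for rule in profile["syscalls"])


def reduction(profile, baseline):
    """Percentage by which profile's allow-list is smaller than baseline's."""
    a = len(profile["syscalls"][0]["names"])
    b = len(baseline["syscalls"][0]["names"])
    return round(100.0 * (b - a) / b, 1)


if __name__ == "__main__":
    dynamic = parse_strace(DYNAMIC_TRACE)
    profile = build_profile(STATIC_SYSCALLS, dynamic)
    baseline = build_profile(BASELINE_SYSCALLS, set())
    print(json.dumps(profile, indent=2))
    print("allowed:", len(profile["syscalls"][0]["names"]),
          "reduction vs baseline: %.1f%%" % reduction(profile, baseline))
```

The JSON printed by the block can be passed to Docker with `--security-opt seccomp=<file>`; a syscall used only on an untested code path would then fail with EPERM, which is why the paper pairs static analysis (coverage of paths the dynamic run never exercised) with dynamic analysis (coverage of syscalls the static pass cannot resolve).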
Field | Value
---|---
Original language | English
Title of host publication | Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021
Editors | Claudio Agostino Ardagna, Carl K. Chang, Ernesto Damiani, Rajiv Ranjan, Zhongjie Wang, Robert Ward, Jia Zhang, Wensheng Zhang
Publisher | IEEE Computer Society
Pages | 278-287
Number of pages | 10
ISBN (Electronic) | 9781665400602
DOIs |
Publication status | Published - 2021 Sept
Event | 14th IEEE International Conference on Cloud Computing, CLOUD 2021 - Virtual, Online, United States; Duration: 2021 Sept 5 → 2021 Sept 11
Publication series

Field | Value
---|---
Name | IEEE International Conference on Cloud Computing, CLOUD
Volume | 2021-September
ISSN (Print) | 2159-6182
ISSN (Electronic) | 2159-6190
Conference

Field | Value
---|---
Conference | 14th IEEE International Conference on Cloud Computing, CLOUD 2021
Country/Territory | United States
City | Virtual, Online
Period | 21/9/5 → 21/9/11
Bibliographical note
Publisher Copyright: © 2021 IEEE.
Keywords
- container security
- seccomp
- static binary analysis
ASJC Scopus subject areas
- Artificial Intelligence
- Information Systems
- Software