Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction

Sungjin Kim; Byung Joon Kim; Dong Hoon Lee

doi:10.1109/CLOUD53861.2021.00041

Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction

Sungjin Kim, Byung Joon Kim, Dong Hoon Lee

School of Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow the minimum number of system calls required by individual containers, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen that automatically creates a restrictive system call policy using static binary analysis and dynamic analysis without any prior knowledge. The tool only requires a container image and a run command. We compared the created system call policy with the results of Confine, a recent study for container attack surface reduction. For 120 official images, Prof-gen reduced the attack surface by 20.2% compared to Confine. All the test containers that applied the profile generated in the application-specific tests ran without failure.

Original language	English
Title of host publication	Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021
Editors	Claudio Agostino Ardagna, Carl K. Chang, Ernesto Daminai, Rajiv Ranjan, Zhongjie Wang, Robert Ward, Jia Zhang, Wensheng Zhang
Publisher	IEEE Computer Society
Pages	278-287
Number of pages	10
ISBN (Electronic)	9781665400602
DOIs	https://doi.org/10.1109/CLOUD53861.2021.00041
Publication status	Published - 2021 Sept
Event	14th IEEE International Conference on Cloud Computing, CLOUD 2021 - Virtual, Online, United States Duration: 2021 Sept 5 → 2021 Sept 11

Publication series

Name	IEEE International Conference on Cloud Computing, CLOUD
Volume	2021-September
ISSN (Print)	2159-6182
ISSN (Electronic)	2159-6190

Conference

Conference	14th IEEE International Conference on Cloud Computing, CLOUD 2021
Country/Territory	United States
City	Virtual, Online
Period	21/9/5 → 21/9/11

Bibliographical note

Funding Information:
Received June 19, 1986. Accepted November 4,1986. Address requests for reprints to: Prof. Dr. S. J. Konturek, Institute of Physiology, 31-531 Krakow, ul. Grzegorzecka 16, Poland. This study was supported in part by research grant 501/C/5/M from the Polish Academy of Science. © 1987 by the American Gastroenterological Association 0016-5085/87/$3.50

Publisher Copyright:
© 2021 IEEE.

Keywords

container security
seccomp
static binary analysis

ASJC Scopus subject areas

Artificial Intelligence
Information Systems
Software

Access to Document

10.1109/CLOUD53861.2021.00041

Cite this

Kim, S., Kim, B. J., & Lee, D. H. (2021). Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction. In C. A. Ardagna, C. K. Chang, E. Daminai, R. Ranjan, Z. Wang, R. Ward, J. Zhang, & W. Zhang (Eds.), Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021 (pp. 278-287). (IEEE International Conference on Cloud Computing, CLOUD; Vol. 2021-September). IEEE Computer Society. https://doi.org/10.1109/CLOUD53861.2021.00041

Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction. / Kim, Sungjin; Kim, Byung Joon; Lee, Dong Hoon.
Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021. ed. / Claudio Agostino Ardagna; Carl K. Chang; Ernesto Daminai; Rajiv Ranjan; Zhongjie Wang; Robert Ward; Jia Zhang; Wensheng Zhang. IEEE Computer Society, 2021. p. 278-287 (IEEE International Conference on Cloud Computing, CLOUD; Vol. 2021-September).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, S, Kim, BJ & Lee, DH 2021, Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction. in CA Ardagna, CK Chang, E Daminai, R Ranjan, Z Wang, R Ward, J Zhang & W Zhang (eds), Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021. IEEE International Conference on Cloud Computing, CLOUD, vol. 2021-September, IEEE Computer Society, pp. 278-287, 14th IEEE International Conference on Cloud Computing, CLOUD 2021, Virtual, Online, United States, 21/9/5. https://doi.org/10.1109/CLOUD53861.2021.00041

Kim S, Kim BJ, Lee DH. Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction. In Ardagna CA, Chang CK, Daminai E, Ranjan R, Wang Z, Ward R, Zhang J, Zhang W, editors, Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021. IEEE Computer Society. 2021. p. 278-287. (IEEE International Conference on Cloud Computing, CLOUD). doi: 10.1109/CLOUD53861.2021.00041

Kim, Sungjin ; Kim, Byung Joon ; Lee, Dong Hoon. / Prof-gen : Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction. Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021. editor / Claudio Agostino Ardagna ; Carl K. Chang ; Ernesto Daminai ; Rajiv Ranjan ; Zhongjie Wang ; Robert Ward ; Jia Zhang ; Wensheng Zhang. IEEE Computer Society, 2021. pp. 278-287 (IEEE International Conference on Cloud Computing, CLOUD).

@inproceedings{f13f53476fc240e0b8ecbe1b8158e892,

title = "Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction",

abstract = "Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow the minimum number of system calls required by individual containers, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen that automatically creates a restrictive system call policy using static binary analysis and dynamic analysis without any prior knowledge. The tool only requires a container image and a run command. We compared the created system call policy with the results of Confine, a recent study for container attack surface reduction. For 120 official images, Prof-gen reduced the attack surface by 20.2% compared to Confine. All the test containers that applied the profile generated in the application-specific tests ran without failure. ",

keywords = "container security, seccomp, static binary analysis",

author = "Sungjin Kim and Kim, {Byung Joon} and Lee, {Dong Hoon}",

note = "Funding Information: Received June 19, 1986. Accepted November 4,1986. Address requests for reprints to: Prof. Dr. S. J. Konturek, Institute of Physiology, 31-531 Krakow, ul. Grzegorzecka 16, Poland. This study was supported in part by research grant 501/C/5/M from the Polish Academy of Science. {\textcopyright} 1987 by the American Gastroenterological Association 0016-5085/87/$3.50 Publisher Copyright: {\textcopyright} 2021 IEEE.; 14th IEEE International Conference on Cloud Computing, CLOUD 2021 ; Conference date: 05-09-2021 Through 11-09-2021",

year = "2021",

month = sep,

doi = "10.1109/CLOUD53861.2021.00041",

language = "English",

series = "IEEE International Conference on Cloud Computing, CLOUD",

publisher = "IEEE Computer Society",

pages = "278--287",

editor = "Ardagna, {Claudio Agostino} and Chang, {Carl K.} and Ernesto Daminai and Rajiv Ranjan and Zhongjie Wang and Robert Ward and Jia Zhang and Wensheng Zhang",

booktitle = "Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021",

}

TY - GEN

T1 - Prof-gen

T2 - 14th IEEE International Conference on Cloud Computing, CLOUD 2021

AU - Kim, Sungjin

AU - Kim, Byung Joon

AU - Lee, Dong Hoon

N1 - Funding Information: Received June 19, 1986. Accepted November 4,1986. Address requests for reprints to: Prof. Dr. S. J. Konturek, Institute of Physiology, 31-531 Krakow, ul. Grzegorzecka 16, Poland. This study was supported in part by research grant 501/C/5/M from the Polish Academy of Science. © 1987 by the American Gastroenterological Association 0016-5085/87/$3.50 Publisher Copyright: © 2021 IEEE.

PY - 2021/9

Y1 - 2021/9

N2 - Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow the minimum number of system calls required by individual containers, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen that automatically creates a restrictive system call policy using static binary analysis and dynamic analysis without any prior knowledge. The tool only requires a container image and a run command. We compared the created system call policy with the results of Confine, a recent study for container attack surface reduction. For 120 official images, Prof-gen reduced the attack surface by 20.2% compared to Confine. All the test containers that applied the profile generated in the application-specific tests ran without failure.

AB - Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow the minimum number of system calls required by individual containers, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen that automatically creates a restrictive system call policy using static binary analysis and dynamic analysis without any prior knowledge. The tool only requires a container image and a run command. We compared the created system call policy with the results of Confine, a recent study for container attack surface reduction. For 120 official images, Prof-gen reduced the attack surface by 20.2% compared to Confine. All the test containers that applied the profile generated in the application-specific tests ran without failure.

KW - container security

KW - seccomp

KW - static binary analysis

UR - http://www.scopus.com/inward/record.url?scp=85119354957&partnerID=8YFLogxK

U2 - 10.1109/CLOUD53861.2021.00041

DO - 10.1109/CLOUD53861.2021.00041

M3 - Conference contribution

AN - SCOPUS:85119354957

T3 - IEEE International Conference on Cloud Computing, CLOUD

SP - 278

EP - 287

BT - Proceedings - 2021 IEEE 14th International Conference on Cloud Computing, CLOUD 2021

A2 - Ardagna, Claudio Agostino

A2 - Chang, Carl K.

A2 - Daminai, Ernesto

A2 - Ranjan, Rajiv

A2 - Wang, Zhongjie

A2 - Ward, Robert

A2 - Zhang, Jia

A2 - Zhang, Wensheng

PB - IEEE Computer Society

Y2 - 5 September 2021 through 11 September 2021

ER -

Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this