Abstract
Linux containers have recently gained popularity as an operating-system-level virtualization approach for running multiple isolated OS distributions on a control host or for deploying large-scale microservice-based applications in the cloud. The wide adoption of containers as an application deployment platform also attracts attackers' attention. Since system calls are the entry points through which processes trap into the kernel, the Linux seccomp filter has been integrated into popular container management tools such as Docker to constrain the system calls available to a container. However, Docker lacks a method to obtain and customize the set of system calls a given application actually needs. Moreover, we observe that a number of system calls are used only during the short-term booting phase and can be safely removed from the long-term running phase of a given application container. In this paper, we propose a container security mechanism called SPEAKER that dramatically reduces the number of system calls available to a given application container by customizing and differentiating the system calls it needs in two execution phases, namely the booting phase and the running phase. For a given application container, we first separate its execution into a booting phase and a running phase and then trace the system calls invoked in each phase. Second, we extend the Linux seccomp filter to dynamically update the available system calls when the application transitions from the booting phase into the running phase. Our mechanism is non-intrusive to the application running in the container. We evaluate SPEAKER on popular web server and data store containers from Docker Hub, and the experimental results show that it reduces the system calls available in the running phase by more than 50% for the data store containers and by more than 35% for the web server containers, with negligible performance overhead.
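As an added illustration of the split-phase idea (not the paper's code), the following Python derives the two phase-specific syscall sets from constructed strace-style traces, reports the boot-only syscalls that the running-phase filter can drop, and emits a Docker seccomp profile in the defaultAction/syscalls format. The traces, the function names and the x86_64-only architecture list are assumptions; the reduction figure is computed relative to the booting-phase set, which is not necessarily the baseline the paper uses.

```python
import json
import re

# Constructed strace-style traces (not from the paper) of one web server container,
# split the way SPEAKER does: a short booting phase and the long-running phase.
BOOT_TRACE = """\
execve("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"], 0x7ffd1) = 0
openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
read(3, "user nginx;\\n"..., 4096) = 643
setgid(101) = 0
setuid(101) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(80)}, 16) = 0
listen(4, 511) = 0
"""
RUN_TRACE = """\
epoll_wait(5, [{EPOLLIN, {u32=4}}], 512, -1) = 1
accept4(4, {sa_family=AF_INET, sin_port=htons(51234)}, [16], SOCK_NONBLOCK) = 6
read(6, "GET / HTTP/1.1\\r\\n"..., 1024) = 78
openat(AT_FDCWD, "/usr/share/nginx/html/index.html", O_RDONLY) = 7
sendfile(6, 7, NULL, 612) = 612
close(7) = 0
write(8, "10.0.0.1 - - GET / 200"..., 48) = 48
"""

SYSCALL_RE = re.compile(r"^(\w+)\(")  # syscall name at the start of each strace line

def syscalls_in(trace):
    """Set of distinct syscall names invoked in a strace-style trace."""
    return {m.group(1) for line in trace.splitlines() if (m := SYSCALL_RE.match(line))}

def boot_only_syscalls(boot_trace, run_trace):
    """Syscalls used while booting but never while running; the filter can drop them in the running phase."""
    return syscalls_in(boot_trace) - syscalls_in(run_trace)

def running_phase_reduction(boot_trace, run_trace):
    """Share of the booting-phase syscall set that the running phase no longer needs."""
    boot = syscalls_in(boot_trace)
    return len(boot - syscalls_in(run_trace)) / len(boot)

def seccomp_profile(allowed):
    """Docker seccomp profile (defaultAction / syscalls[].names) allowing exactly `allowed`, EPERM otherwise."""
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}]}

if __name__ == "__main__":
    # Running-phase profile, loadable with: docker run --security-opt seccomp=run.json ...
    print(json.dumps(seccomp_profile(syscalls_in(RUN_TRACE)), indent=2))
```

With these traces six of the eight booting-phase syscalls (execve, setgid, setuid, socket, bind, listen) disappear from the running-phase profile, which is exactly the kind of boot-only privilege SPEAKER removes at the phase transition.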
Acknowledgments
We would like to thank our shepherd Andrea Lanzi and our anonymous reviewers for their valuable comments and suggestions. We would also like to thank Xianchen Meng, Chong Guan, Yue Li, and Shengye Wan for their feedback and advice. This work is partially supported by U.S. ONR grants N00014-16-1-3216 and N00014-16-1-3214, the National Basic Research Program of China under GA No. 2013CB338001 (973 Program), the National Key Research & Development Program of China under GA No. 2016YFB0800102, and a Cisco award.
© 2017 Springer International Publishing AG
Lei, L. et al. (2017). SPEAKER: Split-Phase Execution of Application Containers. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science, vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_11
DOI: https://doi.org/10.1007/978-3-319-60876-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60875-4
Online ISBN: 978-3-319-60876-1