DOI: 10.1007/978-3-031-17146-8_8
Article

SecQuant: Quantifying Container System Call Exposure

Published: 26 September 2022

Abstract

Despite their maturity and popularity, security remains a critical concern in container adoption. To address this concern, secure container runtimes have emerged, offering superior guest isolation, as well as host protection, via system call policing through the surrogate kernel layer. Whether or not an adversary can bypass this protection depends on the effectiveness of the system call policy being enforced by the container runtime. In this work, we propose a novel method to quantify this container system call exposure. Our technique combines the analysis of a large number of exploit codes with comprehensive experiments designed to uncover the syscall pass-through behaviors of container runtimes. Our exploit code analysis uses information retrieval techniques to rank system calls by their risk weights. Our study shows that secure container runtimes are about 4.2 to 7.5 times more secure than others, using our novel quantification metric. We additionally uncover changing security trends across a 4.5 year version history of the container runtimes.


Cited By

  • Protect the System Call, Protect (Most of) the World with BASTION. Proceedings of the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 3, pp. 528-541. DOI: 10.1145/3582016.3582066. Online publication date: 25 Mar 2023.
  • Securing Container-based Clouds with Syscall-aware Scheduling. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 812-826. DOI: 10.1145/3579856.3582835. Online publication date: 10 Jul 2023.

Published In

Computer Security – ESORICS 2022: 27th European Symposium on Research in Computer Security, Copenhagen, Denmark, September 26–30, 2022, Proceedings, Part II
Sep 2022
753 pages
ISBN: 978-3-031-17145-1
DOI: 10.1007/978-3-031-17146-8

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

  1. Secure container runtime
  2. Security quantification
  3. System call
  4. Container escape
  5. Exploit code analysis
