Practical and effective sandboxing for Linux containers

A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through the system call interface. In this paper, we present an approach that mines sandboxes and enables fine-grained sandbox enforcement for containers. We first explore the behavior of a container by running test cases and monitor the accessed system calls, including types and arguments, during testing. We then characterize the types and arguments of system call invocations and translate them into sandbox rules for the container. The mined sandbox restricts the container's access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine a sandbox for each of the containers. The estimation of system call coverage of sandbox mining ranges from 96.4% to 99.8% across the containers under the limiting assumptions that the test cases are complete and only static system/application paths are used. The enforcement of mined sandboxes incurs low performance overhead. The mined sandboxes effectively reduce the attack surface of containers and can prevent the containers from security breaches in reality.
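The abstract describes the mining loop (run tests, record the system calls and their arguments, turn the observations into an allow-list) but not what the resulting rules look like. The script below is an added illustration, not the authors' tool: it parses a constructed `strace -f` excerpt, keeps every syscall name seen, characterises the first argument of `socket(2)` against a small constant table, and emits a Docker seccomp profile whose default action denies everything not observed. The trace text, the constant table and the `is_allowed` checker are all assumptions made for the example.

```python
"""Mine a Docker seccomp allow-list from the system calls a container makes
while running its test suite (hypothetical helper, not the paper's tool)."""
import json
import re
from collections import defaultdict

# Constructed `strace -f` excerpt standing in for a test run of a small HTTP
# server container; a real trace comes from `strace -f -o trace.txt <entrypoint>`.
SAMPLE_TRACE = """\
[pid  4711] execve("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"], 0x7ffd1 /* 12 vars */) = 0
[pid  4711] openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
[pid  4711] read(3, "worker_processes 1;"..., 4096) = 120
[pid  4711] close(3)                    = 0
[pid  4711] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
[pid  4711] bind(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[pid  4711] listen(4, 511)              = 0
[pid  4711] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 4712
[pid  4712] accept4(4,  <unfinished ...>
[pid  4711] wait4(-1,  <unfinished ...>
[pid  4712] <... accept4 resumed>{sa_family=AF_INET, sin_port=htons(51234)}, [16], SOCK_NONBLOCK) = 5
[pid  4712] recvfrom(5, "GET / HTTP/1.1"..., 1024, 0, NULL, NULL) = 78
[pid  4712] writev(5, [{iov_base="HTTP/1.1 200 OK"..., iov_len=238}], 1) = 238
[pid  4712] close(5)                    = 0
[pid  4712] exit_group(0)               = ?
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4712, si_status=0} ---
[pid  4711] <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4712
+++ exited with 0 +++
"""

SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?P<name>[a-z_][a-z0-9_]*)\((?P<args>.*)$")
RESUMED_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?<\.\.\. [a-z0-9_]+ resumed>")

# Constructed subset of socket(2) domain constants (x86-64 values); a real
# miner would take them from the kernel headers of the target platform.
SOCKET_DOMAINS = {"AF_UNIX": 1, "AF_INET": 2, "AF_INET6": 10}
# Syscalls whose arguments get characterised: name -> (argument index, table).
ARG_DECODERS = {"socket": (0, SOCKET_DOMAINS)}


def mine_trace(trace):
    """Return (set of observed syscall names, {syscall: {decoded arg values}})."""
    observed = set()
    raw_args = defaultdict(set)
    for line in trace.splitlines():
        line = line.strip()
        if not line or line.startswith("---") or line.startswith("+++"):
            continue  # signal delivery / process exit markers, not syscalls
        if RESUMED_RE.match(line):
            continue  # second half of an interrupted call, already counted
        m = SYSCALL_RE.match(line)
        if not m:
            raise ValueError("unrecognised trace line: " + line)
        name = m.group("name")
        observed.add(name)
        if name in ARG_DECODERS:
            index = ARG_DECODERS[name][0]
            fields = [a.strip() for a in m.group("args").split(",")]
            raw_args[name].add(fields[index] if index < len(fields) else "?")
    # Keep an argument constraint only when every observed value decodes;
    # otherwise allow the syscall unconstrained rather than over-restrict it.
    arg_values = {}
    for name, values in raw_args.items():
        table = ARG_DECODERS[name][1]
        if all(v in table for v in values):
            arg_values[name] = {table[v] for v in values}
    return observed, arg_values


def build_profile(observed, arg_values):
    """Translate the observations into a Docker seccomp profile (deny by default)."""
    plain = sorted(n for n in observed if n not in arg_values)
    rules = [{"names": plain, "action": "SCMP_ACT_ALLOW", "args": []}]
    for name in sorted(arg_values):
        index = ARG_DECODERS[name][0]
        for value in sorted(arg_values[name]):
            rules.append({"names": [name], "action": "SCMP_ACT_ALLOW",
                          "args": [{"index": index, "value": value,
                                    "valueTwo": 0, "op": "SCMP_CMP_EQ"}]})
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"], "syscalls": rules}


def is_allowed(profile, name, args=()):
    """Evaluate the profile the way the kernel filter would (SCMP_CMP_EQ only)."""
    for rule in profile["syscalls"]:
        if name not in rule["names"]:
            continue
        if all(c["index"] < len(args) and args[c["index"]] == c["value"]
               for c in rule["args"]):
            return rule["action"] == "SCMP_ACT_ALLOW"
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


if __name__ == "__main__":
    seen, constraints = mine_trace(SAMPLE_TRACE)
    print(json.dumps(build_profile(seen, constraints), indent=2))
```

The emitted JSON is applied with `docker run --security-opt seccomp=mined.json ...`. Two caveats follow directly from the abstract's coverage assumption: any code path the tests never exercised will fail with EPERM under the mined profile, so a staging run with `SCMP_ACT_LOG` as the default action (kernel 4.14 or later) before switching to `SCMP_ACT_ERRNO` is the safer rollout; and a trace of the workload alone does not capture the syscalls the container runtime's own init makes before the entrypoint runs, so a production profile has to be merged with those as well.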

Main Authors: WAN, Zhiyuan, LO, David, XIA, Xin, CAI, Liang
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2019
Subjects: Container; System call; Sandbox; Testing; Monitoring; Cloud computing; Docker; Seccomp; Programming Languages and Compilers; Software Engineering
Online Access:https://ink.library.smu.edu.sg/sis_research/4502
https://ink.library.smu.edu.sg/context/sis_research/article/5505/viewcontent/Practical_and_effective_sandboxing_for_Linux_containers.pdf
Institution: Singapore Management University
Record details
Record id: sg-smu-ink.sis_research-5505
Published online: 2019-07-04
DOI: 10.1007/s10664-019-09737-2
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems (InK@SMU, SMU Libraries, Singapore)