Mining Sandboxes for Linux Containers
Zhiyuan Wan, David Lo, Xin Xia, Liang Cai, and Shanping Li
TL;DR
This paper proposes a method to automatically mine security sandboxes for Linux containers by analyzing their system call behaviors, significantly reducing attack surfaces with minimal performance impact.
Contribution
It introduces an automated approach to generate container sandboxes based on observed system call behaviors, enhancing container security.
Findings
Mining each sandbox takes less than eleven minutes.
Enforced sandboxes do not affect container functionality.
Performance overhead is low.
Abstract
A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. The set of system calls then results as a sandbox of the container. The mined sandbox restricts the container's access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine sandbox for each of the containers. The enforcement of mined sandboxes does not impact the regular functionality of a container and incurs low performance overhead.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.