Secure Namespaced Kernel Audit for Containers
Soo Yee Lim, Bogdan Stelea, Xueyuan Han, Thomas Pasquier

TL;DR
This paper introduces saBPF, a secure, container-specific audit framework built on eBPF, enabling high-fidelity security logs and intrusion detection in containerized environments with practical deployment and performance comparable to kernel-level systems.
Contribution
saBPF extends eBPF to provide secure, high-fidelity audit mechanisms at the container level, addressing deployment and performance challenges of existing system-wide solutions.
Findings
saBPF achieves performance comparable to kernel-level audit systems
It enables high-fidelity container logs for security analysis
Demonstrated effective intrusion detection and access control in Kubernetes
Abstract
Despite the wide usage of container-based cloud computing, container auditing for security analysis relies mostly on built-in host audit systems, which often lack the ability to capture high-fidelity container logs. State-of-the-art reference-monitor-based audit techniques greatly improve the quality of audit logs, but their system-wide architecture is too costly to be adapted for individual containers. Moreover, these techniques typically require extensive kernel modifications, making them difficult to deploy in practical settings. In this paper, we present saBPF (secure audit BPF), an extension of the eBPF framework capable of deploying secure system-level audit mechanisms at the container granularity. We demonstrate the practicality of saBPF in Kubernetes by designing an audit framework, an intrusion detection system, and a lightweight access control mechanism. We evaluate saBPF…
Taxonomy
Topics: Network Security and Intrusion Detection · Security and Verification in Computing · Software System Performance and Reliability
