BEACON: Automatic Container Policy Generation using Environment-aware Dynamic Analysis

TL;DR

BeaCon is an innovative tool that automatically generates container security policies by using environment-aware dynamic analysis, improving security coverage while maintaining application functionality.

Contribution

It introduces a novel environment-aware dynamic analysis approach with heuristics and scoring to generate customizable container security policies.

Findings

Identifies 16.5% more syscalls through diverse environment simulation.

Effectively mitigates risks of 45 known vulnerabilities.

Reduces attack surface by blocking exploits in proof-of-concept tests.

Abstract

This paper introduces BeaCon, a novel tool for the automated generation of adjustable container security policies. Unlike prior approaches, BeaCon leverages dynamic analysis to simulate realistic environments, uncovering container execution paths that may remain hidden during the profiling phase. To address the challenge of exploring vast profiling spaces, we employ efficient heuristics to reveal additional system events with minimal effort. In addition, BeaCon incorporates a security and functionality scoring mechanism to prioritize system calls and capabilities based on their impact on the host OS kernel's security and the functionality of containerized applications. By integrating these scores, BeaCon achieves a customized balance between security and functionality, enabling cloud providers to enforce security measures while maintaining tenant availability. We implemented a prototype of BeaCon using eBPF kernel technology and conducted extensive evaluations. Results from the top 15 containers, which revealed significant improvements, demonstrate that BeaCon identifies an average of 16.5% additional syscalls by applying diverse environments. Furthermore, we evaluated its effectiveness in mitigating risks associated with 45 known vulnerabilities (e.g., CVEs), showcasing its potential to significantly enhance container security. Additionally, we performed proof-of-concept demonstrations for two well-known security vulnerabilities, showing that BeaCon successfully reduces attack surface by blocking these exploits.