On the Value of Sequence-Based System Call Filtering for Container Security

Somin Song; Sahil Suneja; Michael V. Le; Byungchul Tak

doi:10.1109/CLOUD60044.2023.00043

On the Value of Sequence-Based System Call Filtering for Container Security

Somin Song, Sahil Suneja, Michael V. Le, Byungchul Tak

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

One critical attack that exploits kernel vulnerabilities through system call invocations is considered a serious threat to container security since it results in the privilege escalation followed by the infamous container escape. The seccomp kernel feature provides the first line of defense against it. Further, secure container runtimes such as gVisor also make use of it to strengthen security. However, it is known to be brittle since it operates at the granularity of the individual system call. Inadvertent filtering of necessary system calls may inhibit the correct execution while overly generous rules allow the attacks. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we built a software tool, Nimos, that performs a combination of static and dynamic analyses of exploit codes in an automated way and investigated the existence of such commonly occurring system call sequences. Then, we analyzed the expected defensive power from applying the sequence-based filtering mechanisms using a large set of collected kernel vulnerabilities to assess the feasibility. We found that there exist a significant number and forms of commonly appearing system call sequences that can be used as a clear signature of the class of attacks. We characterize these common system call sequences that exist among the exploit codes and evaluate the expected effectiveness of a sequence-based system call filtering mechanism for containers.

Original language	English
Title of host publication	Proceedings - 2023 IEEE 16th International Conference on Cloud Computing, CLOUD 2023
Editors	Claudio Ardagna, Nimanthi Atukorala, Pete Beckman, Carl K. Chang, Rong N. Chang, Constantinos Evangelinos, Jing Fan, Geoffrey C. Fox, Judy Fox, Christoph Hagleitner, Zhi Jin, Tevfik Kosar, Manish Parashar
Publisher	IEEE Computer Society
Pages	296-307
Number of pages	12
ISBN (Electronic)	9798350304817
DOIs	https://doi.org/10.1109/CLOUD60044.2023.00043
State	Published - 2023
Event	16th IEEE International Conference on Cloud Computing, CLOUD 2023 - Hybrid, Chicago, United States Duration: 2 Jul 2023 → 8 Jul 2023

Publication series

Name	IEEE International Conference on Cloud Computing, CLOUD
Volume	2023-July
ISSN (Print)	2159-6182
ISSN (Electronic)	2159-6190

Conference

Conference	16th IEEE International Conference on Cloud Computing, CLOUD 2023
Country/Territory	United States
City	Hybrid, Chicago
Period	2/07/23 → 8/07/23

Keywords

Linux kernel vulnerability
Linux security
container security
seccomp
system call sequence pattern

Access to Document

10.1109/CLOUD60044.2023.00043

Cite this

Song, S., Suneja, S., Le, M. V., & Tak, B. (2023). On the Value of Sequence-Based System Call Filtering for Container Security. In C. Ardagna, N. Atukorala, P. Beckman, C. K. Chang, R. N. Chang, C. Evangelinos, J. Fan, G. C. Fox, J. Fox, C. Hagleitner, Z. Jin, T. Kosar, & M. Parashar (Eds.), Proceedings - 2023 IEEE 16th International Conference on Cloud Computing, CLOUD 2023 (pp. 296-307). (IEEE International Conference on Cloud Computing, CLOUD; Vol. 2023-July). IEEE Computer Society. https://doi.org/10.1109/CLOUD60044.2023.00043

Song, Somin ; Suneja, Sahil ; Le, Michael V. et al. / On the Value of Sequence-Based System Call Filtering for Container Security. Proceedings - 2023 IEEE 16th International Conference on Cloud Computing, CLOUD 2023. editor / Claudio Ardagna ; Nimanthi Atukorala ; Pete Beckman ; Carl K. Chang ; Rong N. Chang ; Constantinos Evangelinos ; Jing Fan ; Geoffrey C. Fox ; Judy Fox ; Christoph Hagleitner ; Zhi Jin ; Tevfik Kosar ; Manish Parashar. IEEE Computer Society, 2023. pp. 296-307 (IEEE International Conference on Cloud Computing, CLOUD).

@inproceedings{ab79381a8ad54fa1bc61a843a1131919,

title = "On the Value of Sequence-Based System Call Filtering for Container Security",

abstract = "One critical attack that exploits kernel vulnerabilities through system call invocations is considered a serious threat to container security since it results in the privilege escalation followed by the infamous container escape. The seccomp kernel feature provides the first line of defense against it. Further, secure container runtimes such as gVisor also make use of it to strengthen security. However, it is known to be brittle since it operates at the granularity of the individual system call. Inadvertent filtering of necessary system calls may inhibit the correct execution while overly generous rules allow the attacks. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we built a software tool, Nimos, that performs a combination of static and dynamic analyses of exploit codes in an automated way and investigated the existence of such commonly occurring system call sequences. Then, we analyzed the expected defensive power from applying the sequence-based filtering mechanisms using a large set of collected kernel vulnerabilities to assess the feasibility. We found that there exist a significant number and forms of commonly appearing system call sequences that can be used as a clear signature of the class of attacks. We characterize these common system call sequences that exist among the exploit codes and evaluate the expected effectiveness of a sequence-based system call filtering mechanism for containers.",

keywords = "Linux kernel vulnerability, Linux security, container security, seccomp, system call sequence pattern",

author = "Somin Song and Sahil Suneja and Le, {Michael V.} and Byungchul Tak",

note = "Publisher Copyright: {\textcopyright} 2023 IEEE.; 16th IEEE International Conference on Cloud Computing, CLOUD 2023 ; Conference date: 02-07-2023 Through 08-07-2023",

year = "2023",

doi = "10.1109/CLOUD60044.2023.00043",

language = "English",

series = "IEEE International Conference on Cloud Computing, CLOUD",

publisher = "IEEE Computer Society",

pages = "296--307",

editor = "Claudio Ardagna and Nimanthi Atukorala and Pete Beckman and Chang, {Carl K.} and Chang, {Rong N.} and Constantinos Evangelinos and Jing Fan and Fox, {Geoffrey C.} and Judy Fox and Christoph Hagleitner and Zhi Jin and Tevfik Kosar and Manish Parashar",

booktitle = "Proceedings - 2023 IEEE 16th International Conference on Cloud Computing, CLOUD 2023",

address = "United States",

}

Song, S, Suneja, S, Le, MV & Tak, B 2023, On the Value of Sequence-Based System Call Filtering for Container Security. in C Ardagna, N Atukorala, P Beckman, CK Chang, RN Chang, C Evangelinos, J Fan, GC Fox, J Fox, C Hagleitner, Z Jin, T Kosar & M Parashar (eds), Proceedings - 2023 IEEE 16th International Conference on Cloud Computing, CLOUD 2023. IEEE International Conference on Cloud Computing, CLOUD, vol. 2023-July, IEEE Computer Society, pp. 296-307, 16th IEEE International Conference on Cloud Computing, CLOUD 2023, Hybrid, Chicago, United States, 2/07/23. https://doi.org/10.1109/CLOUD60044.2023.00043

On the Value of Sequence-Based System Call Filtering for Container Security. / Song, Somin; Suneja, Sahil; Le, Michael V. et al.
Proceedings - 2023 IEEE 16th International Conference on Cloud Computing, CLOUD 2023. ed. / Claudio Ardagna; Nimanthi Atukorala; Pete Beckman; Carl K. Chang; Rong N. Chang; Constantinos Evangelinos; Jing Fan; Geoffrey C. Fox; Judy Fox; Christoph Hagleitner; Zhi Jin; Tevfik Kosar; Manish Parashar. IEEE Computer Society, 2023. p. 296-307 (IEEE International Conference on Cloud Computing, CLOUD; Vol. 2023-July).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - On the Value of Sequence-Based System Call Filtering for Container Security

AU - Song, Somin

AU - Suneja, Sahil

AU - Le, Michael V.

AU - Tak, Byungchul

PY - 2023

Y1 - 2023

N2 - One critical attack that exploits kernel vulnerabilities through system call invocations is considered a serious threat to container security since it results in the privilege escalation followed by the infamous container escape. The seccomp kernel feature provides the first line of defense against it. Further, secure container runtimes such as gVisor also make use of it to strengthen security. However, it is known to be brittle since it operates at the granularity of the individual system call. Inadvertent filtering of necessary system calls may inhibit the correct execution while overly generous rules allow the attacks. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we built a software tool, Nimos, that performs a combination of static and dynamic analyses of exploit codes in an automated way and investigated the existence of such commonly occurring system call sequences. Then, we analyzed the expected defensive power from applying the sequence-based filtering mechanisms using a large set of collected kernel vulnerabilities to assess the feasibility. We found that there exist a significant number and forms of commonly appearing system call sequences that can be used as a clear signature of the class of attacks. We characterize these common system call sequences that exist among the exploit codes and evaluate the expected effectiveness of a sequence-based system call filtering mechanism for containers.

AB - One critical attack that exploits kernel vulnerabilities through system call invocations is considered a serious threat to container security since it results in the privilege escalation followed by the infamous container escape. The seccomp kernel feature provides the first line of defense against it. Further, secure container runtimes such as gVisor also make use of it to strengthen security. However, it is known to be brittle since it operates at the granularity of the individual system call. Inadvertent filtering of necessary system calls may inhibit the correct execution while overly generous rules allow the attacks. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we built a software tool, Nimos, that performs a combination of static and dynamic analyses of exploit codes in an automated way and investigated the existence of such commonly occurring system call sequences. Then, we analyzed the expected defensive power from applying the sequence-based filtering mechanisms using a large set of collected kernel vulnerabilities to assess the feasibility. We found that there exist a significant number and forms of commonly appearing system call sequences that can be used as a clear signature of the class of attacks. We characterize these common system call sequences that exist among the exploit codes and evaluate the expected effectiveness of a sequence-based system call filtering mechanism for containers.

KW - Linux kernel vulnerability

KW - Linux security

KW - container security

KW - seccomp

KW - system call sequence pattern

UR - http://www.scopus.com/inward/record.url?scp=85174258930&partnerID=8YFLogxK

U2 - 10.1109/CLOUD60044.2023.00043

DO - 10.1109/CLOUD60044.2023.00043

M3 - Conference contribution

AN - SCOPUS:85174258930

T3 - IEEE International Conference on Cloud Computing, CLOUD

SP - 296

EP - 307

BT - Proceedings - 2023 IEEE 16th International Conference on Cloud Computing, CLOUD 2023

A2 - Ardagna, Claudio

A2 - Atukorala, Nimanthi

A2 - Beckman, Pete

A2 - Chang, Carl K.

A2 - Chang, Rong N.

A2 - Evangelinos, Constantinos

A2 - Fan, Jing

A2 - Fox, Geoffrey C.

A2 - Fox, Judy

A2 - Hagleitner, Christoph

A2 - Jin, Zhi

A2 - Kosar, Tevfik

A2 - Parashar, Manish

PB - IEEE Computer Society

T2 - 16th IEEE International Conference on Cloud Computing, CLOUD 2023

Y2 - 2 July 2023 through 8 July 2023

ER -

Song S, Suneja S, Le MV, Tak B. On the Value of Sequence-Based System Call Filtering for Container Security. In Ardagna C, Atukorala N, Beckman P, Chang CK, Chang RN, Evangelinos C, Fan J, Fox GC, Fox J, Hagleitner C, Jin Z, Kosar T, Parashar M, editors, Proceedings - 2023 IEEE 16th International Conference on Cloud Computing, CLOUD 2023. IEEE Computer Society. 2023. p. 296-307. (IEEE International Conference on Cloud Computing, CLOUD). doi: 10.1109/CLOUD60044.2023.00043

On the Value of Sequence-Based System Call Filtering for Container Security

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this