SecQuant: Quantifying Container System Call Exposure

Sunwoo Jang, Somin Song, Byungchul Tak, Sahil Suneja, Michael V V. Le, Chuan Yue, Dan Williams

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

6 Scopus citations

Abstract

Despite their maturity and popularity, security remains a critical concern in container adoption. To address this concern, secure container runtimes have emerged, offering superior guest isolation, as well as host protection, via system call policing through the surrogate kernel layer. Whether or not an adversary can bypass this protection depends on the effectiveness of the system call policy being enforced by the container runtime. In this work, we propose a novel method to quantify this container system call exposure. Our technique combines the analysis of a large number of exploit codes with comprehensive experiments designed to uncover the syscall pass-through behaviors of container runtimes. Our exploit code analysis uses information retrieval techniques to rank system calls by their risk weights. Our study shows that secure container runtimes are about 4.2 to 7.5 times more secure than others, using our novel quantification metric. We additionally uncover changing security trends across a 4.5 year version history of the container runtimes.

Original languageEnglish
Title of host publicationComputer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
EditorsVijayalakshmi Atluri, Roberto Di Pietro, Christian D. Jensen, Weizhi Meng
PublisherSpringer Science and Business Media Deutschland GmbH
Pages145-166
Number of pages22
ISBN (Print)9783031171451
DOIs
StatePublished - 2022
Event27th European Symposium on Research in Computer Security, ESORICS 2022 - Virtual, Online
Duration: 26 Sep 202230 Sep 2022

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13555 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference27th European Symposium on Research in Computer Security, ESORICS 2022
CityVirtual, Online
Period26/09/2230/09/22

Keywords

  • Container escape
  • Exploit code analysis
  • Secure container runtime
  • Security quantification
  • System call

Fingerprint

Dive into the research topics of 'SecQuant: Quantifying Container System Call Exposure'. Together they form a unique fingerprint.

Cite this