TY - GEN
T1 - SecQuant
T2 - 27th European Symposium on Research in Computer Security, ESORICS 2022
AU - Jang, Sunwoo
AU - Song, Somin
AU - Tak, Byungchul
AU - Suneja, Sahil
AU - Le, Michael V V.
AU - Yue, Chuan
AU - Williams, Dan
N1 - Publisher Copyright:
© 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.
PY - 2022
Y1 - 2022
N2 - Despite their maturity and popularity, security remains a critical concern in container adoption. To address this concern, secure container runtimes have emerged, offering superior guest isolation, as well as host protection, via system call policing through the surrogate kernel layer. Whether or not an adversary can bypass this protection depends on the effectiveness of the system call policy being enforced by the container runtime. In this work, we propose a novel method to quantify this container system call exposure. Our technique combines the analysis of a large number of exploit codes with comprehensive experiments designed to uncover the syscall pass-through behaviors of container runtimes. Our exploit code analysis uses information retrieval techniques to rank system calls by their risk weights. Our study shows that secure container runtimes are about 4.2 to 7.5 times more secure than others, using our novel quantification metric. We additionally uncover changing security trends across a 4.5 year version history of the container runtimes.
AB - Despite their maturity and popularity, security remains a critical concern in container adoption. To address this concern, secure container runtimes have emerged, offering superior guest isolation, as well as host protection, via system call policing through the surrogate kernel layer. Whether or not an adversary can bypass this protection depends on the effectiveness of the system call policy being enforced by the container runtime. In this work, we propose a novel method to quantify this container system call exposure. Our technique combines the analysis of a large number of exploit codes with comprehensive experiments designed to uncover the syscall pass-through behaviors of container runtimes. Our exploit code analysis uses information retrieval techniques to rank system calls by their risk weights. Our study shows that secure container runtimes are about 4.2 to 7.5 times more secure than others, using our novel quantification metric. We additionally uncover changing security trends across a 4.5 year version history of the container runtimes.
KW - Container escape
KW - Exploit code analysis
KW - Secure container runtime
KW - Security quantification
KW - System call
UR - http://www.scopus.com/inward/record.url?scp=85140711795&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-17146-8_8
DO - 10.1007/978-3-031-17146-8_8
M3 - Conference contribution
AN - SCOPUS:85140711795
SN - 9783031171451
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 145
EP - 166
BT - Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
A2 - Atluri, Vijayalakshmi
A2 - Di Pietro, Roberto
A2 - Jensen, Christian D.
A2 - Meng, Weizhi
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 26 September 2022 through 30 September 2022
ER -