TY - GEN
T1 - Sequence-based System Call Filtering for Enhanced Container Security, is it beneficial?
AU - Song, Somin
AU - Suneja, Sahil
AU - Le, Michael V.
AU - Tak, Byungchul
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - One critical attack that exploits kernel vulnerabilities through system call invocations is the privilege escalation followed by the infamous container escape. Seccomp provides the first line of defense against it. However, it is known to be brittle since it operates at the granularity of the individual system call. Inadvertent filtering of necessary system calls may inhibit the correct execution while overly generous rules allow the attacks. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we analyzed the expected defensive power from applying the sequence-based filtering mechanisms by thoroughly analyzing a large set of collected kernel vulnerabilities to assess the feasibility.
AB - One critical attack that exploits kernel vulnerabilities through system call invocations is the privilege escalation followed by the infamous container escape. Seccomp provides the first line of defense against it. However, it is known to be brittle since it operates at the granularity of the individual system call. Inadvertent filtering of necessary system calls may inhibit the correct execution while overly generous rules allow the attacks. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we analyzed the expected defensive power from applying the sequence-based filtering mechanisms by thoroughly analyzing a large set of collected kernel vulnerabilities to assess the feasibility.
KW - Linux kernel vulnerability
KW - container security
KW - seccomp
KW - system call sequence pattern
UR - http://www.scopus.com/inward/record.url?scp=85166739614&partnerID=8YFLogxK
U2 - 10.1109/CCGridW59191.2023.00057
DO - 10.1109/CCGridW59191.2023.00057
M3 - Conference contribution
AN - SCOPUS:85166739614
T3 - Proceedings - 23rd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing Workshops, CCGridW 2023
SP - 278
EP - 280
BT - Proceedings - 23rd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing Workshops, CCGridW 2023
A2 - Simmhan, Yogesh
A2 - Altintas, Ilkay
A2 - Varbanescu, Ana-Lucia
A2 - Balaji, Pavan
A2 - Prasad, Abhinandan S.
A2 - Carnevale, Lorenzo
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 23rd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing Workshops, CCGridW 2023
Y2 - 1 May 2023 through 4 May 2023
ER -