Sequence-based System Call Filtering for Enhanced Container Security, is it beneficial?

Somin Song, Sahil Suneja, Michael V. Le, Byungchul Tak

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

One critical class of attack that exploits kernel vulnerabilities through system call invocations is privilege escalation followed by the infamous container escape. Seccomp provides the first line of defense against it. However, it is known to be brittle because it operates at the granularity of the individual system call: inadvertently filtering a necessary system call can break correct execution, while overly generous rules let the attacks through. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we analyzed the expected defensive power of sequence-based filtering mechanisms by thoroughly examining a large set of collected kernel vulnerabilities to assess its feasibility.
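To make the granularity argument concrete, here is an added example (not code from the paper): a seccomp-style allowlist built from the set of system calls seen in benign runs, beside a sequence-aware filter that also records which system call may follow which. The bigram (adjacent-pair) model and the syscall traces are constructed assumptions standing in for a real profiling run; the point shown is that a trace made only of individually allowed system calls can still be rejected on ordering alone.

```python
"""Per-syscall allowlist vs. sequence-aware filter (constructed example)."""
from collections import defaultdict

# Constructed benign traces, standing in for what a profiling run would record.
BENIGN_TRACES = [
    ["openat", "read", "close", "write"],
    ["openat", "read", "read", "close", "write"],
    ["socket", "connect", "write", "read", "close"],
]


def build_allowlist(traces):
    """seccomp-style model: the set of syscalls observed in benign runs."""
    return {sc for trace in traces for sc in trace}


def build_bigram_model(traces):
    """Sequence model: for each syscall, the set of syscalls seen to follow it.
    The sentinel "<start>" records which syscalls may open a trace."""
    follow = defaultdict(set)
    for trace in traces:
        prev = "<start>"
        for sc in trace:
            follow[prev].add(sc)
            prev = sc
    return follow


def allowlist_verdict(allowed, trace):
    """True (permit) unless some syscall lies outside the allowlist."""
    return all(sc in allowed for sc in trace)


def sequence_verdict(follow, trace):
    """True (permit) unless some adjacent pair never occurred in benign runs."""
    prev = "<start>"
    for sc in trace:
        if sc not in follow.get(prev, ()):
            return False  # individually allowed syscall, unexpected position
        prev = sc
    return True


def compare(trace, traces=BENIGN_TRACES):
    """Return both verdicts for one trace so the two models can be contrasted."""
    return {
        "allowlist": allowlist_verdict(build_allowlist(traces), trace),
        "sequence": sequence_verdict(build_bigram_model(traces), trace),
    }


# Constructed trace: every syscall is in the allowlist, but "socket" is never
# directly followed by "close" in any benign run, so only the sequence model objects.
SUSPECT_TRACE = ["socket", "close", "openat", "write"]
```

A trace containing a syscall never profiled (say a bare `fstat`) is rejected by both models, which is the brittleness the abstract describes; the sequence model only adds discrimination among traces the allowlist already permits.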

Original language: English
Title of host publication: Proceedings - 23rd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing Workshops, CCGridW 2023
Editors: Yogesh Simmhan, Ilkay Altintas, Ana-Lucia Varbanescu, Pavan Balaji, Abhinandan S. Prasad, Lorenzo Carnevale
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 278-280
Number of pages: 3
ISBN (Electronic): 9798350302080
State: Published - 2023
Event: 23rd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing Workshops, CCGridW 2023 - Bangalore, India
Duration: 1 May 2023 to 4 May 2023

Publication series

Name: Proceedings - 23rd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing Workshops, CCGridW 2023

Conference

Conference: 23rd IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing Workshops, CCGridW 2023
Country/Territory: India
City: Bangalore
Period: 1/05/23 to 4/05/23

Keywords

  • Linux kernel vulnerability
  • container security
  • seccomp
  • system call sequence pattern
