Optimus: association-based dynamic system call filtering for container attack surface reduction

Seungyong Yang, Brent Byunghoon Kang, Jaehyun Nam
{"title":"Optimus: association-based dynamic system call filtering for container attack surface reduction","authors":"Seungyong Yang, Brent Byunghoon Kang, Jaehyun Nam","doi":"10.1186/s13677-024-00639-3","DOIUrl":null,"url":null,"abstract":"While container adoption has witnessed significant growth in facilitating the operation of large-scale applications, this increased attention has also attracted adversaries who exploit numerous vulnerabilities present in contemporary containers. Unfortunately, existing security solutions largely overlooked the need to restrict container access to the shared host kernel, particularly exhibiting critical limitations in enforcing the least privilege for containers during runtime. Hence, we propose Optimus, an automated and comprehensive system that confines container operations and governs their interactions with the host kernel using an association-based system call filtering. Optimus efficiently identifies the essential system calls required by containers and enhances their security posture by dynamically enforcing the minimal set of system calls for each container during runtime. This is achieved through (1) lightweight system call monitoring leveraging eBPF, (2) system call validation via association analysis, and (3) dynamic system call filtering by adopting covert container renewal. Our evaluation shows that Optimus effectively minimizes the necessary system calls for containers while maintaining their serviceability and operational efficiency during runtime.","PeriodicalId":501257,"journal":{"name":"Journal of Cloud Computing","volume":"17 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cloud Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1186/s13677-024-00639-3","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

While container adoption has witnessed significant growth in facilitating the operation of large-scale applications, this increased attention has also attracted adversaries who exploit numerous vulnerabilities present in contemporary containers. Unfortunately, existing security solutions largely overlooked the need to restrict container access to the shared host kernel, particularly exhibiting critical limitations in enforcing the least privilege for containers during runtime. Hence, we propose Optimus, an automated and comprehensive system that confines container operations and governs their interactions with the host kernel using an association-based system call filtering. Optimus efficiently identifies the essential system calls required by containers and enhances their security posture by dynamically enforcing the minimal set of system calls for each container during runtime. This is achieved through (1) lightweight system call monitoring leveraging eBPF, (2) system call validation via association analysis, and (3) dynamic system call filtering by adopting covert container renewal. Our evaluation shows that Optimus effectively minimizes the necessary system calls for containers while maintaining their serviceability and operational efficiency during runtime.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Optimus:基于关联的动态系统调用过滤,减少容器攻击面
虽然容器的采用在促进大规模应用运行方面取得了显著增长,但这种关注度的提高也吸引了对手,他们利用当代容器中存在的大量漏洞进行攻击。遗憾的是,现有的安全解决方案在很大程度上忽视了限制容器访问共享主机内核的需要,尤其是在运行期间为容器执行最小权限方面表现出严重的局限性。因此,我们提出了 Optimus,这是一个自动化的综合系统,可使用基于关联的系统调用过滤功能限制容器操作并管理它们与主机内核的交互。Optimus 能有效识别容器所需的基本系统调用,并通过在运行时动态执行每个容器的最小系统调用集来增强其安全态势。这是通过以下方式实现的:(1)利用 eBPF 进行轻量级系统调用监控;(2)通过关联分析进行系统调用验证;(3)通过采用隐蔽容器更新进行动态系统调用过滤。我们的评估结果表明,Optimus 能有效减少容器的必要系统调用,同时在运行期间保持容器的可服务性和运行效率。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
A cost-efficient content distribution optimization model for fog-based content delivery networks Toward security quantification of serverless computing SMedIR: secure medical image retrieval framework with ConvNeXt-based indexing and searchable encryption in the cloud A trusted IoT data sharing method based on secure multi-party computation Wind power prediction method based on cloud computing and data privacy protection
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1