Back to Search Start Over

Practical and effective sandboxing for Linux containers.

Authors :
Wan, Zhiyuan
Lo, David
Xia, Xin
Cai, Liang
Source :
Empirical Software Engineering; Dec2019, Vol. 24 Issue 6, p4034-4070, 37p
Publication Year :
2019

Abstract

A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through the system call interface. In this paper, we present an approach that mines sandboxes and enables fine-grained sandbox enforcement for containers. We first explore the behavior of a container by running test cases and monitor the accessed system calls including types and arguments during testing. We then characterize the types and arguments of system call invocations and translate them into sandbox rules for the container. The mined sandbox restricts the container's access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine a sandbox for each of the containers. The estimation of system call coverage of sandbox mining ranges from 96.4% to 99.8% across the containers under the limiting assumptions that the test cases are complete and only static system/application paths are used. The enforcement of mined sandboxes incurs low performance overhead. The mined sandboxes effectively reduce the attack surface of containers and can prevent the containers from security breaches in reality. [ABSTRACT FROM AUTHOR]

Details

Language :
English
ISSN :
13823256
Volume :
24
Issue :
6
Database :
Complementary Index
Journal :
Empirical Software Engineering
Publication Type :
Academic Journal
Accession number :
140205808
Full Text :
https://doi.org/10.1007/s10664-019-09737-2