CR · Dec 15, 2017

Mining Sandboxes for Linux Containers

arXiv:1712.05493v1 · 45 citations
Originality: Incremental advance
AI Analysis

This work addresses the security of containerized environments for system administrators and developers; it is incremental in that it builds on existing sandboxing techniques (system call filtering) rather than introducing a new isolation mechanism.

The paper tackles the problem of securing Linux containers by reducing their attack surface through system call restriction. Sandbox mining takes less than eleven minutes per container, and enforcing the mined sandbox incurs low performance overhead with no impact on the container's regular functionality.

A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quotas. Attacks against containers often leverage kernel exploits through the system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. This set of system calls then serves as the sandbox of the container. The mined sandbox restricts the container's access to system calls that were not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine a sandbox for each of the containers. The enforcement of mined sandboxes does not impact the regular functionality of a container and incurs low performance overhead.
