CR · Nov 3, 2021

Secure Namespaced Kernel Audit for Containers

arXiv:2111.02481v1 · 28 citations
Originality: Incremental advance

AI Analysis

The paper addresses the security-analysis challenges of container-based cloud computing by providing a practical, deployable auditing solution that does not require extensive kernel modifications.

The paper tackles the problem of high-fidelity container auditing in cloud computing by presenting saBPF, an extension of the eBPF framework that enables secure system-level audit mechanisms at container granularity, and shows that it is comparable in performance and security guarantees to kernel-based audit systems.

Despite the wide usage of container-based cloud computing, container auditing for security analysis relies mostly on built-in host audit systems, which often lack the ability to capture high-fidelity container logs. State-of-the-art reference-monitor-based audit techniques greatly improve the quality of audit logs, but their system-wide architecture is too costly to be adapted for individual containers. Moreover, these techniques typically require extensive kernel modifications, making them difficult to deploy in practical settings. In this paper, we present saBPF (secure audit BPF), an extension of the eBPF framework capable of deploying secure system-level audit mechanisms at the container granularity. We demonstrate the practicality of saBPF in Kubernetes by designing an audit framework, an intrusion detection system, and a lightweight access control mechanism. We evaluate saBPF and show that it is comparable in performance and security guarantees to audit systems from the literature that are implemented directly in the kernel.
