Quantifying the Security Profile of Linux Applications

Abstract

There is an increasing interest to quantify and improve the isolation provided by containers to competing applications on multitenant hosts. As a first step to address this need, we introduce several metrics that quantify the exposure of the applications to the source code of the kernel subsystems. Based on existing tracing tools, we develop a common framework and build two toolchains that automate the extraction of the metrics. We experimentally compare the tracing accuracy of the toolchains by calculating the metrics across different workloads and demonstrate the importance of separating the application execution from unrelated system activity.