Title: BPFGuard: Multi-Granularity Container Runtime Mandatory Access Control
Authors: Hui Lu; Xiaojiang Du; Dawei Hu; Shen Su; Zhihong Tian
DOI: 10.1109/TCC.2025.3551838
Journal: IEEE Transactions on Cloud Computing, vol. 13, no. 2, pp. 629-640
Publication date: 2025-03-24
Publication type: Journal Article
Journal impact factor: 5.3; JCR: Q1 (Computer Science, Information Systems); region: 2 (Computer Science)
Open access: no
URL: https://ieeexplore.ieee.org/document/10938304/
Platform: Semanticscholar
Citations: 0
Abstract
The adoption of container-based cloud computing services has been prevalent, especially with the introduction of Kubernetes, which enables the automated deployment, scaling, and administration of applications in containers, hence boosting the popularity of containers. As a result, researchers have placed greater emphasis on container runtime security, notably investigating the efficacy of traditional techniques such as Capabilities, Seccomp, and Linux security modules in guaranteeing container security. However, due to the limitations imposed by the container environment, the results have been unsatisfactory. In addition, eBPF-based solutions face the problem of being unable to load policies quickly, and they affect real-time operation when confronted with newer kernel vulnerabilities. This paper investigates the limitations of existing container security mechanisms. Additionally, it examines the specific constraints of these mechanisms in Kubernetes environments. The paper classifies container monitoring and mandatory access control into three distinct categories: system call access control, LSM hook access control, and kernel function access control. Based on this classification, we propose a technique for regulating container access at a variety of granularity levels. This technique is implemented using eBPF and is tightly integrated with Kubernetes to collect relevant meta-information. In addition, we propose a consolidated routing method and function tail call chaining to overcome the limitations of eBPF in enforcing mandatory access control for containers. Lastly, we conducted a series of experiments to verify the effectiveness of the system's security using CVE-2022-0492 and to benchmark the system with BPFGuard enabled. The results indicate that the average performance loss is merely 2.16%, demonstrating that there are no adverse effects on the container services. This suggests that greater security can be achieved at a minimal cost.
Journal description:
The IEEE Transactions on Cloud Computing (TCC) is dedicated to the multidisciplinary field of cloud computing. It is committed to the publication of articles that present innovative research ideas, application results, and case studies in cloud computing, focusing on key technical issues related to theory, algorithms, systems, applications, and performance.