为Linux容器挖掘沙箱

2017 IEEE International Conference on Software Testing, Verification and Validation (ICST) Pub Date : 2017-03-01 DOI:10.1109/ICST.2017.16

Zhiyuan Wan, D. Lo, Xin Xia, Liang Cai, Shanping Li

{"title":"为Linux容器挖掘沙箱","authors":"Zhiyuan Wan, D. Lo, Xin Xia, Liang Cai, Shanping Li","doi":"10.1109/ICST.2017.16","DOIUrl":null,"url":null,"abstract":"A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. The set of system calls then results as a sandbox of the container. The mined sandbox restricts the container's access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine sandbox for each of the containers. The enforcement of mined sandboxes does not impact the regular functionality of a container and incurs low performance overhead.","PeriodicalId":112258,"journal":{"name":"2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"31","resultStr":"{\"title\":\"Mining Sandboxes for Linux Containers\",\"authors\":\"Zhiyuan Wan, D. Lo, Xin Xia, Liang Cai, Shanping Li\",\"doi\":\"10.1109/ICST.2017.16\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. The set of system calls then results as a sandbox of the container. The mined sandbox restricts the container's access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine sandbox for each of the containers. The enforcement of mined sandboxes does not impact the regular functionality of a container and incurs low performance overhead.\",\"PeriodicalId\":112258,\"journal\":{\"name\":\"2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)\",\"volume\":\"15 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-03-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"31\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICST.2017.16\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICST.2017.16","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 31

摘要

容器是一组通过不同的内核名称空间和资源分配配额与其他组隔离的进程。对容器的攻击通常通过系统调用接口利用内核漏洞。在本文中，我们提出了一种挖掘容器沙箱的方法。我们首先通过利用自动测试来探索容器的行为，并提取在测试期间访问的系统调用集。然后，系统调用集作为容器的沙箱产生。挖掘的沙箱限制了容器对测试期间未看到的系统调用的访问，从而减少了攻击面。在实验中，我们的方法需要不到11分钟的时间来挖掘每个容器的沙盒。挖掘沙箱的实施不会影响容器的常规功能，并且产生较低的性能开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Mining Sandboxes for Linux Containers

A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. The set of system calls then results as a sandbox of the container. The mined sandbox restricts the container's access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine sandbox for each of the containers. The enforcement of mined sandboxes does not impact the regular functionality of a container and incurs low performance overhead.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)

自引率

0.00%

发文量