Sequence-based System Call Filtering for Enhanced Container Security, is it beneficial?

Somin Song, Sahil Suneja, Michael V. Le, Byungchul Tak
DOI: 10.1109/CCGridW59191.2023.00057 (https://doi.org/10.1109/CCGridW59191.2023.00057)
Published in: 2023 IEEE/ACM 23rd International Symposium on Cluster, Cloud and Internet Computing Workshops (CCGridW)
Publication date: 2023-05-01
Citations: 0

Abstract

Sequence-based System Call Filtering for Enhanced Container Security, is it beneficial?
One critical attack that exploits kernel vulnerabilities through system call invocations is the privilege escalation followed by the infamous container escape. The seccomp provides the first line of defense against it. However, it is known to be brittle since it operates at the granularity of the individual system call. Inadvertent filtering of necessary system calls may inhibit the correct execution while overly generous rules allow the attacks. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we analyzed the expected defensive power from applying the sequence-based filtering mechanisms by thoroughly analyzing a large set of collected kernel vulnerabilities to assess the feasibility.