Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

3-2017

Abstract

A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. The set of system calls then results as a sandbox of the container. The mined sandbox restricts the container's access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine sandbox for each of the containers. The enforcement of mined sandboxes does not impact the regular functionality of a container and incurs low performance overhead.

Keywords

Linux container, kernel namespaces, resource allocation quota, system call interface, automatic testing, regular functionality, performance overhead, sandbox mining

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

10th IEEE International Conference on Software Testing (ICST 2017): Toyko, Japan, March, 13-17: Proceedings

First Page

92

Last Page

102

ISBN

9781509060313

Identifier

10.1109/ICST.2017.16

Publisher

IEEE Computer Society

City or Country

Los Alamitos, CA

Embargo Period

12-18-2019

Copyright Owner and License

Authors

Additional URL

https://doi.org/10.1109/ICST.2017.16

Share

COinS