SecQuant: Quantifying Container System Call Exposure

dc.contributor.author: Jang, Sunwoo
dc.contributor.author: Song, Somin
dc.contributor.author: Tak, Byungchul
dc.contributor.author: Suneja, Sahil
dc.contributor.author: Le, Michael V.
dc.contributor.author: Yue, Chuan
dc.contributor.author: Williams, Dan
dc.date.accessioned: 2025-02-20T14:20:24Z
dc.date.available: 2025-02-20T14:20:24Z
dc.date.issued: 2022-09-22
dc.description.abstract: Despite their maturity and popularity, security remains a critical concern in container adoption. To address this concern, secure container runtimes have emerged, offering superior guest isolation, as well as host protection, via system call policing through the surrogate kernel layer. Whether or not an adversary can bypass this protection depends on the effectiveness of the system call policy being enforced by the container runtime. In this work, we propose a novel method to quantify this container system call exposure. Our technique combines the analysis of a large number of exploit codes with comprehensive experiments designed to uncover the syscall pass-through behaviors of container runtimes. Our exploit code analysis uses information retrieval techniques to rank system calls by their risk weights. Our study shows that secure container runtimes are about 4.2 to 7.5 times more secure than others, using our novel quantification metric. We additionally uncover changing security trends across a 4.5 year version history of the container runtimes.
dc.description.version: Accepted version
dc.format.extent: Pages 145-166
dc.format.extent: 22 page(s)
dc.format.mimetype: application/pdf
dc.identifier.doi: https://doi.org/10.1007/978-3-031-17146-8_8
dc.identifier.eissn: 1611-3349
dc.identifier.isbn: 978-3-031-17145-1
dc.identifier.issn: 0302-9743
dc.identifier.orcid: Williams, Daniel [0000-0003-1537-0525]
dc.identifier.uri: https://hdl.handle.net/10919/124664
dc.identifier.volume: 13555
dc.language.iso: en
dc.publisher: Springer
dc.rights: In Copyright
dc.rights.uri: http://rightsstatements.org/vocab/InC/1.0/
dc.subject: Secure container runtime
dc.subject: Security quantification
dc.subject: System call
dc.subject: Container escape
dc.subject: Exploit code analysis
dc.subject: DOCKER
dc.title: SecQuant: Quantifying Container System Call Exposure
dc.title.serial: COMPUTER SECURITY - ESORICS 2022, PT II
dc.type: Conference proceeding
dc.type.dcmitype: Text
dc.type.other: Proceedings Paper
dc.type.other: Book in series
pubs.finish-date: 2022-09-30
pubs.organisational-group: Virginia Tech
pubs.organisational-group: Virginia Tech/Engineering
pubs.organisational-group: Virginia Tech/Engineering/Computer Science
pubs.organisational-group: Virginia Tech/All T&R Faculty
pubs.organisational-group: Virginia Tech/Engineering/COE T&R Faculty
pubs.start-date: 2022-09-26

Files

Original bundle
Name: esorics22-secquant.pdf
Size: 1.02 MB
Format: Adobe Portable Document Format
Description: Published version

License bundle
Name: license.txt
Size: 1.5 KB
Format: Plain Text
Description: