
SPEAKER: Split-Phase Execution of Application Containers

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10327))

Abstract

Linux containers have recently gained popularity as an operating-system-level virtualization approach for running multiple isolated OS distributions on a control host or for deploying large-scale microservice-based applications in the cloud. The wide adoption of containers as an application deployment platform also attracts attackers’ attention. Since system calls are the entry points through which processes trap into the kernel, the Linux seccomp filter has been integrated into popular container management tools such as Docker to constrain the system calls available to a container. However, Docker lacks a method to obtain and customize the set of system calls a given application actually needs. Moreover, we observe that a number of system calls are used only during the short-term booting phase and can be safely removed from the long-term running phase of a given application container. In this paper, we propose a container security mechanism called SPEAKER that can dramatically reduce the number of system calls available to a given application container by customizing and differentiating its necessary system calls at two execution phases, namely the booting phase and the running phase. For a given application container, we first separate its execution into a booting phase and a running phase and trace the system calls invoked in each phase. Second, we extend the Linux seccomp filter to dynamically update the available system calls when the application transitions from the booting phase into the running phase. Our mechanism is non-intrusive to the application running in the container. We evaluate SPEAKER on popular web server and data store containers from Docker Hub, and the experimental results show that it reduces the system calls available in the running phase by more than 50% for the data store containers and by more than 35% for the web server containers, with negligible performance overhead.
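As an added illustration (not the authors' SPEAKER tool), the script below derives the two per-phase Docker seccomp allowlists from constructed booting-phase and running-phase syscall traces and computes the running-phase reduction; the trace sets, the helper names and the profile builder are assumptions, and the kernel-side dynamic filter switch the paper describes is not reproduced here.

```python
import json

# Constructed sample traces (assumptions, not measured from a real container):
# syscall names observed while the container boots and while it serves requests.
BOOT_PHASE = {"execve", "brk", "mmap", "mprotect", "openat", "read", "close",
              "clone", "setuid", "setgid", "chown", "mount", "socket", "bind", "listen"}
RUN_PHASE = {"accept4", "read", "write", "epoll_wait", "epoll_ctl", "close",
             "mmap", "munmap", "futex", "sendto", "recvfrom", "fstat"}


def phase_profile(allowed):
    """Docker seccomp profile allowing exactly `allowed`; any other syscall fails with EPERM."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }


def split_phase_profiles(boot, run):
    """Return (booting-phase profile, running-phase profile).

    The booting profile must allow the union: the same process continues into the
    running phase, so a call needed only later must not be blocked at boot.
    """
    return phase_profile(boot | run), phase_profile(run)


def boot_only_syscalls(boot, run):
    """Syscalls that can be dropped once the container leaves the booting phase."""
    return sorted(boot - run)


def is_allowed(profile, syscall):
    """Emulate the filter decision for one syscall under a generated profile."""
    return any(syscall in rule["names"] for rule in profile["syscalls"]
               if rule["action"] == "SCMP_ACT_ALLOW")


def reduction(boot, run):
    """Fraction of the booting-phase allowlist removed in the running phase."""
    total = len(boot | run)
    return (total - len(run)) / total


if __name__ == "__main__":
    boot_p, run_p = split_phase_profiles(BOOT_PHASE, RUN_PHASE)
    print(json.dumps(run_p, indent=2))  # usable via: docker run --security-opt seccomp=<file>
    print("boot-only:", boot_only_syscalls(BOOT_PHASE, RUN_PHASE))
    print(f"running-phase reduction: {reduction(BOOT_PHASE, RUN_PHASE):.0%}")
```

With these constructed traces, 12 of the 24 booting-phase syscalls (including mount, setuid and chown) disappear from the running-phase profile, matching the kind of reduction the abstract reports.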




Acknowledgments

We would like to thank our shepherd Andrea Lanzi and our anonymous reviewers for their valuable comments and suggestions. We would also like to thank Xianchen Meng, Chong Guan, Yue Li, and Shengye Wan for their feedback and advice. This work is partially supported by U.S. ONR grants N00014-16-1-3216 and N00014-16-1-3214, the National Basic Research Program of China under GA No. 2013CB338001 (973 Program), the National Key Research & Development Program of China under GA No. 2016YFB0800102, and a Cisco award.


Corresponding author

Correspondence to Lingguang Lei .


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Lei, L. et al. (2017). SPEAKER: Split-Phase Execution of Application Containers. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_11


  • DOI: https://doi.org/10.1007/978-3-319-60876-1_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1

  • eBook Packages: Computer Science (R0)
