Enhancing Security of Modern Linux Containers

Description

In the last few years, containerization witnessed a rapid growth in adoption. This is due to the fact that it is not only very easy to deploy containers, but they are also extremely lightweight. Although state-of-the-art container implementations are able to isolate users in a similar way as virtual machines, they have a significantly lower overhead. Unfortunately, this reduction was paid with a considerable weaker isolation of host and container. For containers, the kernel takes the same role as the hypervisor for virtual machines. Hence, vulnerabilities in the kernel can be potentially abused by adversaries to escape containers. Since a kernel usually has a much larger attack surface than a hypervisor, this constitutes a serious security problem. For example, the Linux kernel (version 4.18.7) offers 335 syscalls, whereas the Xen hypervisor (version 4.11.0) only offers 42 hypercalls. As a result, it is extremely important to develop hardening mechanisms for containers.

In this thesis, we investigate the security of containers and introduce a technique to further harden containers against breakouts. As such, we divided our thesis in two parts. In the first part, we study the difficulty of container breakouts. In particular, we examine the following three attack vectors: kernel vulnerabilities, configuration flaws, and container management tool vulnerabilities. Unfortunately, our findings show that an adversary sandboxed in a container just has to execute one successful attack against the kernel to compromise the other containers or the host itself.

As a result, we introduce a new technique to harden containers in the second part of this thesis. In particular, our approach statically analyzes which syscalls are needed by the container and prohibits the call of unneeded syscalls. Therefore, an attacker cannot exploit a vulnerability in the implementation of an unneeded syscall. Our evaluation demonstrates that the analysis is able to correctly overapproximate the set of needed syscalls and shows that we can safely prohibit 2/3 of all syscalls without impacting the genuine execution of the containerized software. Since this significantly shrinks the attack surface of the kernel, our approach is an important contribution to container hardening mechanisms.