Sequence-based System Call Filtering for Enhanced Container Security, is it beneficial?

Abstract

One critical attack that exploits kernel vulnerabilities through system call invocations is the privilege escalation followed by the infamous container escape. The seccomp provides the first line of defense against it. However, it is known to be brittle since it operates at the granularity of the individual system call. Inadvertent filtering of necessary system calls may inhibit the correct execution while overly generous rules allow the attacks. We believe that, by looking at the sequence of system calls, we can achieve more accurate and effective blocking of attacks in containers. To this end, we analyzed the expected defensive power from applying the sequence-based filtering mechanisms by thoroughly analyzing a large set of collected kernel vulnerabilities to assess the feasibility.