Litcius/Paper detail

PACED: Provenance-based Automated Container Escape Detection

Mashal Abbas, Shahpar Khan, Abdul Monum, Fareed Zaffar, Rashid Tahir, David Eyers, Hassaan Irshad, Ashish Gehani, Vinod Yegneswaran, Thomas Pasquier

202215 citationsDOI

Abstract

The security of container-based microservices relies heavily on the isolation of operating system resources that is provided by namespaces. However, vulnerabilities exist in the isolation of containers that may be exploited by attackers to gain access to the host. These are commonly referred to as container escape attacks. While prior work has identified vulnerabilities in namespace isolation, no general container escape detection and warning system has been presented. We present Paced, a novel, realtime system to detect container-escape attacks. We define what constitutes a cross-namespace event and how such events can be used to detect a container escape attack. We develop a provenance-based approach to isolate cross-namespace events and propose a rule—privileged_flow—to detect attacks on Docker and Kubernetes environments. We evaluate our detection method on a suite of contemporary CVEs with container escape exploits, bad container configurations, and benchmarks. Paced achieves near-perfect accuracy with no false negatives. We release our implementation and datasets as free, open-source software.

Topics & Concepts

NamespaceContainer (type theory)Computer scienceIsolation (microbiology)ExploitMicroservicesSoftwareHost (biology)Event (particle physics)Computer securityOperating systemDistributed computingEngineeringQuantum mechanicsEcologyPhysicsMechanical engineeringBiologyMicrobiologyCloud computingSoftware System Performance and ReliabilityNetwork Security and Intrusion DetectionScientific Computing and Data Management
PACED: Provenance-based Automated Container Escape Detection | Litcius