Litcius/Paper detail

Enhancing Container Security Through Phase-Based System Call Filtering

Ke Chen, Hui Lu, Yelin Yao, Binxing Fang, Yuan Liu, Zhihong Tian

2025IEEE Transactions on Cloud Computing8 citationsDOI

Abstract

Container technology in cloud computing has improved resource utilization and deployment efficiency, but it also introduces new security risks. Excessive privileges in containerized environments can allow attackers to exploit insufficiently restricted system calls, potentially leading to container escapes and other attacks. Some system calls are only necessary during the initialization phase of a container, and allowing them during runtime can increase the risk of exploitation. This paper proposes a Phase-based System Call Filtering (PSF) method to minimize system call permissions during the runtime of cloud containers. The PSF method builds a comprehensive whitelist of system calls during the initialization phase to cover all necessary calls for containerized applications. During runtime, a refined, phase-specific system call whitelist is enforced, dynamically adjusting privileges based on the functions encapsulated within the container. Additionally, we introduce a container phase recognition algorithm to distinguish between initialization and runtime phases, supporting the generation of phase-specific system call lists. Experimental results show that the proposed method enhances runtime system call restrictions, minimizes privileges, and improves the overall security of cloud containers.

Topics & Concepts

Computer scienceContainer (type theory)System callComputer securityCloud computingPhase (matter)Computer networkOperating systemEngineeringOrganic chemistryChemistryMechanical engineeringMobile Agent-Based Network ManagementReal-Time Systems SchedulingEmbedded Systems Design Techniques