Protect Containerized Applications With System Call Profiling

Presented at AppSec USA 2016, Oct. 14, 2016, 9:30 a.m. (60 minutes).

Container technologies like Docker are gaining mainstream interest from development and operations teams. Unlike virtual machines, containers running on the same host share the underlying OS kernel. As such, a malicious container can influence the execution of other containers through the common kernel by either exploiting a kernel vulnerability or simply leveraging the privileges of the compromised container. In this talk we describe an approach to harden and isolate containerized applications via system call profiling. We show that one can develop accurate system call profiles via static analysis of the container images and knowledge of the host system. Using this profile in runtime, one can monitor for and protect against malicious behavior that deviates from the profile. We show that one can build these profiles automatically from analyzing information within the container image and Dockerfiles. We show that runtime profiling and monitoring adds approximately 5-8% performance overhead for running applications. We demonstrate system call profiling on a sample micro-service application and show that it is a non-intrusive and effective method to detect behavioral anomalies with low false positives.

Presenters:

• Chenxi Wang - Twistlock
  Dr. Chenxi Wang is Chief Strategy Officer of Twistlock, where she is responsible for product strategy and thought leadership. Chenxi built an illustrious career at Forrester Research, Intel Security, and CipherCloud. At Forrester, Chenxi covered mobile, cloud, and enterprise security, and wrote many hard hitting research papers. At Intel Security, she led the ubiquity strategy that spans both hardware and software platforms. Chenxi started her career as a faculty member at Carnegie Mellon University. Chenxi is a sought-after public speaker and a trusted advisor for IT executives. She has keynoted RSA, OWASP, SANDs Developers Conference. Chenxi is the chair for the 2016 Grace Hopper Conference Security and Privacy program. Chenxi has been quoted/featured by New York Times, Wall Street Journal, Forbes.com, Fox News, Bloomberg, Dark Reading, and many other media outlets. Chenxi holds a Ph.D. in Computer Science from University of Virginia.

Links:

• https://appsecusa2016.sched.com/event/7tAZ/protect-containerized-applications-with-system-call-profiling
• https://www.youtube.com/watch?v=uBH2QNDks4I

Similar Presentations:

• ToorCon San Diego 20 (2018) / If You Give a Container a Capability: A Tale of Container Exploitation
• DEF CON 30 (2022) / The COW (Container On Windows) Who Escaped the Silo
• DerbyCon 8.0 Evolution (2018) / Living in a Secure Container, Down by the River