PACED: Provenance-based Automated Container Escape Detection

The security of container-based microservices relies heavily on the isolation of operating system resources that is provided by namespaces. However, vulnerabilities exist in the isolation of containers that may be exploited by attackers to gain access to the host. These are commonly referred to as container escape attacks. While prior work has identified vulnerabilities in namespace isolation, no general container escape detection and warning system has been presented. We present Paced, a novel, realtime system to detect container-escape attacks. We define what constitutes a cross-namespace event and how such events can be used to detect a container escape attack. We develop a provenance-based approach to isolate cross-namespace events and propose a rule—privileged_flow—to detect attacks on Docker and Kubernetes environments. We evaluate our detection method on a suite of contemporary CVEs with container escape exploits, bad container configurations, and benchmarks. Paced achieves near-perfect accuracy with no false negatives. We release our implementation and datasets as free, open-source software.
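To make the abstract's two ideas concrete, the following added example (illustrative code, not PACED's implementation or its released software) treats a provenance capture as a directed information-flow graph, flags edges whose endpoints sit in different namespaces as cross-namespace events, and then applies an assumed rule shape for `privileged_flow`: a flow that starts at a container process, passes through a privileged container process, and reaches a host-namespace process. The graph, the namespace labels and the node names are constructed, and the exact rule semantics are my assumption, not the paper's definition.

```python
from collections import deque

HOST_NS = "host"  # constructed label for the host mount namespace
# Constructed provenance graph (node id -> attributes); not a real capture.
NODES = {
    "proc:nginx": {"type": "process", "ns": "ctr-a", "privileged": False},
    "proc:sh": {"type": "process", "ns": "ctr-a", "privileged": True},
    "file:/tmp/x": {"type": "artifact", "ns": "ctr-a"},
    "file:/host/etc/cron.d/job": {"type": "artifact", "ns": HOST_NS},
    "proc:cron": {"type": "process", "ns": HOST_NS, "privileged": True},
    "proc:app": {"type": "process", "ns": "ctr-b", "privileged": False},
    "file:/host/data/log": {"type": "artifact", "ns": HOST_NS},
    "proc:logrotate": {"type": "process", "ns": HOST_NS, "privileged": False},
}
# Directed information-flow edges: a write is process->file, a read is file->process.
EDGES = [
    ("proc:nginx", "file:/tmp/x"),
    ("file:/tmp/x", "proc:sh"),
    ("proc:sh", "file:/host/etc/cron.d/job"),
    ("file:/host/etc/cron.d/job", "proc:cron"),
    ("proc:app", "file:/host/data/log"),  # benign: bind-mounted volume
    ("file:/host/data/log", "proc:logrotate"),
]

def cross_namespace_edges(nodes, edges):
    """A cross-namespace event: an edge whose endpoints are in different namespaces."""
    return [(s, d) for s, d in edges if nodes[s]["ns"] != nodes[d]["ns"]]

def privileged_flows(nodes, edges):
    """Assumed rule: a flow from a container process that reaches a host process via a privileged container process."""
    adj = {s: [d for s2, d in edges if s2 == s] for s, _ in edges}
    alerts = []
    for start, attrs in nodes.items():
        if attrs["type"] != "process" or attrs["ns"] == HOST_NS:
            continue
        queue = deque([(start, [start], attrs["privileged"])])
        seen = {(start, attrs["privileged"])}  # keyed on (node, privileged-so-far)
        while queue:
            node, path, priv = queue.popleft()
            if nodes[node]["type"] == "process" and nodes[node]["ns"] == HOST_NS:
                if priv:
                    alerts.append(path)
                continue  # flow has reached the host side; stop extending it
            for nxt in adj.get(node, []):
                n = nodes[nxt]
                npriv = priv or (n["type"] == "process" and n["ns"] != HOST_NS and n["privileged"])
                if (nxt, npriv) not in seen:
                    seen.add((nxt, npriv))
                    queue.append((nxt, path + [nxt], npriv))
    return alerts
```

The benign `proc:app` path is also a cross-namespace event (a volume shared with the host), but it raises no alert because no privileged container process is on the path; this is the distinction that keeps the rule from firing on ordinary bind mounts.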
