Towards Improving Container Security by Preventing Runtime Escapes

Bibliographic Details
Published in: Proceedings of the IEEE, 2021-10, Vol. 2021
Main Authors: Reeves, Michael, Tian, Dave Jing, Bianchi, Antonio, Celik, Z. Berkay
Format: Article
Language: English
Description
Summary: Container escapes enable the adversary to execute code on the host from inside an isolated container. Notably, these high severity escape vulnerabilities originate from three sources: (1) container profile misconfigurations, (2) Linux kernel bugs, and (3) container runtime vulnerabilities. While the first two cases have been studied in the literature, no works have investigated the impact of container runtime vulnerabilities. In this paper, to fill this gap, we study 59 CVEs for 11 different container runtimes. As a result of our study, we found that five of the 11 runtimes had nine publicly available PoC container escape exploits covering 13 CVEs. Our further analysis revealed all nine exploits are the result of a host component leaked into the container. Here, we apply a user namespace container defense to prevent the adversary from leveraging leaked host components and demonstrate that the defense stops seven of the nine container escape exploits.
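The defense the abstract describes relies on user namespaces: when container root is mapped to an unprivileged host UID, a host component that leaks into the container (a host file descriptor, a host mount) is no longer accessed as host UID 0. The script below is an added example, not code from the paper, showing how a practitioner would check that property from inside a container by reading a uid_map in the format of /proc/self/uid_map. The map format and the identity-map value are kernel facts; the four sample maps are constructed for the demonstration, and the Docker daemon option mentioned in a comment is only one of several ways to obtain such a map.

```shell
#!/bin/sh
# Added example (not from the paper): inspect a uid_map in the format of
# /proc/self/uid_map ("<inside-uid> <host-uid> <count>" per line) and report
# whether container root (uid 0) is really host root. The identity map
# "0 0 4294967295" is what a container without user namespace remapping sees;
# with it, any host component leaked into the container is accessed as host
# uid 0, which is exactly what the user namespace defense takes away.

# host_uid_of_root MAPFILE
#   Prints the host uid that container uid 0 maps to, or "unmapped" when
#   uid 0 has no extent in this namespace (it then appears as the overflow uid).
host_uid_of_root() {
    while read -r inside outside count; do
        # uid 0 can only fall inside an extent whose inside-start is 0
        if [ "$inside" = 0 ]; then
            echo "$outside"
            return 0
        fi
    done < "$1"
    echo unmapped
}

# userns_remapped [MAPFILE]
#   Exit status 0 when container root is NOT host root (remapped or unmapped),
#   1 when container root is host root. Defaults to the caller's own map.
userns_remapped() {
    case "$(host_uid_of_root "${1:-/proc/self/uid_map}")" in
        0) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample maps (not captured from a real host), one per file.
tmp="${TMPDIR:-/tmp}/uidmap_demo.$$"
mkdir -p "$tmp"
printf '         0          0 4294967295\n' > "$tmp/identity"   # no user namespace: root == host root
printf '         0     100000      65536\n' > "$tmp/remapped"   # e.g. dockerd started with --userns-remap
printf '         0       1000          1\n         1     100000      65536\n' > "$tmp/rootless"  # rootless engine: root == unprivileged host user
printf '      1000       1000          1\n' > "$tmp/nomap"      # uid 0 has no mapping at all

for name in identity remapped rootless nomap; do
    if userns_remapped "$tmp/$name"; then
        echo "$name: container root -> host uid $(host_uid_of_root "$tmp/$name") (not host root)"
    else
        echo "$name: container root IS host root; leaked host components are usable as uid 0"
    fi
done
```

Run it with no argument inside a container (`userns_remapped` with no path reads /proc/self/uid_map) to learn whether the runtime applied the remapping; an exit status of 1 means the identity map is in effect and the escapes the paper attributes to leaked host components remain viable.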
ISSN: 0018-9219, 1558-2256