Poster: TCLP: Enforcing Least Privileges to Prevent Containers from Kernel Vulnerabilities
While containerization has emerged as a lightweight approach to package, deploy, and run legacy applications in a resource-efficient manner, the shared kernel-resource model used by containers introduces critical security concerns. Specifically, the abuse of system calls by a compromised container can trigger the security vulnerabilities of a host kernel. Unfortunately, even though existing solutions provide powerful protection mechanisms against such issues, how to define the capabilities of containers is still up to operators. In this work, we thus introduce TCLP, a dynamic analysis system that helps operators configure the least capabilities of containers to protect not only themselves but also a host. TCLP monitors the system calls triggered by containers in run time and finds the least capabilities required to run the containers based on the collected system calls. Finally, operators configure the minimal capabilities discovered by TCLP for their containers, reducing the risk of kernel vulnerabilities.
- Publisher
- ACM
- Issue Date
- 2019-11-12
- Language
- English
- Citation
ACM Conference on Computer and Communications Security, pp.2665 - 2667
- Appears in Collection
- EE-Conference Papers(학술회의논문)
- Files in This Item
- There are no files associated with this item.
This item is cited by other documents in WoS
| ⊙ Detail Information in WoSⓡ | Click to see |  |
| ⊙ Cited 3 items in WoS | Click to see citing articles in |  |
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.