Monitoring containerized environments for security state error detection


Project Description

Operating System (OS) virtualization, also known as container-based virtualization, has gained momentum over the past few years thanks to its lightweight nature and support for agility. However, its compelling features come at the price of a reduced isolation level compared to the traditional host-based virtualization techniques, exposing workloads to various threats, such as container escape. In those threats, compromised or rogue containers might exploit existing vulnerabilities or poor container deployment choices to successfully inject security state errors (e.g., breaking out of the namespace isolation mechanisms and running as a root at the host level). To effectively detect those security state errors, we would like to monitor containers at the system call level as the latter accurately maps processes to their activities. Hence, the objective of this project is firstly to study and compare existing monitoring tools (generic such as strace, or container-specific such as sysdig) and select the most suitable one according to a set of criteria (e.g., resource consumption, offered monitoring options). Secondly, the chosen monitoring tool will be instrumented for different scenarios (benign and anomalous settings) to generate relevant datasets capturing the behavior of containers with respect to a set of planned (malicious and benign) activities within a time window. The datasets will be subsequently vetted to extract critical system calls and execution paths that need to receive attention in the runtime detection process.
Program - Computer Science
Division - Computer, Electrical and Mathematical Sciences and Engineering
Center Affiliation - Resilient Computing and Cybersecurity Center
Field of Study - Operating Systems, Security, Containers

About the

Paulo Esteves-Verissimo

Professor, Computer Science and Director, Resilient Computing and Cybersecurity Center (Computer, Electrical and Mathematical Science and Engineering Division)

Paulo Esteves-Verissimo

Desired Project Deliverables

Put in place and document an efficient container monitoring mechanism that will be used subsequently in conjunction with an error detection artifact to uncover erroneous security states in Docker-based containerized environments. Using the established monitoring mechanism, the student will run a set of planned container activities and build datasets that will be used for system call and execution path analysis.