Poster: TCLP: Enforcing least privileges to prevent containers from kernel vulnerabilities

Abstract

While containerization has emerged as a lightweight approach to package, deploy, and run legacy applications in a resource-efficient manner, the shared kernel-resource model used by containers introduces critical security concerns. Specifically, the abuse of system calls by a compromised container can trigger the security vulnerabilities of a host kernel. Unfortunately, even though existing solutions provide powerful protection mechanisms against such issues, how to define the capabilities of containers is still up to operators. In this work, we thus introduce TCLP, a dynamic analysis system that helps operators configure the least capabilities of containers to protect not only themselves but also a host. TCLP monitors the system calls triggered by containers in run time and finds the least capabilities required to run the containers based on the collected system calls. Finally, operators configure the minimal capabilities discovered by TCLP for their containers, reducing the risk of kernel vulnerabilities.