Secure Namespaced Kernel Audit for Containers

Dec 1, 2021ยท
Soo Yee Lim
Soo Yee Lim
,
Bogdan Stelea
,
Xueyuan Han
,
Thomas Pasquier
ยท 1 min read
An overview of ProvBPF architecture
Abstract
Despite the wide usage of container-based cloud computing, container auditing for security analysis relies mostly on built-in host audit systems, which often lack the ability to capture high-fidelity container logs. State-of-the-art reference-monitor-based audit techniques greatly improve the quality of audit logs, but their system-wide architecture is too costly to be adapted for individual containers. Moreover, these techniques typically require extensive kernel modifications, making it difficult to deploy in practical settings. In this paper, we present saBPF (secure audit BPF), an extension of the eBPF framework capable of deploying secure system-level audit mechanisms at the container granularity. We demonstrate the practicality of saBPF in Kubernetes by designing an audit framework, an intrusion detection system, and a lightweight access control mechanism. We evaluate saBPF and show that it is comparable in performance and security guarantees to audit systems from the literature that are implemented directly in the kernel.
Type
Publication
In ACM Symposium on Cloud Computing

The software artifacts are open-sourced. For more information, please refer to the paper or contact me via email.