Title Page
Contents
ABSTRACT 10
Korean Abstract (국문초록) 12
CHAPTER 1. INTRODUCTION 14
CHAPTER 2. RELATED WORK 19
2.1. Container Runtime Security 19
2.2. System Call Filtering with Seccomp Profile 19
2.3. Dynamic-based Technique for Syscall Filtering 20
2.4. Static-based Technique for Syscall Filtering 22
CHAPTER 3. METHODOLOGY 23
3.1. Overall architecture 23
3.2. Dynamic Analysis for identifying Loaded Links 26
3.3. Static analysis for generating system call lists 29
3.4. Crash Analysis in Container Runtime 33
CHAPTER 4. EXPERIMENTS 36
4.1. Experiment Setting 36
4.2. Implementation Details 36
4.2.1. Dynamically loaded libraries 37
4.2.2. Glibc Call Graph Construction 37
4.2.3. Seccomp Profile Generating 38
CHAPTER 5. EXPERIMENT RESULTS 40
5.1. Evaluation Metrics 40
5.1.1. Number of system calls in whitelists 40
5.1.2. Number of Removed Critical System Calls 41
5.1.3. CVE Assessment 43
CHAPTER 6. CONCLUSION 46
6.1. Conclusion 46
6.2. Limitations and Future Works 46
REFERENCES 47
[Table 3-1] Some missing syscalls found in the Temporal approach after re-implementation. 27
[Table 3-2] Docker-slim recovers system calls missed by the Temporal approach through dynamic analysis. 28
[Table 3-3] Example of assembly code referring to system call instructions. 32
[Table 3-4] Mapping table for missing system calls from crash messages. 34
[Table 3-5] A comprehensive classification of Linux system calls in crash analysis. 35
[Table 4-1] Testing containerized applications with the specific version. 36
[Table 5-1] The count of retained system calls (out of 33 available) assessed for two distinct phases, initialization and serving, with the number of missing system calls compared. 41
[Table 5-2] Discovering the critical system calls removed by our approach. 42
[Table 5-3] CVEs linked to system calls that are mitigated. 44
[Figure 1-1] Different tasks in initialization and serving phase of containerized applications. 16
[Figure 3-1] The overall architecture of completing whitelists of system calls corresponding to each phase of container runtime. 24
[Figure 3-2] The Sysdig tool collects loaded binaries and dynamically linked libraries during container runtime. 29
[Figure 3-3] Call graph construction from the source code of applications. 30
[Figure 3-4] The transition takes place after the server's main process forks, and child processes are created in Apache and Nginx applications. 31
[Figure 4-1] Example of a Seccomp Profile containing a whitelist of system calls. 38