Linux capabilities represent an important security feature for enabling fine-grained management of privileges. However, limitations in selectively enabling capabilities for processes and lagging adoption from application developers often lead the operators to run containers with unnecessary privileges. Although this can potentially be addressed by modifying the application, minimizing the set of enabled capabilities, assigning capabilities to executable files, or using user space utilities like Ptrace, those solutions typically require manual efforts, only provide partial protection, or incur significant overhead. In this paper, we present CapMan, a solution that secures privileged containers by detecting and mitigating potential capability abuses at runtime. Our main idea is threefold. First, CapMan examines all capability requests made by system calls to ensure full protection. Second, CapMan performs the detection directly inside the Linux kernel to ensure its efficiency. Third, CapMan mitigates capability abuses in a transparent manner without requiring any change made to the application or container. Our evaluation of CapMan using real-world CVEs and capability abuses shows that it can mitigate all the tested capability abuses (most of which are missed by a state-of-the-art solution) with negligible performance overhead.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

CapMan: Detecting and Mitigating Linux Capability Abuses at Runtime to Secure Privileged Containers

  • Alireza Moghaddas Borhan,
  • Hugo Kermabon-Bobinnec,
  • Lingyu Wang,
  • Yosr Jarraya,
  • Suryadipta Majumdar

摘要

Linux capabilities represent an important security feature for enabling fine-grained management of privileges. However, limitations in selectively enabling capabilities for processes and lagging adoption from application developers often lead the operators to run containers with unnecessary privileges. Although this can potentially be addressed by modifying the application, minimizing the set of enabled capabilities, assigning capabilities to executable files, or using user space utilities like Ptrace, those solutions typically require manual efforts, only provide partial protection, or incur significant overhead. In this paper, we present CapMan, a solution that secures privileged containers by detecting and mitigating potential capability abuses at runtime. Our main idea is threefold. First, CapMan examines all capability requests made by system calls to ensure full protection. Second, CapMan performs the detection directly inside the Linux kernel to ensure its efficiency. Third, CapMan mitigates capability abuses in a transparent manner without requiring any change made to the application or container. Our evaluation of CapMan using real-world CVEs and capability abuses shows that it can mitigate all the tested capability abuses (most of which are missed by a state-of-the-art solution) with negligible performance overhead.