Open Access, Posted Content
Secure Namespaced Kernel Audit for Containers
TL;DR: This article presents saBPF (secure audit BPF), an extension of the eBPF framework that deploys secure system-level audit mechanisms at container granularity.
Abstract: Despite the widespread use of container-based cloud computing, container auditing for security analysis relies mostly on built-in host audit systems, which often lack the ability to capture high-fidelity container logs. State-of-the-art reference-monitor-based audit techniques greatly improve the quality of audit logs, but their system-wide architecture is too costly to be adapted for individual containers. Moreover, these techniques typically require extensive kernel modifications, making them difficult to deploy in practical settings.
In this paper, we present saBPF (secure audit BPF), an extension of the eBPF framework capable of deploying secure system-level audit mechanisms at container granularity. We demonstrate the practicality of saBPF in Kubernetes by designing an audit framework, an intrusion detection system, and a lightweight access control mechanism. We evaluate saBPF and show that it is comparable in performance and security guarantees to audit systems from the literature that are implemented directly in the kernel.
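The abstract's central point is that host audit systems record syscalls per process, not per container, so a container-granular audit layer first has to attribute each event to the container (and pod) whose cgroup the acting task belongs to, and only then apply that container's own rules. The Python below is an added illustration of that attribute-then-judge step done in user space; it is not saBPF's code (saBPF does this work inside eBPF programs in the kernel) and makes no claim about saBPF's internals. The cgroup path layouts it parses are the ones kubelet creates under the cgroupfs and systemd cgroup drivers; the pod UID, container IDs, audit events and per-container policy are constructed for the example.

```python
"""Attribute kernel audit events to Kubernetes containers via cgroup paths and
apply per-container rules. Added illustration only; not saBPF's implementation."""
from __future__ import annotations
import re
from collections import defaultdict
from typing import Optional

# kubelet, cgroupfs driver: /kubepods[/<qos>]/pod<uid>/<container-id>
CGROUPFS_RE = re.compile(
    r"^/kubepods(?:/(?:burstable|besteffort))?/pod(?P<pod>[0-9a-f-]{36})"
    r"/(?P<cid>[0-9a-f]{64})$")
# kubelet, systemd driver: pod UID has '-' replaced by '_', container is a .scope
SYSTEMD_RE = re.compile(
    r"^/kubepods\.slice/(?:kubepods-(?:burstable|besteffort)\.slice/)?"
    r"kubepods-(?:burstable-|besteffort-)?pod(?P<pod>[0-9a-f_]{36})\.slice"
    r"/(?:cri-containerd|docker|crio)-(?P<cid>[0-9a-f]{64})\.scope$")


def attribute(cgroup_path: str) -> Optional[tuple[str, str]]:
    """Map a cgroup v2 path (as in /proc/<pid>/cgroup) to (pod_uid, container_id).
    Returns None for tasks outside kubepods (host daemons, kubelet itself)."""
    for rx in (CGROUPFS_RE, SYSTEMD_RE):
        m = rx.match(cgroup_path)
        if m:
            return m.group("pod").replace("_", "-"), m.group("cid")
    return None


# Constructed identifiers and events (hypothetical pod UID / container IDs).
POD = "0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"
CID_WEB = "a" * 64
CID_DB = "b" * 64
SAMPLE_EVENTS = [
    {"pid": 1203, "cgroup": f"/kubepods/burstable/pod{POD}/{CID_WEB}",
     "syscall": "openat", "path": "/var/www/index.html"},
    {"pid": 1203, "cgroup": f"/kubepods/burstable/pod{POD}/{CID_WEB}",
     "syscall": "openat", "path": "/etc/shadow"},
    {"pid": 2210, "cgroup": (f"/kubepods.slice/kubepods-burstable.slice/"
                             f"kubepods-burstable-pod{POD.replace('-', '_')}.slice/"
                             f"cri-containerd-{CID_DB}.scope"),
     "syscall": "execve", "path": "/usr/bin/curl"},
    # Same sensitive read as event 2, but from a host service: not a container's business.
    {"pid": 799, "cgroup": "/system.slice/sshd.service",
     "syscall": "openat", "path": "/etc/shadow"},
]

# Constructed per-container policy: the same syscall gets a different verdict per container.
POLICY = {
    CID_WEB: {"read_prefixes": ("/var/www/", "/usr/", "/lib/"),
              "exec_allow": ("/usr/sbin/nginx",)},
    CID_DB: {"read_prefixes": ("/var/lib/postgresql/", "/usr/", "/lib/"),
             "exec_allow": ("/usr/lib/postgresql/bin/postgres",)},
}


def container_verdict(event: dict, policy: dict) -> Optional[str]:
    """Apply one container's rules to one event; return a reason on violation."""
    sc, path = event["syscall"], event["path"]
    if sc == "execve" and path not in policy["exec_allow"]:
        return f"exec of {path} not in allow list"
    if sc in ("open", "openat") and not path.startswith(policy["read_prefixes"]):
        return f"open of {path} outside permitted prefixes"
    return None


def audit(events: list[dict], policies: dict) -> dict:
    """Split a host-wide event stream into per-container audit streams and alerts.
    Host (non-kubepods) events are kept separately so they never pollute a container's log."""
    streams: dict[str, list[dict]] = defaultdict(list)
    alerts, host = [], []
    for ev in events:
        who = attribute(ev["cgroup"])
        if who is None:
            host.append(ev)
            continue
        pod, cid = who
        streams[cid].append(dict(ev, pod=pod, container=cid))
        pol = policies.get(cid)
        if pol is None:
            alerts.append((cid, ev["pid"], "no policy registered for container"))
            continue
        reason = container_verdict(ev, pol)
        if reason:
            alerts.append((cid, ev["pid"], reason))
    return {"streams": dict(streams), "alerts": alerts, "host": host}


if __name__ == "__main__":
    for cid, pid, reason in audit(SAMPLE_EVENTS, POLICY)["alerts"]:
        print(f"container {cid[:12]} pid {pid}: {reason}")
```

Run as-is to see the two per-container alerts (the web container reading /etc/shadow, the database container executing curl) while the identical /etc/shadow read by sshd on the host lands in the host bucket rather than in any container's stream. In saBPF the attribution happens at the hook rather than after the fact, which is what lets it both log and deny (the lightweight access control the abstract mentions) at the moment of the call.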