SPEAKER: Split-Phase Execution of Application Containers

  • Lingguang Lei
  • Jianhua Sun
  • Kun Sun
  • Chris Shenefiel
  • Rui Ma
  • Yuewu Wang
  • Qi Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10327)


Linux containers have recently gained popularity as an operating-system-level virtualization approach for running multiple isolated OS distros on a control host or deploying large-scale microservice-based applications in the cloud environment. The wide adoption of containers as an application deployment platform also attracts attackers’ attention. Since system calls are the entry points for processes trapping into the kernel, the Linux seccomp filter has been integrated into popular container management tools such as Docker to effectively constrain the system calls available to the container. However, Docker lacks a method to obtain and customize the set of necessary system calls for a given application. Moreover, we observe that a number of system calls are only used during the short-term booting phase and can be safely removed from the long-term running phase for a given application container. In this paper, we propose a container security mechanism called SPEAKER that can dramatically reduce the number of available system calls to a given application container by customizing and differentiating its necessary system calls in two different execution phases, namely, the booting phase and the running phase. For a given application container, we first separate its execution into booting phase and running phase and then trace the invoked system calls in these two phases, respectively. Second, we extend the Linux seccomp filter to dynamically update the available system calls when the application moves from the booting phase into the running phase. Our mechanism is non-intrusive to the application running in the container. We evaluate SPEAKER on the popular web server and data store containers from Docker Hub, and the experimental results show that it can successfully reduce the system calls in the running phase by more than 50% and 35% for the data store containers and the web server containers, respectively, with negligible performance overhead.
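The tracing-and-differencing step described above, as an added example in Python (not the authors' implementation): it parses constructed strace-style traces for the two phases, derives the boot-only system calls, and builds a deny-by-default allow-list in Docker's seccomp profile JSON format. The trace contents, function names and the reduction metric are assumptions of this example; Docker applies a seccomp profile once, at container start, so the running-phase profile is shown only as the target allow-list.

```python
import json
import re

# Constructed strace-style samples; the boot/run split is assumed done already
# (this example does not reproduce how SPEAKER locates the phase boundary).
BOOT_TRACE = """\
execve("/usr/sbin/redis-server", ["redis-server"], 0x7ffc) = 0
mmap(NULL, 8192, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1
[pid   12] openat(AT_FDCWD, "/etc/redis.conf", O_RDONLY) = 3
[pid   12] read(3,  <unfinished ...>
[pid   12] <... read resumed>"port 6379", 4096) = 9
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET}, 16) = 0
listen(4, 511) = 0
--- SIGCHLD {si_signo=SIGCHLD} ---
"""
RUN_TRACE = """\
epoll_wait(5, [{EPOLLIN}], 10128, 100) = 1
accept(4, {sa_family=AF_INET}, [16]) = 6
read(6, "PING", 16384) = 4
write(6, "+PONG", 5) = 5
close(6) = 0
+++ exited with 0 +++
"""
_CALL = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")

def parse_syscalls(trace):
    """Syscall names in strace-style text; signal, exit and '<... resumed>' lines never match."""
    return {m.group(1) for m in map(_CALL.match, trace.splitlines()) if m}

def split_phases(boot, run):
    """Partition the traced syscalls into boot-only, run-only and shared sets."""
    return {"boot_only": boot - run, "run_only": run - boot, "shared": boot & run}

def seccomp_profile(allowed):
    """Docker-format seccomp profile: deny by default, allow only the given names."""
    return {"defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}]}

def running_phase_reduction(boot, run):
    """Fraction of all traced syscalls that can be dropped once booting is done."""
    return len(boot - run) / len(boot | run)

if __name__ == "__main__":
    boot, run = parse_syscalls(BOOT_TRACE), parse_syscalls(RUN_TRACE)
    print("drop after boot:", sorted(split_phases(boot, run)["boot_only"]))
    print(json.dumps(seccomp_profile(run), indent=2))
    print(f"reduction: {running_phase_reduction(boot, run):.0%}")
```

An allow-list derived from traces is only as complete as the workload that produced them, so a rarely exercised code path in the running phase will fail with an error under this profile until its system calls are traced and added.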


Keywords: Container; System call; Seccomp



We would like to thank our shepherd Andrea Lanzi and our anonymous reviewers for their valuable comments and suggestions. We would also like to thank Xianchen Meng, Chong Guan, Yue Li, and Shengye Wan for their feedback and advice. This work is partially supported by U.S. ONR grants N00014-16-1-3216 and N00014-16-1-3214, the National Basic Research Program of China under GA No. 2013CB338001 (973 Program), the National Key Research & Development Program of China under GA No. 2016YFB0800102, and a Cisco award.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Lingguang Lei (1, 3)
  • Jianhua Sun (2)
  • Kun Sun (3)
  • Chris Shenefiel (5)
  • Rui Ma (1)
  • Yuewu Wang (1)
  • Qi Li (4)

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. College of William and Mary, Williamsburg, USA
  3. George Mason University, Fairfax, USA
  4. Tsinghua University, Beijing, China
  5. Cisco Systems, Inc., Raleigh, USA
