Monitoring containerized environments for security state error detection

Project

Project Details

Program
Computer Science
Field of Study
Operating Systems, Security, Containers
Division
Computer, Electrical and Mathematical Sciences and Engineering
Center Affiliation
Resilient Computing and Cybersecurity Center

Project Description

Operating System (OS) virtualization, also known as container-based virtualization, has gained momentum over the past few years thanks to its lightweight nature and support for agility. However, these features come at the price of weaker isolation than traditional host-based virtualization techniques, exposing workloads to various threats, such as container escape. In such threats, compromised or rogue containers might exploit existing vulnerabilities or poor container deployment choices to inject security state errors (e.g., breaking out of the namespace isolation mechanisms and running as root at the host level). To detect those security state errors effectively, we would like to monitor containers at the system call level, since system calls accurately map processes to their activities. Hence, the first objective of this project is to study and compare existing monitoring tools (generic ones such as strace, or container-specific ones such as sysdig) and select the most suitable one according to a set of criteria (e.g., resource consumption, offered monitoring options). Second, the chosen monitoring tool will be instrumented for different scenarios (benign and anomalous settings) to generate relevant datasets capturing the behavior of containers with respect to a set of planned (malicious and benign) activities within a time window. The datasets will subsequently be vetted to extract the critical system calls and execution paths that need attention in the runtime detection process.
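The vetting step described above can be sketched as a baseline comparison over strace output. This is an added example, not code from the project: the trace lines are constructed, the function names are hypothetical, and treating an "execution path" as a per-process window of n consecutive system calls is an assumption.

```python
import re

# Constructed `strace -f -o` style samples (PID prefix), not captured from a real system.
BENIGN = """\
101 openat(AT_FDCWD, "/app/app.py", O_RDONLY) = 3
101 read(3, "import os", 4096) = 9
101 close(3) = 0
101 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
101 bind(4, {sa_family=AF_INET, sin_port=htons(8080)}, 16) = 0
101 listen(4, 128) = 0
101 accept4(4,  <unfinished ...>
102 openat(AT_FDCWD, "/app/cfg", O_RDONLY) = 3
102 read(3, "", 4096) = 0
102 close(3) = 0
101 <... accept4 resumed>NULL, NULL, 0) = 5
101 +++ exited with 0 +++
"""
ANOMALOUS = """\
201 openat(AT_FDCWD, "/app/cfg", O_RDONLY) = 3
201 read(3, "", 4096) = 0
201 close(3) = 0
201 openat(AT_FDCWD, "/proc/1/ns/mnt", O_RDONLY) = 3
201 setns(3, CLONE_NEWNS) = 0
201 close(3) = 0
201 +++ exited with 0 +++
"""

# Only "PID name(" lines match; "<... x resumed>", signal and exit lines do not.
CALL = re.compile(r"^(\d+)\s+([a-z_][a-z0-9_]*)\(")

def per_process_calls(trace):
    """Return {pid: [syscall, ...]} in call order; a split call is counted once."""
    seqs = {}
    for line in trace.splitlines():
        m = CALL.match(line)
        if m:
            seqs.setdefault(m.group(1), []).append(m.group(2))
    return seqs

def ngrams(seqs, n):
    """All length-n windows of consecutive syscalls within a single process."""
    return {tuple(s[i:i + n]) for s in seqs.values() for i in range(len(s) - n + 1)}

def unseen_in_baseline(benign, anomalous, n=3):
    """Syscalls and length-n execution paths present only in the anomalous run."""
    b, a = per_process_calls(benign), per_process_calls(anomalous)
    new_calls = sorted(c[0] for c in ngrams(a, 1) - ngrams(b, 1))
    return new_calls, sorted(ngrams(a, n) - ngrams(b, n))
```

Sequences are kept per PID because `strace -f` interleaves the calls of different processes, and windows that span two processes would not correspond to any real execution path.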

About the Researcher

Paulo Esteves-Verissimo
Professor, Computer Science
Computer, Electrical and Mathematical Science and Engineering Division

Affiliations

Education Profile

  • Ph.D., Electrical and Computer Engineering, University of Lisbon (PT), 1990
  • MSc, Electrical and Computer Engineering, University of Lisbon IST (PT), 1984
  • Lic., Electrical Engineering, University of Lisbon IST (PT), 1978

Research Interests

Professor Esteves-Veríssimo is currently interested in architectures, middleware and algorithms for resilient modular and distributed computing. It is increasingly believed that Resilient Computing will become the main paradigm for achieving secure and dependable operation of computer systems and networks in the near future, improving classic Cybersecurity techniques. This is due to important intrinsic characteristics of this B.o.K., such as: common approach to accidental and malicious faults/attacks; incremental and adaptive protection against polymorphic threat surfaces; elasticity, plasticity and sustainability. To this end, he investigates such paradigms and techniques reconciling security and dependability, as well as novel ways to apply them in order to achieve system resilience, in areas like: autonomous vehicles from earth to space; distributed control systems; digital health and genomics; SDN-based infrastructures; or blockchain and cryptocurrencies. His research is published in over 200 peer-refereed international publications and 5 international books. He was also invited to present it in more than 70 keynote speeches or distinguished lectures at reputed venues. Esteves-Veríssimo also has a solid systems and engineering track record, having contributed to the design and engineering of several advanced industrial prototypes of distributed, fault-tolerant, secure or real-time systems, emerging from R&D projects he took part in.

Selected Publications

  • Jiangshan Yu, David Kozhaya, Jérémie Decouchant, Paulo Esteves-Veríssimo. RepuCoin: Your Reputation is Your Power (2019). In IEEE Trans. on Computers, 68(8), 1225-1237.
  • Kreutz, Diego; Ramos, F. M. V.; Verissimo, Paulo; Rothenberg, C. E.; Azodolmolky, S.; Uhlig, S. "Software-Defined Networking: A Comprehensive Survey", in Proceedings of the IEEE (2015), 103(1), 14-76.
  • Giuliana Veronese, Miguel Correia, Alysson Bessani, Lau Lung, Paulo Verissimo, "Efficient Byzantine Fault-Tolerance", IEEE Trans. on Computers, vol. 62, no. 1, Jan. 2013.
  • Paulo Sousa, Alysson Bessani, Miguel Correia, Nuno Ferreira Neves, Paulo Veríssimo. Highly Available Intrusion-Tolerant Services with Proactive-Reactive Recovery. IEEE Trans. on Parallel and Distributed Systems. Apr. 2010.
  • Veríssimo, P., Casimiro, A.: The timely computing base model and architecture. IEEE Trans. on Computers, Special Issue on Asynchronous Real-Time Distr. Systems (2002).
  • D. Powell, D. Seaton, G. Bonn, P. Veríssimo, and F. Waeselynk. The Delta-4 approach to dependability in open distributed computing systems. In N. Suri, C. Walter, and M. Hugue, editors, Adv. in Ultra-Dependable Distr. Sys. IEEE Computer Society, 1995.

Desired Project Deliverables

Put in place and document an efficient container monitoring mechanism that will be used subsequently in conjunction with an error detection artifact to uncover erroneous security states in Docker-based containerized environments. Using the established monitoring mechanism, the student will run a set of planned container activities and build datasets that will be used for system call and execution path analysis.

Recommended Student Background

Operating Systems
Security
Linux
C/C++, Python