Prof-gen: Practical Study on System Call Whitelist Generation for Container Attack Surface Reduction

2021 IEEE 14th International Conference on Cloud Computing (CLOUD) (2021)

Citations: 4 | Views: 8
Abstract
Container escape, which exploits vulnerabilities in the shared kernel to break container isolation, is a severe security threat in cloud-native computing. To alleviate the threat, we should allow the minimum number of system calls required by individual containers, but figuring out which system calls an arbitrary container will need is a challenging problem. This paper presents Prof-gen that autom...
Keywords
Cloud computing, Whitelists, Runtime, Image edge detection, Pipelines, Containers, Tools