SysCap: Profiling and Crosschecking Syscall and Capability Configurations for Docker Images

2022 IEEE Conference on Communications and Network Security (CNS) (2022)

Abstract
Due to its advantages of faster start-up speed and better resource utilization efficiency, container technology has been widely adopted for software deployment. However, the benefits of containers come at the cost of weak isolation, because all containers share the underlying OS kernel. To enhance the security of containers, it is critical to customize secure configurations for each specific container, including the system call list and the capability list. However, existing solutions mainly focus on system call profiling, and most of these approaches still demand substantial manual effort to configure and successfully run each container. Moreover, the dependency between capabilities and system calls has not been considered and cross-checked during the profiling process. In this paper, we develop a toolkit named SysCap to automatically customize the required system calls and capabilities for Docker images. SysCap provides a static analyzer tool that constructs a libc-to-syscall mapping by analyzing libc and a syscall-to-capability mapping by analyzing the Linux kernel. When given a Docker image, SysCap parses the image statically to obtain the binary-level called functions in the target layer and then looks them up in the libc-to-syscall mapping to obtain the required system calls. Next, SysCap looks up the obtained system calls in the syscall-to-capability mapping to obtain the required capabilities. Thus, SysCap can customize a secure configuration of system calls and capabilities for a given Docker image. We test SysCap on the top 193 Docker images from Dockerhub, and the experimental results show that SysCap works on all images and can reduce the attack surface effectively.
Keywords
syscall profiling, capability profiling, container security
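
The two-stage lookup the abstract describes (called functions to system calls, then system calls to capabilities), sketched as an added example that is not SysCap's code. The mapping tables are small constructed excerpts, and `crosscheck` is an assumed form of the syscall/capability consistency check, which the abstract does not detail.

```python
import json

# Constructed, simplified excerpts of the two mappings (not SysCap's data).
LIBC_TO_SYSCALL = {
    "fopen": {"openat"}, "fread": {"read"}, "fwrite": {"write"},
    "chown": {"chown"}, "socket": {"socket"}, "bind": {"bind"},
    "setuid": {"setuid"},
}
SYSCALL_TO_CAP = {
    "chown": {"CAP_CHOWN"},
    "bind": {"CAP_NET_BIND_SERVICE"},  # only for ports below 1024; static lookup over-approximates
    "setuid": {"CAP_SETUID"},
    "mount": {"CAP_SYS_ADMIN"},
}

def profile(called_functions):
    """Called functions -> required syscalls -> required capabilities."""
    # Functions absent from the mapping are reported, not silently dropped:
    # under a deny-by-default profile a missed syscall breaks the container.
    unknown = sorted(f for f in set(called_functions) if f not in LIBC_TO_SYSCALL)
    syscalls = set().union(*(LIBC_TO_SYSCALL.get(f, set()) for f in called_functions))
    caps = set().union(*(SYSCALL_TO_CAP.get(s, set()) for s in syscalls))
    return sorted(syscalls), sorted(caps), unknown

def crosscheck(allowed_syscalls, granted_caps):
    """Return (capabilities no allowed syscall needs, syscalls lacking a capability)."""
    granted = set(granted_caps)
    needed = set().union(*(SYSCALL_TO_CAP.get(s, set()) for s in allowed_syscalls))
    missing = {}
    for s in allowed_syscalls:
        gap = SYSCALL_TO_CAP.get(s, set()) - granted
        if gap:
            missing[s] = sorted(gap)
    return sorted(granted - needed), missing

def docker_config(syscalls, caps):
    """Emit a deny-by-default seccomp profile and the matching capability flags."""
    seccomp = {"defaultAction": "SCMP_ACT_ERRNO",
               "syscalls": [{"names": syscalls, "action": "SCMP_ACT_ALLOW"}]}
    return json.dumps(seccomp, indent=2), ["--cap-drop=ALL"] + [f"--cap-add={c}" for c in caps]

if __name__ == "__main__":
    called = ["fopen", "fread", "chown", "socket", "bind"]  # constructed input
    syscalls, caps, unknown = profile(called)
    seccomp_json, cap_args = docker_config(syscalls, caps)
    print(seccomp_json, cap_args, unknown, sep="\n")
    print(crosscheck(["chown", "read"], ["CAP_CHOWN", "CAP_SYS_ADMIN"]))
```

The JSON is in the format accepted by `docker run --security-opt seccomp=<file>`; with a mapping this small, the profile is for reading rather than for starting a container.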