Lost along the Way: Understanding and Mitigating Path-Misresolution Threats to Container Isolation

Cited by: 3
Authors
Li, Zhi [1 ,4 ]
Liu, Weijie [2 ]
Wang, XiaoFeng [3 ]
Yuan, Bin [1 ,4 ]
Tian, Hongliang [2 ]
Jin, Hai [1 ,5 ]
Yan, Shoumeng [2 ]
Affiliations
[1] Huazhong Univ Sci & Technol, Wuhan, Peoples R China
[2] Ant Grp, Beijing, Peoples R China
[3] Indiana Univ, Bloomington, IN USA
[4] Huazhong Univ Sci & Technol, Sch Cyber Sci & Engn,Jinyinhu Lab, Hubei Key Lab Distributed Syst Secur,Serv Comp Te, Hubei Engn Res Ctr Big Data Secur,Natl Engi Res, Wuhan 430074, Peoples R China
[5] Huazhong Univ Sci & Technol, Sch Comp Sci & Technol, Natl Engn Res Ctr Big Data Technol & Syst, Serv Comp Technol & Syst Lab,Cluster & Grid Comp, Wuhan 430074, Peoples R China
Funding
National Natural Science Foundation of China;
Keywords
cloud native technology; OS-level virtualization; container security;
DOI
10.1145/3576915.3623154
CLC number
TP18 [Artificial intelligence theory];
Discipline classification codes
081104 ; 0812 ; 0835 ; 1405 ;
Abstract
Filesystem isolation enforced by today's container technology has been found to be less effective in the presence of host-container interactions increasingly utilized by container tools. This weakened isolation has led to a type of path misresolution (Pamir) vulnerabilities, which have been considered to be highly risky and continuously reported over the years. In this paper, we present the first systematic study on the Pamir risk and the existing fixes to related vulnerabilities. Our research reveals that in spite of significant efforts being made to patch vulnerable container tools and address the risk, the Pamir vulnerabilities continue to be discovered, including a new vulnerability (CVE-2023-0778) we rediscovered from patched software. A key insight of our study is that the Pamir risk is inherently hard to prevent at the level of container tools, due to their heavy reliance on third-party components. While security inspections should be applied to all components to mediate host-container interactions, third-party component developers tend to believe that container tools should perform security checks before invoking their components, and are therefore reluctant to patch their code with the container-specific protection. Moreover, due to the large number of components today's container tools depend on, re-implementing all of them is impractical. Our study shows that kernel-based filesystem isolation is the only way to ensure isolation is always in place during host-container interactions. In our research, we design and implement the first such approach that extends the filesystem isolation to dentry objects, by enforcing access control on host-container interactions through the filesystem.
Our design addresses the fundamental limitation of one-way isolation characterizing today's containers, uses carefully-designed policies to ensure accurate and comprehensive interaction control, and implants the protection into the right kernel location to minimize the performance impact. We verify our approach using model checking, which demonstrates its effectiveness in eliminating the Pamir risk. Our evaluation further shows that our approach incurs negligible overheads, vastly outperforming all existing Pamir patches, and maintains compatibility with all mainstream container tools. We have released our code and filed a request to incorporate our technique into the Linux kernel.
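Added illustration, not code from the paper or from this record. The abstract does not spell out the mechanism behind a path-misresolution bug, so this Python example assumes the classic form: a container tool joins a guest path onto the container's rootfs directory on the host and lets the kernel resolve symlinks, so an absolute symlink inside the image is followed against the host's root instead of the rootfs. `naive_host_path` shows that behaviour; `confined_host_path` is a hypothetical tool-level check that re-roots every symlink and every `..` inside the rootfs, the kind of inspection the abstract says each component handling host-container interactions would need. The rootfs layout, the two hostile symlinks and the file names are constructed for the demo.

```python
import errno
import os
import tempfile


def naive_host_path(rootfs, container_path):
    """The misresolution pattern: join the guest path onto the rootfs
    directory and let the kernel follow symlinks.  An absolute symlink
    inside the image is resolved against the HOST root, not the rootfs."""
    return os.path.realpath(os.path.join(rootfs, container_path.lstrip("/")))


def confined_host_path(rootfs, container_path, max_links=40):
    """Hypothetical tool-level check: walk the guest path one component at
    a time, re-root absolute symlinks at rootfs, resolve relative symlinks
    against the directory that contains them, and never let '..' climb
    above rootfs.  Returns the host path the guest path actually denotes."""
    root = os.path.realpath(rootfs)
    pending = [p for p in container_path.split("/") if p and p != "."]
    resolved = []  # symlink-free components below root
    links_followed = 0
    while pending:
        name = pending.pop(0)
        if name == "..":
            if resolved:
                resolved.pop()
            continue  # '..' at the root stays at the root
        candidate = os.path.join(root, *resolved, name)
        if os.path.islink(candidate):
            links_followed += 1
            if links_followed > max_links:
                raise OSError(errno.ELOOP, "too many symbolic links", candidate)
            target = os.readlink(candidate)
            if target.startswith("/"):
                resolved = []  # absolute link: re-root at rootfs, not host '/'
            pending = [p for p in target.split("/") if p and p != "."] + pending
            continue
        resolved.append(name)
    return os.path.join(root, *resolved)


def _inside(root, path):
    return path == root or path.startswith(root + os.sep)


def demo():
    """Build a constructed rootfs holding two hostile symlinks and compare
    the two resolvers.  Returns plain values so the outcome can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs = os.path.join(tmp, "rootfs")
        os.makedirs(os.path.join(rootfs, "etc"))
        os.makedirs(os.path.join(rootfs, "usr"))
        with open(os.path.join(rootfs, "etc", "hostname"), "w") as f:
            f.write("ctr\n")
        # Constructed malicious image content: an absolute link to '/' and a
        # relative link that climbs out of the rootfs with '..'.
        os.symlink("/", os.path.join(rootfs, "escape"))
        os.symlink("../../../etc", os.path.join(rootfs, "usr", "cfg"))
        root = os.path.realpath(rootfs)

        naive_abs = naive_host_path(rootfs, "/escape/etc/passwd")
        safe_abs = confined_host_path(rootfs, "/escape/etc/passwd")
        naive_rel = naive_host_path(rootfs, "/usr/cfg/hostname")
        safe_rel = confined_host_path(rootfs, "/usr/cfg/hostname")
        naive_dotdot = naive_host_path(rootfs, "/../../etc/hostname")
        safe_dotdot = confined_host_path(rootfs, "/../../etc/hostname")

        return {
            "naive_abs_escapes": not _inside(root, naive_abs),
            "confined_abs_rel": os.path.relpath(safe_abs, root),
            "naive_rel_escapes": not _inside(root, naive_rel),
            "confined_rel_rel": os.path.relpath(safe_rel, root),
            "naive_dotdot_escapes": not _inside(root, naive_dotdot),
            "confined_dotdot_rel": os.path.relpath(safe_dotdot, root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Each naive resolution lands outside the rootfs (on the host's `/etc/passwd`, or in a directory above the rootfs), while the confined resolver maps the same guest paths to `etc/passwd` and `etc/hostname` inside the rootfs. This is a user-space check living in one tool; the abstract's argument is that every third-party component a container tool calls would need the same check, which is why the paper moves the enforcement into the kernel instead.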
Pages: 3063 / 3077
Page count: 15