Monitoring containerized environments for security state error detection

Overview

Operating System (OS) virtualization, also known as container-based virtualization, has gained momentum over the past few years thanks to its lightweight nature and support for agility. However, its compelling features come at the price of a reduced isolation level compared to traditional host-based virtualization techniques, exposing workloads to various threats, such as container escape. In such threats, compromised or rogue containers might exploit existing vulnerabilities or poor container deployment choices to successfully inject security state errors (e.g., breaking out of the namespace isolation mechanisms and running as root at the host level). To effectively detect those security state errors, we would like to monitor containers at the system call level, since system calls accurately map processes to their activities. Hence, the objective of this project is firstly to study and compare existing monitoring tools (generic ones such as strace, or container-specific ones such as sysdig) and select the most suitable one according to a set of criteria (e.g., resource consumption, offered monitoring options). Secondly, the chosen monitoring tool will be instrumented for different scenarios (benign and anomalous settings) to generate relevant datasets capturing the behavior of containers with respect to a set of planned (malicious and benign) activities within a time window. The datasets will subsequently be vetted to extract the critical system calls and execution paths that need to receive attention in the runtime detection process.

Expected deliverables

Put in place and document an efficient container monitoring mechanism that will be used subsequently in conjunction with an error detection artifact to uncover erroneous security states in Docker-based containerized environments. Using the established monitoring mechanism, the student will run a set of planned container activities and build datasets that will be used for system call and execution path analysis.
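As an added illustration of the dataset-vetting step described in the overview and the deliverables (not code from the project or its supervisors), the following script parses constructed `strace -f -ttt -o` style output, builds a per-window profile of system call frequencies and per-process call transitions (a simple proxy for execution paths), and reports which calls and transitions in a later window were never observed in the benign baseline window. The trace lines, PIDs and timestamps are constructed for the example.

```python
import re
from collections import Counter

# Line format of `strace -f -ttt -o trace.log`: "<pid> <unix time> <syscall>(<args>) = <ret>".
# Split events ("<unfinished ...>" / "resumed>") and "+++ exited +++" markers do not match and are skipped.
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<ts>\d+\.\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|\?)")

# Constructed sample: one container process (pid 101) in a benign window, then later activity
# from the same process and a second process (pid 202) in the window under analysis.
SAMPLE_TRACE = """\
101 1700000000.100 openat(AT_FDCWD, "/app/config.yml", O_RDONLY) = 3
101 1700000000.101 read(3, "listen: 8080\\n", 4096) = 13
101 1700000000.102 close(3) = 0
101 1700000000.103 write(1, "ready\\n", 6) = 6
101 1700000000.104 futex(0x7f3a1c0010a0, FUTEX_WAIT, 0, NULL <unfinished ...>
101 1700000000.200 write(1, "ready\\n", 6) = 6
101 1700000000.201 openat(AT_FDCWD, "/app/config.yml", O_RDONLY) = 3
202 1700000000.300 setns(4, CLONE_NEWPID) = 0
202 1700000000.301 setuid(0) = 0
"""

def parse_trace(text):
    """Return (pid, timestamp, syscall, ret) tuples for complete events, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["pid"]), float(m["ts"]), m["name"], m["ret"]))
    return events

def profile(events, t_start, t_end):
    """Syscall counts and per-process transitions (prev -> next) for events with t_start <= ts < t_end."""
    counts, transitions, last = Counter(), set(), {}
    for pid, ts, name, _ in events:
        if not (t_start <= ts < t_end):
            continue
        counts[name] += 1
        if pid in last:                     # transitions are tracked per process, not globally
            transitions.add((last[pid], name))
        last[pid] = name
    return counts, transitions

def find_deviations(baseline, observed):
    """Syscalls absent from the baseline, plus new orderings of syscalls the baseline did contain."""
    b_counts, b_trans = baseline
    o_counts, o_trans = observed
    new_calls = sorted(set(o_counts) - set(b_counts))
    new_paths = sorted(t for t in o_trans - b_trans if t[0] in b_counts and t[1] in b_counts)
    return new_calls, new_paths

def run_demo():
    events = parse_trace(SAMPLE_TRACE)
    baseline = profile(events, 1700000000.0, 1700000000.15)   # benign window
    observed = profile(events, 1700000000.15, 1700000001.0)   # window under analysis
    return find_deviations(baseline, observed)
```

Calls flagged this way (here `setns` and `setuid`) and unusual orderings of otherwise normal calls are the candidates the overview says should receive attention in runtime detection; a real dataset would also need the container identity per PID, which this parser does not recover.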

Questions and Answers

Where to find answers to Frequently Asked Questions about applying to VSRP?

Visit the Frequently Asked Questions page on the VSRP site.

Contacts

Supervisors

Biography

Paulo Esteves-Veríssimo is a professor in the Computer Science (CS) program at KAUST. Previously, he was a professor and FNR PEARL Chair at the University of Luxembourg's (Uni.lu) Faculty of Science, Technology and Medicine (FSTM). He also led the CritiX Research Lab at the SnT Centre at Uni.lu, which achieved world-class results and established enduring research capacity in resilient computing, cybersecurity, and dependability.

He has also been a professor and a board member of the University of Lisbon (ULisboa), Portugal. At ULisboa, he created the Navigators research group and was the founding director of Laboratório de Sistemas Informáticos de Grande Escala (LaSIGE). From its founding in 1998, the computer science and engineering lab LaSIGE has carried out research in leading-edge areas backed by key indicators of excellence.

He was UNILU-SnT’s representative at the European Cyber Security Organization (ESCO) and member of its Scientific & Technical Committee (STC). He served as Chair of the IFIP WG 10.4 on Dependable Computing and Fault-Tolerance and vice-chair of the Steering Committee of the IEEE/IFIP DSN conference. He is a Fellow of the IEEE, a Fellow of the ACM and an associate editor of IEEE Transactions on Emerging Topics in Computing (TETC).

Research Interests

Professor Esteves-Veríssimo is interested in architectures, middleware and algorithms for resilient modular and distributed computing. In addition to examining paradigms and techniques that reconcile security and dependability, he also explores novel applications of these paradigms and techniques. By doing so, he achieves system resilience in areas such as autonomous vehicles, distributed control systems, digital health and genomics, and blockchain and cryptocurrency.

Dr. Esteves-Veríssimo’s research has featured in over 200 peer-reviewed international publications and five international books. He has delivered over 70 keynote speeches and distinguished lectures at reputable venues. As a systems and engineering specialist, he has contributed to designing and engineering several advanced industrial prototypes of distributed, fault-tolerant, secure or real-time systems developed through research and development.

Education
PhD (Dr. rer. nat.)
Electrical and Computer Engineering, University of Lisbon, Portugal, 1990
Master
Electrical and Computer Engineering, University of Lisbon, Portugal, 1984
Licentiate (Lic.)
Electrical Engineering, University of Lisbon, Portugal, 1978