Mining sandboxes for linux containers

Zhiyuan Wan, David Lo, Xin Xia, Liang Cai, Shanping Li

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

13 Citations (Scopus)


A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quotas. Attacks against containers often leverage kernel exploits through the system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls invoked during testing. This set of system calls then serves as the sandbox for the container. The mined sandbox denies the container access to system calls that were not seen during testing and thus reduces the attack surface. In our experiment, the approach requires less than eleven minutes to mine a sandbox for each of the containers. Enforcing the mined sandboxes does not impact the regular functionality of a container and incurs low performance overhead.
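To make the mining step concrete, the following added example (not the authors' tool, and not code from the paper) takes a constructed `strace -f` style trace of a container's processes, extracts the set of system call names that were exercised, and emits a Docker-style seccomp profile that allows exactly that set and returns an error for everything else. The trace content, the process ids and the nginx-like workload are all constructed for illustration; the profile keys (`defaultAction`, `architectures`, `syscalls`, `SCMP_ACT_*`) follow the seccomp profile format that Docker consumes.

```python
import json
import re

# Constructed sample of `strace -f` output standing in for the trace that
# automatic testing of a container would produce.  Includes the awkward
# forms a real trace contains: per-pid prefixes, an "<unfinished ...>" call
# that is later "resumed", a signal line and an exit line.
SAMPLE_TRACE = """\
[pid  1001] execve("/usr/bin/nginx", ["nginx"], 0x7ffc... /* 12 vars */) = 0
[pid  1001] brk(NULL)                   = 0x55d0c0a00000
[pid  1001] openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
[pid  1001] read(3, "worker_processes 1;\\n", 4096) = 20
[pid  1001] close(3)                    = 0
[pid  1001] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  1001] bind(4, {sa_family=AF_INET, sin_port=htons(80), ...}, 16) = 0
[pid  1001] listen(4, 511)              = 0
[pid  1001] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1002
[pid  1002] accept4(4,  <unfinished ...>
[pid  1001] rt_sigaction(SIGCHLD, {...}, NULL, 8) = 0
[pid  1002] <... accept4 resumed>{sa_family=AF_INET, ...}, [16], 0) = 5
[pid  1002] recvfrom(5, "GET / HTTP/1.1\\r\\n", 1024, 0, NULL, NULL) = 16
[pid  1002] write(5, "HTTP/1.1 200 OK\\r\\n", 17) = 17
[pid  1002] close(5)                    = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1002} ---
+++ exited with 0 +++
"""

# A trace line is either "name(" at the start of the call, or
# "<... name resumed>" when strace finishes a call it had interrupted.
# The optional "[pid N]" prefix appears when strace runs with -f.
_CALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?(?:<\.\.\.\s+(\w+)\s+resumed>|(\w+)\()"
)


def mine_syscalls(trace: str) -> set[str]:
    """Return the set of system call names observed in an strace-style trace.

    Signal notifications ("--- SIG... ---") and exit markers ("+++ exited")
    match neither branch of the regex and are skipped.  A call that appears
    both as "<unfinished ...>" and "<... resumed>" is counted once.
    """
    seen: set[str] = set()
    for line in trace.splitlines():
        m = _CALL_RE.match(line)
        if m:
            seen.add(m.group(1) or m.group(2))
    return seen


def build_seccomp_profile(syscalls: set[str], arch: str = "SCMP_ARCH_X86_64") -> dict:
    """Build a default-deny seccomp profile that allows only the mined calls.

    SCMP_ACT_ERRNO makes a blocked call fail with an error rather than
    killing the process, which keeps the failure visible in the
    application's own logs when the mined set turns out to be incomplete.
    """
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": sorted(syscalls), "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(profile: dict, syscall: str) -> bool:
    """Check how the profile would treat a syscall: allowed only if listed."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW":
            return True
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


if __name__ == "__main__":
    mined = mine_syscalls(SAMPLE_TRACE)
    profile = build_seccomp_profile(mined)
    # This JSON is what you would pass to `docker run --security-opt seccomp=<file>`.
    print(json.dumps(profile, indent=2))
    print("ptrace allowed:", is_allowed(profile, "ptrace"))
```

The profile is only as good as the coverage of the testing that produced the trace: a call the workload makes only on a path the tests never reached (an error handler, a rarely used configuration option) will be denied in production, which is exactly the functionality risk the abstract says the authors measured. Testing the profile against the same workload before enforcing it, and watching for `EPERM`-style failures in the application's logs, is the practical check.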

Original language: English
Title of host publication: Proceedings - 10th International Conference on Software Testing, Verification and Validation, ICST 2017
Subtitle of host publication: 13–17 March, Tokyo, Japan
Editors: Atif Memon, Yasuharu Nishi, Ina Schieferdecker, Hironori Washizaki
Place of publication: Piscataway NJ USA
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Number of pages: 11
ISBN (Electronic): 9781509060313, 9781509060320
Publication status: Published - 2017
Externally published: Yes
Event: International Conference on Software Testing, Verification and Validation 2017 - Tokyo, Japan
Duration: 13 Mar 2017 to 17 Mar 2017
Conference number: 10th


Conference: International Conference on Software Testing, Verification and Validation 2017
Abbreviated title: ICST 2017