BEACON: Automatic Container Policy Generation using Environment-aware Dynamic Analysis

Haney Kang, Eduard Marin, Myoungsung You, Diego Perino, Seungwon Shin, Jinwoo Kim

TL;DR

BeaCon tackles container kernel attack surfaces by automatically generating minimal Seccomp and Capabilities policies using environment-aware dynamic analysis. It emulates diverse runtime environments, uses heuristics to efficiently explore configuration spaces, and collects system events with an eBPF-based monitor to synthesize intention-aware policies. The approach balances security and functionality via CVSS-informed security scores and environment-driven runtime coverage, achieving stronger mitigation of known vulnerabilities than static analyses with modest monitoring overhead. Evaluations on 167 official Docker images show BeaCon uncovers additional syscalls under varied environments and substantially reduces attack surfaces against CVEs while preserving container availability.

Abstract

This paper introduces BeaCon, a novel tool for the automated generation of adjustable container security policies. Unlike prior approaches, BeaCon leverages dynamic analysis to simulate realistic environments, uncovering container execution paths that may remain hidden during the profiling phase. To address the challenge of exploring vast profiling spaces, we employ efficient heuristics to reveal additional system events with minimal effort. In addition, BeaCon incorporates a security and functionality scoring mechanism to prioritize system calls and capabilities based on their impact on the host OS kernel's security and the functionality of containerized applications. By integrating these scores, BeaCon achieves a customized balance between security and functionality, enabling cloud providers to enforce security measures while maintaining tenant availability. We implemented a prototype of BeaCon using eBPF kernel technology and conducted extensive evaluations. Results from the top 15 containers, those that showed significant improvements, demonstrate that BeaCon identifies an average of 16.5% additional syscalls when diverse environments are applied. Furthermore, we evaluated its effectiveness in mitigating risks associated with 45 known vulnerabilities (e.g., CVEs), showcasing its potential to significantly enhance container security. Additionally, we performed proof-of-concept demonstrations for two well-known security vulnerabilities, showing that BeaCon successfully reduces the attack surface by blocking these exploits.

Paper Structure

This paper contains 22 sections, 2 equations, 10 figures, 6 tables, and 1 algorithm.

Figures (10)

  • Figure 1: Architecture of BeaCon.
  • Figure 2: Container event monitoring architecture in BeaCon. System calls are intercepted using sys_enter with Tracepoints, and capabilities are captured using cap_capable with Kprobes.
  • Figure 3: The number of syscalls observed without Docker options applied (baseline) compared to those recorded when all tested options are enabled using BeaCon.
  • Figure 4: The number of syscalls observed without a workload (baseline) compared to those recorded under workloads generated by BeaCon.
  • Figure 5: Policy size under tunable specifications. Spec. 1 (vertically striped bars) aims to minimize container failures with a security score of 0 and a functionality score of 1. In contrast, Spec. 3 (horizontally striped bars) prioritizes stricter security policies, reflected in its security score of 0.7, while its functionality score is 0.25. Spec. 2 (spotted bars) targets balanced functionality and security (0.5, 0.5).
  • ...and 5 more figures
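As an added example (not BeaCon's code, which is not on this page), the following Python script takes the kind of events the monitor in Figure 2 produces, syscall names from sys_enter tracepoints and capability numbers from cap_capable kprobes, each tagged with the profiling environment it was observed in, and turns them into a Docker-loadable seccomp allow-list plus a --cap-drop/--cap-add set. The event sample, the environment labels and the partial capability-number table are constructed for the example; the synthesis step is a plain union over environments, not the paper's score-weighted selection, whose equations are not reproduced on this page.

```python
"""Synthesize a Docker seccomp profile and a capability allow-list from
container events gathered across several profiling environments.
Added example illustrating the pipeline described in the TL;DR; not
the paper's own code."""
import json
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, object]  # (environment, "syscall" | "cap", name or cap number)

# Subset of the kernel's capability numbering (include/uapi/linux/capability.h).
# A cap_capable kprobe reports the number, so names have to be looked up.
CAP_NAMES = {
    0: "CHOWN", 1: "DAC_OVERRIDE", 3: "FOWNER", 4: "FSETID", 5: "KILL",
    6: "SETGID", 7: "SETUID", 8: "SETPCAP", 10: "NET_BIND_SERVICE",
    13: "NET_RAW", 18: "SYS_CHROOT", 21: "SYS_ADMIN", 27: "MKNOD",
    29: "AUDIT_WRITE", 31: "SETFCAP",
}

# Constructed sample of what an eBPF monitor would emit for one image run
# under three environments: the image with default options ("baseline"),
# the same image started with a Docker option, and a generated workload.
SAMPLE_EVENTS: List[Event] = [
    ("baseline", "syscall", "execve"), ("baseline", "syscall", "read"),
    ("baseline", "syscall", "write"), ("baseline", "syscall", "openat"),
    ("baseline", "syscall", "mmap"), ("baseline", "syscall", "exit_group"),
    ("baseline", "cap", 0),            # CAP_CHOWN while fixing up a data dir
    ("baseline", "cap", 7),            # CAP_SETUID dropping to the service user
    ("opt:--user=1000", "syscall", "execve"), ("opt:--user=1000", "syscall", "read"),
    ("opt:--user=1000", "syscall", "write"), ("opt:--user=1000", "syscall", "getuid"),
    ("workload:http", "syscall", "socket"), ("workload:http", "syscall", "bind"),
    ("workload:http", "syscall", "accept4"), ("workload:http", "syscall", "epoll_wait"),
    ("workload:http", "cap", 10),      # CAP_NET_BIND_SERVICE for port 80
]


def collect(events: List[Event]) -> Dict[str, Dict[str, Set]]:
    """Group observed syscall names and capability numbers per environment."""
    per_env: Dict[str, Dict[str, Set]] = {}
    for env, kind, name in events:
        if kind not in ("syscall", "cap"):
            raise ValueError(f"unknown event kind {kind!r}")
        per_env.setdefault(env, {"syscall": set(), "cap": set()})[kind].add(name)
    return per_env


def union_syscalls(per_env: Dict[str, Dict[str, Set]]) -> Set[str]:
    """Every syscall seen in any environment: the allow-list candidates."""
    return set().union(*(e["syscall"] for e in per_env.values()))


def union_caps(per_env: Dict[str, Dict[str, Set]]) -> Set[int]:
    """Every capability checked in any environment."""
    return set().union(*(e["cap"] for e in per_env.values()))


def syscalls_added_by_environments(per_env, baseline: str = "baseline") -> List[str]:
    """Syscalls that only appear outside the baseline run (cf. Figures 3 and 4):
    exactly the calls a profile built from the default run alone would deny."""
    base = per_env.get(baseline, {"syscall": set()})["syscall"]
    return sorted(union_syscalls(per_env) - base)


def build_seccomp_profile(syscalls, arches=("SCMP_ARCH_X86_64",)) -> dict:
    """Docker-loadable allow-list: anything not observed is refused with
    SCMP_ACT_ERRNO (the call fails with EPERM rather than killing the task)."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": list(arches),
        "syscalls": [{"names": sorted(syscalls), "action": "SCMP_ACT_ALLOW"}],
    }


def cap_flags(cap_numbers) -> List[str]:
    """docker run flags: drop everything, then add back only what was observed."""
    names = []
    for n in cap_numbers:
        if n not in CAP_NAMES:
            raise KeyError(f"capability {n} missing from CAP_NAMES; extend the table")
        names.append(CAP_NAMES[n])
    return ["--cap-drop=ALL"] + [f"--cap-add={n}" for n in sorted(names)]


if __name__ == "__main__":
    per_env = collect(SAMPLE_EVENTS)
    print("syscalls found only under non-baseline environments:",
          syscalls_added_by_environments(per_env))
    print(json.dumps(build_seccomp_profile(union_syscalls(per_env)), indent=2))
    print("docker run", " ".join(cap_flags(union_caps(per_env))), "...")
```

The profile is loaded with `docker run --security-opt seccomp=profile.json`. The practical point of the paper sits in `syscalls_added_by_environments`: calls reached only under a non-default option or a realistic workload never show up in a default-options run, and a profile built from that run alone makes them fail with EPERM the moment it is enforced. The allow-list is therefore only as complete as the environments profiled, so any new option or workload path calls for re-profiling before the policy goes live.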