
Attackers as Instructors: Using Container Isolation to Reduce Risk and Understand Vulnerabilities

Conference paper. Published in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13959)


Abstract

To achieve economies of scale, popular Internet destinations concurrently serve hundreds or thousands of users on shared physical infrastructure. This resource sharing enables attacks that misuse permissions and affect other users. Our work uses containerization to create “single-use servers” that are dynamically instantiated and tailored to each user’s permissions. This isolates users from one another and eliminates attacker persistence. Further, it simplifies analysis: because each container serves a single user, its logs can be fused to help defenders localize the vulnerabilities associated with security incidents. We thus mitigate attacks and convert them into debugging traces that aid remediation. We evaluate the approach on three systems, including the popular WordPress content management system. It eliminates attacker persistence, propagation, and permission misuse. It has low CPU and latency costs, and its memory consumption grows linearly with the number of concurrent users, a cost we reduce with a customized page merging technique.



Acknowledgements

This material is based upon work supported by the National Science Foundation under Grant No. 1814402 and 1814234.

Corresponding author: Yunsen Lei.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Lei, Y., Lanson, J.P., Shue, C.A., Wood, T.W. (2023). Attackers as Instructors: Using Container Isolation to Reduce Risk and Understand Vulnerabilities. In: Gruss, D., Maggi, F., Fischer, M., Carminati, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2023. Lecture Notes in Computer Science, vol 13959. Springer, Cham. https://doi.org/10.1007/978-3-031-35504-2_9


  • DOI: https://doi.org/10.1007/978-3-031-35504-2_9
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-35503-5
  • Online ISBN: 978-3-031-35504-2
  • eBook Packages: Computer Science (R0)
