Abstract
To achieve economies of scale, popular Internet destinations concurrently serve hundreds or thousands of users on shared physical infrastructure. This resource sharing enables attacks that misuse permissions and affect other users. Our work uses containerization to create “single-use servers” which are dynamically instantiated and tailored for each user’s permissions. This isolates users and eliminates attacker persistence. Further, it simplifies analysis, allowing the fusion of logs to help defenders localize vulnerabilities associated with security incidents. We thus mitigate attacks and convert them into debugging traces to aid remediation. We evaluate the approach using three systems, including the popular WordPress content management system. It eliminates attacker persistence, propagation, and permission misuse. It has low CPU and latency costs and requires linear memory consumption, which we reduce with a customized page merging technique.
Acknowledgements
This material is based upon work supported by the National Science Foundation under Grant No. 1814402 and 1814234.
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Lei, Y., Lanson, J.P., Shue, C.A., Wood, T.W. (2023). Attackers as Instructors: Using Container Isolation to Reduce Risk and Understand Vulnerabilities. In: Gruss, D., Maggi, F., Fischer, M., Carminati, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2023. Lecture Notes in Computer Science, vol 13959. Springer, Cham. https://doi.org/10.1007/978-3-031-35504-2_9
DOI: https://doi.org/10.1007/978-3-031-35504-2_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-35503-5
Online ISBN: 978-3-031-35504-2