Moghaddas Borhan, Alireza ORCID: https://orcid.org/0009-0003-9802-6662
(2025)
CapMan: Detecting and Mitigating Linux Capability Abuses at Runtime to Secure Privileged Containers.
Masters thesis, Concordia University.
Text (application/pdf), 8MB: Moghaddasborhan_MA_S2025.pdf - Accepted Version. Restricted to Repository staff only until 1 April 2026. Available under License Spectrum Terms of Access.
Abstract
Linux capabilities represent an important security feature for enabling fine-grained management of privileges. However, limitations in selectively enabling capabilities for processes and lagging adoption by application developers often lead operators to run containers with unnecessary privileges. Although this can potentially be addressed by modifying the application, minimizing the set of enabled capabilities, assigning capabilities to executable files, or using user-space utilities like Ptrace, those solutions typically require manual effort, provide only partial protection, or incur significant overhead. In this thesis, we present CapMan, a solution that secures privileged containers by detecting and mitigating potential capability abuses at runtime. Our main idea is threefold. First, CapMan examines all capability requests made by system calls to ensure full protection. Second, CapMan performs the detection directly inside the Linux kernel to ensure its efficiency. Third, CapMan performs the mitigation in a transparent manner without requiring any change to the application or container.
We tackle several key challenges in realizing CapMan as follows: i) to ensure CapMan can cover every capability request, we study the Linux kernel source code to identify the kernel function used to handle such requests, and subsequently develop a kprobe-based kernel module to intercept those requests via that kernel function; ii) since user-space detection can introduce prohibitive delay, we design CapMan to perform its detection completely inside the kernel based on lightweight whitelisting and machine learning methods; iii) as Linux only allows the container itself to drop capabilities, CapMan performs its mitigation by overriding such rules in a safe manner using standard kernel functions and procedures. Our evaluation of CapMan using real-world CVEs and capability abuses shows that it can mitigate all the tested capability abuses (most of which are missed by a state-of-the-art solution) with negligible performance overhead and resource consumption.
| Field | Value |
|---|---|
| Divisions | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
| Item Type | Thesis (Masters) |
| Authors | Moghaddas Borhan, Alireza |
| Institution | Concordia University |
| Degree Name | M.A. Sc. |
| Program | Information Systems Security |
| Date | 4 March 2025 |
| Thesis Supervisor(s) | Wang, Lingyu and Pourzandi, Makan |
| ID Code | 995417 |
| Deposited By | Alireza Moghaddasborhan |
| Deposited On | 17 Jun 2025 17:20 |
| Last Modified | 17 Jun 2025 17:20 |