Confine

This framework can generate Seccomp profiles for Docker images to harden container and reduce the Linux kernel attack surface available to the container. The general goal is to remove functionalities not required by containers by performing static analysis.

About Confine

While you can find a more complete and thorough description of how Confine works by reading our paper, we have summarized some of the most important points in this section. Read more...

Installation Guide

You can find the list of applications required to run Confine, along with their relevant installation commands in this section. Read more...

User Guide

The user guide provides a general overview of how to run different parts of the toolchain and to generate the results provided in the paper. Read more...

Step-by-Step Guide

We also provide a step-by-step guide which walks you through running Confine for a single Docker image, explaining what to expect in each of the program execution. Read more...

Test Monitoring Tool

We experienced event-loss issues in the dynamic analysis phase of Confine. As a result we have added support for other tools as well. Currently we support Sysdig and execsnoop. We have also added a tool to only test the monitoring phase of Confine. It launches the monitoring tool and a requested container, extracts the list of binaries and reports the number. We expect this number to be same in the same environment. It can be run multiple times to show whether or not events are being dropped.

sudo python3.8 dynAnalysisStressTest.py --imagename nginx --monitoringtool [sysdig/execsnoop] --count 100

NOTE: There seems to be an event-loss issue in the older versions of Sysdig. We recommend using the latest version (>0.26)

Paper for reference:

Please consider citing our paper if you found our tool set useful.

@inproceedings{confineraid20,
year={2020},
booktitle={Proceedings of the International Conference on Research in Attacks,
Intrusions, and Defenses (RAID)},
title={Confine: Automated System Call Policy Generation for Container Attack
Surface Reduction},
author={Ghavamnia, Seyedhamed and Palit, Tapti and Benameur, Azzedine and
Polychronakis, Michalis}
}

Name		Name	Last commit message	Last commit date
Latest commit History 104 Commits
cve.files		cve.files
go.syscalls		go.syscalls
libc-callgraphs		libc-callgraphs
other-callgraphs		other-callgraphs
python-utils		python-utils
sample.results		sample.results
website		website
.gitignore		.gitignore
EXERCISECMDS.md		EXERCISECMDS.md
LICENSE		LICENSE
README.html		README.html
README.md		README.md
addPrefixSuffixToStartNodes.py		addPrefixSuffixToStartNodes.py
binaryProfiler.py		binaryProfiler.py
checkLibc.py		checkLibc.py
confine.py		confine.py
constants.py		constants.py
container.py		container.py
containerProfiler.py		containerProfiler.py
containerTest.py		containerTest.py
convertOldImageListToJson.py		convertOldImageListToJson.py
createDockerList.py		createDockerList.py
createStats.py		createStats.py
default.seccomp.json		default.seccomp.json
dynAnalysisStressTest.py		dynAnalysisStressTest.py
extractDirectSyscalls.py		extractDirectSyscalls.py
extractDockerImages.py		extractDockerImages.py
extractSysCalls.py		extractSysCalls.py
filterProfileToCve.py		filterProfileToCve.py
finegrainProfileTest.py		finegrainProfileTest.py
images.json		images.json
images.json.bak		images.json.bak
images.json.raid		images.json.raid
images.list		images.list
phpAnalysis.py		phpAnalysis.py
seccomp.py		seccomp.py
sourceAnalysisInterface.py		sourceAnalysisInterface.py

License

shamedgh/confine

Folders and files

Latest commit

History

Repository files navigation

Confine

About Confine

Installation Guide

User Guide

Step-by-Step Guide

Test Monitoring Tool

Paper for reference:

About

Resources

License

Stars

Watchers

Forks

Languages