Protect Containerized Applications with System Call Profiling

Explore container security through system call profiling in this 53-minute conference talk from AppSecUSA 2016. Dive into the differences between containers and virtual machines, understanding the unique security challenges posed by shared OS kernels. Learn how to develop accurate system call profiles using static analysis of container images and host system knowledge. Discover techniques for runtime monitoring and protection against malicious behavior with minimal performance overhead. Follow along as the speaker demonstrates system call profiling on a sample micro-service application, showcasing its effectiveness in detecting behavioral anomalies with low false positives. Gain insights into practical considerations, challenges, and the value of this non-intrusive approach for hardening and isolating containerized applications.

Introduction
Agenda
What is Container
Container vs VMS
Darker
Darker Hub
Security Challenges
AppArmor
Circum
Container Threat Model
Assumptions
Remote Attacks
Container Attacks
Container Characteristics
Darken File
Console Log
RightToLog
Demo
Key Control System Call
Performance Hit
Performance Hit 2
Application Types
Static Analysis
Challenges
Practical Considerations
Value of Twister
Questions