Container Privilege Escalation and Escape Detection Method Based on Security-First Architecture.

Privilege escalation and escape attacks pose the greatest security threats for containers since they have a direct impact on the confidentiality, integrity, and availability of the underlying host and the entire container cloud platform. Meanwhile, there are numerous privilege escalation and container escape exploits. Existing works can only partially identify privilege escalation and escape attacks. Additionally, as they are at the same privilege level as the operating system, mal ware can easily get around them. In this work, we propose CPEED, a method based on security-first architecture to detect container privilege escalation and escape attacks caused by memory corruption exploits. First, We create a general attack model by studying the 25 memory corruption exploits and determine what to measure. Then, we address the difficulties in transferring semantic information from the computing subsystem to the security subsystem due to hardware isolation, and perform integrity measurements in the security subsystem. Experimental results demonstrate that CPEED can detect the privilege escalation and escape attacks effectively with minor performance impacts on computing workloads, and it is difficult for malware to evade detection.