Description
While container virtualization dominates today’s infrastructure, the ‘container’ itself is a fundamental illusion, shifting security focus to the underlying isolation mechanisms in shared environments. However, despite the critical nature of these isolation mechanisms, existing runtime security solutions primarily focus on payload-centric threat detection and policy enforcement. By relying heavily on the container orchestrator to resolve context, these tools create a blind spot when attackers bypass the control plane to silently degrade the underlying boundaries at runtime. To bridge this visibility gap, this thesis introduces an engine-agnostic monitoring architecture to continuously monitor these isolation boundaries for modifications. The proposed architecture leverages eBPF to inspect foundational system calls and dynamically reconstruct and monitor a container’s isolation context at runtime, with negligible overhead and without modifying the underlying host or orchestration stack. Consequently, by removing the orchestrator abstraction layer as a dependency, this thesis demonstrates that isolation mechanisms can be dynamically evaluated directly at the root of the operating system.
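To make the "isolation context" concrete, here is an added userland illustration, not the thesis's eBPF engine (which reconstructs the same fields from system-call events rather than from /proc): it parses the boundary-relevant fields of `/proc/<pid>/status` and the `/proc/<pid>/ns/*` link targets into a baseline and flags drift such as a process joining a host namespace, regaining capabilities, or losing its seccomp filter. All sample inputs are constructed, and the host namespace inode numbers are assumed values.

```python
import re

NS_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")

def isolation_context(status_text, ns_links):
    """Boundary fields from /proc/<pid>/status text plus ns link targets."""
    ctx = {"ns": {}}
    for line in status_text.splitlines():
        key, _, val = line.partition(":")
        if key in ("CapEff", "CapBnd"):
            ctx[key] = int(val, 16)           # capability bitmasks are hex
        elif key in ("Seccomp", "NoNewPrivs"):
            ctx[key] = int(val)
    for kind in NS_KINDS:                     # links look like 'net:[4026531840]'
        m = re.fullmatch(rf"{kind}:\[(\d+)\]", ns_links.get(kind, ""))
        ctx["ns"][kind] = int(m.group(1)) if m else None
    return ctx

def boundary_drift(baseline, current, host_ns):
    """Findings where the current context is weaker than the baseline."""
    findings = []
    for kind in NS_KINDS:
        b, c = baseline["ns"][kind], current["ns"][kind]
        if c != b:
            tag = "joined host namespace" if c == host_ns.get(kind) else "changed namespace"
            findings.append(f"{kind}: {tag} ({b} -> {c})")
    for cap in ("CapEff", "CapBnd"):
        gained = current[cap] & ~baseline[cap]  # bits held now but not at baseline
        if gained:
            findings.append(f"{cap}: gained bits 0x{gained:x}")
    if current["Seccomp"] < baseline["Seccomp"]:
        findings.append("Seccomp: filter mode lowered")
    if current["NoNewPrivs"] < baseline["NoNewPrivs"]:
        findings.append("NoNewPrivs: cleared")
    return findings

# Constructed sample data (not captured from a real system): one process before
# and after it joined the host mount namespace and regained the full capability set.
HOST_NS = {"mnt": 4026531840, "net": 4026531992, "pid": 4026531836}
BASE_STATUS = "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nNoNewPrivs:\t1\nSeccomp:\t2\n"
BASE_NS = {"mnt": "mnt:[4026532555]", "net": "net:[4026532620]", "pid": "pid:[4026532558]"}
DEGRADED_STATUS = "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"
DEGRADED_NS = {"mnt": "mnt:[4026531840]", "net": "net:[4026532620]", "pid": "pid:[4026532558]"}

def demo():
    base = isolation_context(BASE_STATUS, BASE_NS)
    return boundary_drift(base, isolation_context(DEGRADED_STATUS, DEGRADED_NS), HOST_NS)
```

On a live host the same functions can be fed `open(f"/proc/{pid}/status").read()` and `{k: os.readlink(f"/proc/{pid}/ns/{k}") for k in NS_KINDS}`, re-sampled on a timer; the thesis's point is that an eBPF probe sees the transition at the setns/unshare/capset call itself instead of polling for its aftermath.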