PACED: Provenance-based Automated Container Escape Detection

2022 IEEE International Conference on Cloud Engineering (IC2E)(2022)

Abstract
The security of container-based microservices relies heavily on the isolation of operating system resources that is provided by namespaces. However, vulnerabilities exist in the isolation of containers that attackers may exploit to gain access to the host; these are commonly referred to as container escape attacks. While prior work has identified vulnerabilities in namespace isolation, no general container escape detection and warning system has been presented. We present Paced, a novel real-time system to detect container escape attacks. We define what constitutes a cross-namespace event and how such events can be used to detect a container escape attack. We develop a provenance-based approach to isolate cross-namespace events and propose a rule, privileged_flow, to detect attacks in Docker and Kubernetes environments. We evaluate our detection method on a suite of contemporary CVEs with container escape exploits, bad container configurations, and benchmarks. Paced achieves near-perfect accuracy with no false negatives. We release our implementation and datasets as free, open-source software.
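The abstract defines a cross-namespace event as the building block for detection. The following toy detector, added here as an illustration and not taken from the Paced paper or its released code, shows what that looks like over a handful of constructed provenance edges: each edge records the namespace of the acting process and the namespace of the object it touches, and an edge whose two namespace IDs differ is a cross-namespace event. The flagging rule applied on top of it (a non-host subject acting on a host-namespace object) is an assumption made for this example and is not the paper's privileged_flow rule; the namespace inode numbers, the event schema, and the sample events are all constructed.

```python
"""Toy cross-namespace event detector over constructed provenance records.

Illustration only: the event schema, namespace IDs, sample events and the
flagging rule are assumptions for this example, not Paced's implementation
or its privileged_flow rule.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed inode numbers standing in for the host namespace and for one
# container's namespace (real values come from /proc/<pid>/ns/*).
HOST_NS = 4026531836
CONTAINER_NS = 4026532801


@dataclass(frozen=True)
class Event:
    """One provenance edge: a subject process acting on an object.

    obj is a file path or "pid:N" for a process object (e.g. a forked child);
    obj_ns is the namespace the object belongs to.
    """
    op: str        # "fork", "exec", "read" or "write"
    pid: int       # acting (subject) process
    subj_ns: int   # namespace inode of the subject
    obj: str       # object identifier
    obj_ns: int    # namespace inode of the object


def is_cross_namespace(ev: Event) -> bool:
    """A cross-namespace event joins a subject and an object in different namespaces."""
    return ev.subj_ns != ev.obj_ns


def cross_namespace_events(events: Iterable[Event]) -> List[Event]:
    """Isolate the cross-namespace edges from a stream of provenance events."""
    return [ev for ev in events if is_cross_namespace(ev)]


def suspicious_flows(events: Iterable[Event], host_ns: int = HOST_NS) -> List[Event]:
    """Assumed rule (not the paper's): keep cross-namespace edges whose subject runs
    outside the host namespace while the object lives in it.  Direction matters:
    the host runtime forking a container's init is also cross-namespace, but the
    flow runs host -> container and is the normal way containers start.
    """
    return [
        ev for ev in cross_namespace_events(events)
        if ev.subj_ns != host_ns and ev.obj_ns == host_ns
    ]


# Constructed sample stream: container start, normal in-container activity,
# a write into a host-namespace file, and a child spawned into the host namespace.
SAMPLE_EVENTS = [
    Event("fork", 700, HOST_NS, "pid:2000", CONTAINER_NS),        # runtime starts container init
    Event("read", 2001, CONTAINER_NS, "/etc/passwd", CONTAINER_NS),  # same namespace, ignored
    Event("write", 2001, CONTAINER_NS, "/etc/cron.d/job", HOST_NS),  # container -> host file
    Event("fork", 2001, CONTAINER_NS, "pid:2002", HOST_NS),         # child lands in host namespace
]


if __name__ == "__main__":
    for ev in suspicious_flows(SAMPLE_EVENTS):
        print(f"ALERT pid={ev.pid} op={ev.op} obj={ev.obj} "
              f"subj_ns={ev.subj_ns} obj_ns={ev.obj_ns}")
```

Of the three cross-namespace edges in the sample, only the two that flow from the container into the host namespace are reported; the host-to-container fork that starts the container is correctly left alone. A real system would derive the namespace IDs from kernel provenance rather than from hand-written records, and would need to account for legitimate host-namespace mounts and privileged sidecars that this toy rule would flag.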
Keywords
provenance, container, container escape, security