Linux containers (e.g., docker) have emerged as an important and lightweight execution environment for processes. Compared to traditional isolation mechanisms, such as virtual machines which have a dedicated hypervisor, containers do not present the same degree of isolation [1]. However, the docker framework allows that different runtimes can be specified. For example, the gVisor runtime [2] was shown to provide strong isolation against attacks breaking out of the environment. Thus, this runtime was found to be suitable for the use case of dynamic malware analysis, where malware is analyzed at runtime to observe its behavior [3].
Aside from breaking out of the container isolation, another threat must be considered in the scenario of dynamic malware analysis: Malware may be able to detect that it is executed in a sandboxed environment and obfuscate its behavior to avoid being included into future detection systems. Thus, the objective of this thesis is the following. First, an overview over container isolation techniques must be obtained. Secondly, an approach for the detection of the runtime environment must be proposed (i.e., an approach for a process to find out if it is executed in a container). Thirdly, the approach must be implemented as a prototype. Finally, a set of experiments must be executed, where the prototype is deployed in different containerized settings to assess its effectiveness.
[1] D. Huang, H. Cui, S. Wen and C. Huang, "Security Analysis and Threats Detection Techniques on Docker Container," 2019 IEEE 5th International Conference on Computer and Communications (ICCC), Chengdu, China, 2019, pp. 1214-1220
[2] gVisor: "Gvisor - the container security platform," https://gvisor.dev/docs/
[3] J. von der Assen, A. Huertas Celdrán, A. Zermin, R. Mogicato, G. Bovet, B. Stiller: "SecBox: A Lightweight Container-based Sandbox for Dynamic Malware Analysis," IEEE/IFIP Network Operations and Management Symposium (NOMS 2023), Miami, USA, May 2023, pp. 1-3
Supervisors: Jan von der Assen
back to the main page