In this paper we introduce Timeloops, a novel technique for automatically learning system call filtering policies for containerized microservices applications. At run-time, Timeloops automatically learns which system calls a program should be allowed to invoke while rejecting attempts to call spurious system calls. Further, Timeloops addresses many of the shortcomings of state-of-the-art static analysis-based techniques; for example, it can generate tight filters for programs written in interpreted languages such as PHP, Python, and JavaScript. Timeloops has a simple and robust implementation because it is mainly built out of commodity, proven technologies such as seccomp-BPF, systemd, and Podman containers, with fewer than 500 lines of code. We demonstrate the utility of Timeloops by learning system calls for individual services and two microservices benchmark applications, which utilize popular technologies like Python Flask, Nginx (with PHP and Lua modules), Apache Thrift, Memcached, Redis, and MongoDB. Further, the amortized performance of Timeloops is similar to that of an unhardened system while producing a smaller system call filter than state-of-the-art static analysis-based techniques.