Cloud-Native Sandboxes for Microservices: Understanding New Threats and Attacks

Conference: BlackHat EU 2018



The presentation discusses the design of a container-based sandbox for cybersecurity purposes.
  • The container-based sandbox is designed to address the challenges of detecting vulnerabilities in container-based cloud systems.
  • The sandbox provides context-aware detection, with efficient retrieval and construction of that context.
  • The sandbox is integrated into the Kubernetes community and can be easily used by the Talos team.
  • Aligning system calls can help generate unique patterns for creating signatures or for forensic purposes.
The presenter said they had tested various methods for aligning system calls and found that a formula with three attributes (importance, closeness, and sensitivity) was the most effective. They also showed an example of the sandbox detecting remote command execution by aligning the common processes the software uses to pass commands.
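As an added illustration of the system-call alignment idea summarized above (this is not code from the talk or its sandbox): two constructed syscall traces are globally aligned, the calls conserved across both become a signature, and a third trace is checked against it. The per-syscall weights stand in for the talk's "sensitivity" attribute and are assumptions; "importance" and "closeness" are not modelled.

```python
# Added example, not code from the talk: align two constructed syscall
# traces, keep the conserved calls as a signature and check a third trace
# against it. Syscall weights stand in for the talk's "sensitivity"
# attribute and are assumptions; importance/closeness are not modelled.

# Constructed traces: two command executions reached through a web
# service, differing only in incidental I/O calls; BENIGN spawns nothing.
TRACE_A = ["accept", "read", "socket", "connect", "clone",
           "execve", "dup2", "write", "close"]
TRACE_B = ["accept", "read", "stat", "clone", "execve",
           "dup2", "read", "write", "close"]
BENIGN = ["accept", "read", "stat", "write", "close"]

SENSITIVE = {"execve": 3, "clone": 2, "dup2": 2, "connect": 2}  # assumed weights
GAP = -1

def score(a, b):  # weighted match, flat mismatch penalty
    return 1 + SENSITIVE.get(a, 0) if a == b else -1

def align(x, y):
    """Needleman-Wunsch global alignment; returns (score, matched calls)."""
    n, m = len(x), len(y)
    M = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1): M[i][0] = i * GAP
    for j in range(1, m + 1): M[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            M[i][j] = max(M[i-1][j-1] + score(x[i-1], y[j-1]),
                          M[i-1][j] + GAP, M[i][j-1] + GAP)
    # Trace back; only identical calls on the diagonal join the signature.
    i, j, matched = n, m, []
    while i > 0 and j > 0:
        if M[i][j] == M[i-1][j-1] + score(x[i-1], y[j-1]):
            if x[i-1] == y[j-1]:
                matched.append(x[i-1])
            i, j = i - 1, j - 1
        elif M[i][j] == M[i-1][j] + GAP:
            i -= 1
        else:
            j -= 1
    matched.reverse()
    return M[n][m], matched

def build_signature():
    return align(TRACE_A, TRACE_B)[1]  # conserved, in-order calls of both attack traces

def matches(trace, signature):
    """True if every signature call appears in the trace, in order."""
    it = iter(trace)
    return all(any(s == t for t in it) for s in signature)
```

On these inputs the signature is the process-spawn chain (clone, execve, dup2) framed by the request's accept/read and write/close, which the benign trace lacks.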


Sandboxing is a proven technique for detecting malware and targeted attacks. In practice, sandboxes inspect network traffic and identify suspicious behaviors. However, the emergence of new forms of malware and exploits targeting microservices poses challenges for traditional sandboxing solutions in cloud-native environments. Contemporary sandboxes fail to support container-based environments. To address these challenges, we redesigned the sandboxing system by adopting the new emerging container techniques. We will also demonstrate how our sandbox improves the performance of detecting microservice-oriented attacks. Additionally, in this talk we will discuss how to extend our sandbox to benefit existing security products in order to achieve better accuracy.