Journal: Concurrency, practice and experience

Sandboxing of biomedical applications in Linux containers based on system call evaluation

Abstract

Applications for biomedical data processing often integrate external libraries and frameworks for common algorithmic tasks. It typically reduces development time and increases overall code quality. With the introduction of lightweight container-based virtualization, the bundling of applications and their required dependencies has become feasible, and containers can be transferred and executed in distributed environments. However, the incorporation of unreviewed code poses a security threat as it might contain malicious components. In this paper, measures to minimize risks of untrusted application execution are presented. Based on the system calls issued during sample execution of the application, both the container itself and the container runtime configuration are restricted to the set of actions the application requires. It is shown that the employed security measures are suited to counteract different attacks while application runtime is not affected.