Tesseract : a proposal for a container breakout tool

Contributors: Pirkl, Théo
Number of pages: 95
Imprimatur date: 2024-02-09
Defense date: 2024-02-09

Containers have tremendously simplified the job of Information Technology (IT) specialists. They offer a complete system abstraction, from hardware to networking. While containers offer powerful features, their thin isolation layer with the host makes misconfigurations dangerous, as they may leave the host system or other containers vulnerable. As container use rises, so do attacks that break out of them. One category on the rise is automated attacks, which may allow an attacker to take over a system in a matter of seconds. We present a tool written in Rust that automates the exploration of a container, from enumerating its environment to attempting breakout attacks, showing what an attacker could achieve automatically, together with mitigation advice to reduce the attack surface. Our tool is capable of compromising very popular containers, especially those shipped with third-party default configurations, and shows that breakouts can be achieved in seconds. We acknowledge that large organizations have assessed the risk of container breakouts and acted upon it, but we see no signs suggesting that smaller organizations have followed suit. We urge organizations to implement and enforce processes throughout the lifecycle of containers to reduce breakout risks, by building security measures into the container design from the very start.

Citation (ISO format)
PIRKL, Théo. Tesseract : a proposal for a container breakout tool. 2024.
Main files (1)
  • Master thesis (PID: unige:175106)

Technical information

Creation: 02/21/2024 2:25:47 PM
First validation: 02/26/2024 10:30:56 AM
Update time: 06/19/2024 1:52:22 PM
Status update: 06/19/2024 1:52:22 PM
Last indexation: 06/19/2024 1:52:25 PM
All rights reserved by Archive ouverte UNIGE and the University of Geneva