Hela: A System Call Restriction Framework for Protecting the Entire Containers Lifecycle

Li, Shaohu and Zhou, Jin and Li, Xinxin and Meng, Weizhi and Gong, Bei and Hu, Jun (2026) Hela: A System Call Restriction Framework for Protecting the Entire Containers Lifecycle. IEEE Transactions on Cloud Computing. ISSN 2168-7161

Full text not available from this repository.

Abstract

Limiting the number of system calls available to container processes effectively reduces the kernel attack surface. Existing container system call restriction schemes focus only on the minimum system call set of the applications inside containers, and place no restrictions on the container runtime runc or the other container components that create containers. To address this, this paper proposes Hela, a system call restriction framework that can restrict both container runtimes and container applications. Hela introduces the Attack Surface Exposure Score (ASES), defined as the dot product of a container's system call usage vector and a risk-weight vector, to quantify exposure. Hela computes and compares the ASES of candidate partitioning schemes and selects the best partitioning boundary among the common hook points of runc. Hela divides container creation into two phases and generates a minimum system call set for each phase. The advantage of Hela is that it combines seccomp with eBPF to achieve accurate parameter checking and efficient switching between system call whitelists. Experimental results show that Hela reduces the kernel attack surface of runc during container creation compared with traditional schemes. Security experiments show that the method can mitigate vulnerabilities involving runc and system call parameters.
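The abstract defines ASES as a dot product and says Hela compares the scores of candidate partition boundaries at runc's hook points. The following is an added illustration, not code from the paper or from Hela: it builds a constructed, hypothetical trace of syscalls issued between runc hook points (hook names and syscall sets are made up for the example), assigns hypothetical risk weights, computes the per-phase ASES for every two-phase split, and picks the boundary that minimizes the larger phase score (the selection criterion is an assumption; the paper does not state which criterion it uses). The names `RISK_WEIGHT`, `HOOK_TRACE`, `ases`, `candidate_partitions` and `select_boundary` are all this example's own.

```python
"""Worked example of the ASES metric and two-phase boundary selection.
Added illustration; weights, hook names, syscall sets and the selection
criterion are constructed assumptions, not values from the paper."""
from typing import Dict, Iterator, List, Set, Tuple

# Hypothetical risk weights per syscall (higher = more kernel surface exposed).
RISK_WEIGHT: Dict[str, int] = {
    "read": 1, "write": 1, "close": 1, "mmap": 3, "prctl": 4, "clone": 5,
    "execve": 6, "capset": 6, "setns": 7, "unshare": 7, "mount": 8,
    "pivot_root": 8, "ptrace": 9,
}

# Constructed trace: syscalls observed between consecutive runc hook points,
# in execution order. Each entry is (hook reached at the end of the segment,
# syscalls used in that segment).
HOOK_TRACE: List[Tuple[str, Set[str]]] = [
    ("prestart",        {"read", "write", "mmap", "clone", "unshare"}),
    ("createRuntime",   {"mount", "pivot_root", "setns", "read", "close"}),
    ("createContainer", {"prctl", "capset", "read", "write"}),
    ("startContainer",  {"execve", "read", "close"}),
]


def usage_vector(syscalls: Set[str], weights: Dict[str, int]) -> Dict[str, int]:
    """Binary usage vector over the weight vocabulary: 1 if the syscall must be whitelisted."""
    return {name: int(name in syscalls) for name in weights}


def ases(syscalls: Set[str], weights: Dict[str, int]) -> int:
    """Attack Surface Exposure Score: dot product of usage vector and risk-weight vector."""
    u = usage_vector(syscalls, weights)
    return sum(u[name] * weights[name] for name in weights)


def baseline_ases(trace: List[Tuple[str, Set[str]]], weights: Dict[str, int]) -> int:
    """ASES of a single whitelist covering the whole creation path (no partitioning)."""
    return ases(set().union(*(s for _, s in trace)), weights)


def candidate_partitions(
    trace: List[Tuple[str, Set[str]]],
) -> Iterator[Tuple[str, Set[str], Set[str]]]:
    """Yield (boundary hook, phase-1 syscalls, phase-2 syscalls) for every boundary
    that can be placed at a hook point. Each phase's whitelist is the union of the
    syscalls used in its segments."""
    for i in range(1, len(trace)):
        phase1 = set().union(*(s for _, s in trace[:i]))
        phase2 = set().union(*(s for _, s in trace[i:]))
        yield trace[i - 1][0], phase1, phase2


def select_boundary(
    trace: List[Tuple[str, Set[str]]], weights: Dict[str, int]
) -> Tuple[str, int, int]:
    """Assumed criterion: minimize the larger of the two phase scores, breaking
    ties on the sum. Returns (boundary hook, phase-1 ASES, phase-2 ASES)."""
    best = None
    for hook, p1, p2 in candidate_partitions(trace):
        s1, s2 = ases(p1, weights), ases(p2, weights)
        key = (max(s1, s2), s1 + s2)
        if best is None or key < best[0]:
            best = (key, hook, s1, s2)
    assert best is not None, "trace needs at least two segments"
    _, hook, s1, s2 = best
    return hook, s1, s2


if __name__ == "__main__":
    print("single-whitelist ASES:", baseline_ases(HOOK_TRACE, RISK_WEIGHT))
    for hook, p1, p2 in candidate_partitions(HOOK_TRACE):
        print(f"boundary at {hook:16s} phase1={ases(p1, RISK_WEIGHT):3d} "
              f"phase2={ases(p2, RISK_WEIGHT):3d}")
    print("selected:", select_boundary(HOOK_TRACE, RISK_WEIGHT))
```

With the constructed trace the undivided whitelist scores 57, while splitting at the `createRuntime` hook leaves phase 1 at 41 and phase 2 at 19, so the later, longer-lived phase no longer needs the mount and namespace syscalls whitelisted at all. The per-phase scores are what a whitelist switch (the seccomp plus eBPF mechanism the abstract describes) would enforce; the example only models the scoring and selection step.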

Item Type:
Journal Article
Journal or Publication Title:
IEEE Transactions on Cloud Computing
Uncontrolled Keywords:
/dk/atira/pure/subjectarea/asjc/1700/1712
Subjects:
Software; Information Systems; Computer Science Applications; Hardware and Architecture; Computer Networks and Communications
ID Code:
236425
Deposited By:
Deposited On:
07 Apr 2026 10:45
Refereed?:
Yes
Published?:
Published
Last Modified:
08 Apr 2026 02:05