Leaky Vessels deep dive: Escaping from Docker one syscall at a time

Breaking container isolation by racing the filesystem

The Snyk Security Labs team recently embarked on a research project into the Docker engine. During this project, I had the opportunity to perform what is arguably my favorite kind of research using my favorite selection of tools. The research panned out quite successfully, and we identified four high severity vulnerabilities that allow a malicious attacker to break out of a container environment with a controlled Dockerfile under docker build and, in one …

breaking container deep dive dive docker docker engine engine filesystem isolation kind kubernetes labs leaky vessels opportunity project research research project security snyk syscall team tools what is