Network Traffic Analysis

Prevasio Sandbox intercepts and inspects all network traffic generated by containers, including HTTPS traffic.

SSL/TLS inspection is enabled by dynamically injecting Prevasio's MITM proxy certificate into the virtual file system of the analysed container image, so that TLS clients inside the container trust the proxy.

Currently, Prevasio Sandbox provides HTTPS interception for the 10 most common Linux distributions.

The following example demonstrates the interception of HTTP and HTTPS traffic in a container spawned from a public Docker Hub image.

Vulnerability Scan

Prevasio Sandbox scans container images for the presence of any vulnerable packages and libraries.

For example, this Docker Hub image contains critical vulnerabilities in 28 packages.

ML Classifier for Malware

Any 32-bit or 64-bit ELF executable file created during the container image build phase or at runtime is scanned with Prevasio's Machine Learning (ML) model.

The ML model used by Prevasio relies on ELF file's static characteristics, its entropy, and the sequence of its disassembled code.
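To make the feature side of such a classifier concrete, here is an added example (not Prevasio's code or model) that parses a little-endian ELF64 image, computes the Shannon entropy of every section, records static characteristics (machine type, entry point, whether the symbol table is stripped) and uses opcode-byte bigrams as a crude stand-in for the disassembled-code sequence the text mentions. The two ELF images it analyses are constructed in the script itself, and the 7.0 bits/byte "packed" cut-off is an assumption chosen for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

# ELF64 constants (from the ELF specification) and struct layouts of the headers.
ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
EHDR_FMT, SHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ"
PACKED_THRESHOLD = 7.0  # assumed cut-off (bits/byte) above which code looks packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def parse_elf64(blob: bytes):
    """Parse the ELF header and section table of a little-endian ELF64 image."""
    if blob[:4] != b"\x7fELF" or blob[4] != ELFCLASS64 or blob[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 file")
    keys = ("ident", "type", "machine", "version", "entry", "phoff", "shoff", "flags",
            "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    hdr = dict(zip(keys, struct.unpack_from(EHDR_FMT, blob, 0)))
    raw = [struct.unpack_from(SHDR_FMT, blob, hdr["shoff"] + i * hdr["shentsize"])
           for i in range(hdr["shnum"])]
    strtab_off = raw[hdr["shstrndx"]][4]          # file offset of .shstrtab
    sections = []
    for name_off, sh_type, flags, _addr, offset, size, *_ in raw:
        end = blob.index(b"\x00", strtab_off + name_off)
        sections.append({"name": blob[strtab_off + name_off:end].decode(),
                         "type": sh_type, "flags": flags, "data": blob[offset:offset + size]})
    return hdr, sections


def extract_features(blob: bytes) -> dict:
    """Static characteristics of the kind an ELF classifier can be trained on."""
    hdr, sections = parse_elf64(blob)
    exec_secs = [s for s in sections if s["flags"] & SHF_EXECINSTR]
    entropy = {s["name"]: round(shannon_entropy(s["data"]), 3) for s in sections if s["data"]}
    code = b"".join(s["data"] for s in exec_secs)
    bigrams = Counter(zip(code, code[1:]))  # opcode-byte bigrams: a crude stand-in for disassembly
    return {
        "type": hdr["type"], "machine": hdr["machine"], "entry": hdr["entry"],
        "n_sections": len(sections),
        "stripped": not any(s["type"] == SHT_SYMTAB for s in sections),
        "section_entropy": entropy,
        "high_entropy_sections": [n for n, e in entropy.items() if e > PACKED_THRESHOLD],
        "packed_code": any(shannon_entropy(s["data"]) > PACKED_THRESHOLD for s in exec_secs),
        "top_bigrams": [f"{a:02x}{b:02x}" for (a, b), _ in bigrams.most_common(3)],
    }


def build_sample_elf(text: bytes, data: bytes) -> bytes:
    """Construct a minimal ELF64 image (header, .text, .data, .shstrtab, section table)."""
    names = b"\x00.text\x00.data\x00.shstrtab\x00"   # name offsets: 1, 7, 13
    text_off = struct.calcsize(EHDR_FMT)
    data_off = text_off + len(text)
    names_off = data_off + len(data)
    shoff = names_off + len(names)
    ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0x400000 + text_off, 0, shoff, 0,
                       64, 56, 0, 64, 4, 3)   # ET_EXEC, x86-64, 4 sections, names in #3
    shdrs = b"".join(struct.pack(SHDR_FMT, *h) for h in (
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        (1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, 0x400000 + text_off, text_off, len(text), 0, 0, 16, 0),
        (7, SHT_PROGBITS, SHF_ALLOC | SHF_WRITE, 0x600000, data_off, len(data), 0, 0, 8, 0),
        (13, SHT_STRTAB, 0, 0, names_off, len(names), 0, 0, 1, 0)))
    return ehdr + text + data + names + shdrs


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes (a sha256 chain) standing in for an encrypted payload."""
    out, block = b"", b"constructed seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: a small x86-64 prologue/epilogue repeated (ordinary low-entropy code)
# beside an encrypted-looking .data, and a second image whose code itself is high entropy.
SAMPLE_ELF = build_sample_elf(bytes.fromhex("554889e54883ec1031c0c9c3") * 200, pseudo_random(4096))
PACKED_ELF = build_sample_elf(pseudo_random(2400), b"\x00" * 64)

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_ELF), ("packed", PACKED_ELF)):
        print(label, extract_features(blob))
```

The point of the two samples is the failure mode a classifier has to cope with: an ordinary binary with an encrypted data blob and a packed binary both contain a high-entropy section, but only in the second case does the high entropy sit in an executable section, which is why the example reports the executable-section entropy separately from the per-section values.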

Here is an example of a malicious container image hosted at Docker Hub that was picked up by Prevasio's ML Classifier.

Let's see what happens if we recompile the Mirai bot's source code using custom domains for its C2 (command-and-control) traffic. The Dockerfile with instructions to fetch, modify, and compile the Mirai source code is available here.

As this example shows, the use of ML provides detection that remains effective even when the malware has been modified.

Automated Pen-Test

Full static visibility of a container's internals is not sufficient to tell whether the container image in question is indeed safe.

During the last stage of its analysis, Prevasio Sandbox simulates attackers' actions, first trying to fingerprint services running within the analysed container, and then engaging exploits against them.

In addition, the pen-test performs a brute-force attack against each identified service (such as SSH, FTP or SQL) in order to find weak credentials that would allow an attacker to log in.

As the pen-test is performed in an isolated environment, it poses no risk to the production environment.

The following example demonstrates how the automated pen-test identified the type of MySQL server running inside a container spawned from this Docker Hub image, then successfully brute-forced it and found working credentials.

System Event Graph

Prevasio collects kernel-level system events within a running container:

  • File system events
  • Network events
  • Process lifecycle events
  • Kernel syscalls
  • User call events

These events are then correlated into a hierarchy and displayed visually as a force-directed graph. The graph makes it possible to spot problematic containers at a glance and to quickly establish a container's remote access points.
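As an added example of the correlation step (not Prevasio's code, and not its event format, which this page does not show), the script below takes a flat stream of constructed process, file, network and syscall events, links them into a parent/child process hierarchy, derives the remote access points (inbound connections accepted on a listening port, outbound connections to remote peers) and emits Graphviz DOT that a force-directed layout engine can render. The process names, PIDs and peer addresses are all constructed for the illustration; the peer addresses use the documentation ranges.

```python
# Constructed sample events in the shape a kernel-level collector might emit.
EVENTS = [
    {"ts": 1, "type": "process", "op": "exec", "pid": 1, "ppid": 0, "comm": "entrypoint.sh"},
    {"ts": 2, "type": "process", "op": "exec", "pid": 10, "ppid": 1, "comm": "bitcoind"},
    {"ts": 3, "type": "file", "pid": 10, "op": "open", "path": "/root/.bitcoin/bitcoin.conf"},
    {"ts": 4, "type": "net", "pid": 10, "op": "connect", "dst": "203.0.113.7", "port": 8333},
    {"ts": 5, "type": "net", "pid": 10, "op": "connect", "dst": "198.51.100.9", "port": 8333},
    {"ts": 6, "type": "process", "op": "exec", "pid": 11, "ppid": 1, "comm": "sshd"},
    {"ts": 7, "type": "net", "pid": 11, "op": "listen", "port": 22},
    {"ts": 8, "type": "net", "pid": 11, "op": "accept", "src": "192.0.2.44", "port": 22},
    {"ts": 9, "type": "process", "op": "exec", "pid": 12, "ppid": 11, "comm": "bash"},
    {"ts": 10, "type": "syscall", "pid": 12, "name": "ptrace"},
    {"ts": 11, "type": "process", "op": "exit", "pid": 10},
]


def build_process_tree(events):
    """Correlate flat events into per-process records keyed by pid and linked by ppid."""
    procs = {}

    def node(pid):
        return procs.setdefault(pid, {"pid": pid, "comm": "?", "ppid": None, "children": [],
                                      "files": [], "net": [], "syscalls": [], "exited": False})

    for ev in sorted(events, key=lambda e: e["ts"]):
        p = node(ev["pid"])
        if ev["type"] == "process" and ev["op"] == "exec":
            p["comm"], p["ppid"] = ev["comm"], ev["ppid"]
            if ev["ppid"] and ev["pid"] not in node(ev["ppid"])["children"]:
                node(ev["ppid"])["children"].append(ev["pid"])   # parent may exec later
        elif ev["type"] == "process" and ev["op"] == "exit":
            p["exited"] = True
        elif ev["type"] == "file":
            p["files"].append((ev["op"], ev["path"]))
        elif ev["type"] == "net":
            p["net"].append(ev)
        elif ev["type"] == "syscall":
            p["syscalls"].append(ev["name"])
    return procs


def lineage(procs, pid):
    """Process names from the container's root process down to pid."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["comm"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def remote_access_points(procs):
    """(comm, pid, direction, peer) for every inbound accept on a listening port and every outbound connect."""
    points = []
    for p in procs.values():
        listening = {ev["port"] for ev in p["net"] if ev["op"] == "listen"}
        for ev in p["net"]:
            if ev["op"] == "accept" and ev["port"] in listening:
                points.append((p["comm"], p["pid"], "inbound", f'{ev["src"]}:{ev["port"]}'))
            elif ev["op"] == "connect":
                points.append((p["comm"], p["pid"], "outbound", f'{ev["dst"]}:{ev["port"]}'))
    return points


def to_dot(procs):
    """Graphviz DOT of the hierarchy; `neato` or `fdp` gives a force-directed layout."""
    lines = ["digraph container {"]
    for p in procs.values():
        style = ", style=dashed" if p["exited"] else ""
        lines.append(f'  p{p["pid"]} [label="{p["comm"]} ({p["pid"]})"{style}];')
        for child in p["children"]:
            lines.append(f'  p{p["pid"]} -> p{child};')
        for ev in p["net"]:
            peer = ev.get("dst") or ev.get("src")
            if peer:
                lines.append(f'  p{p["pid"]} -> "{peer}:{ev["port"]}" [label="{ev["op"]}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    tree = build_process_tree(EVENTS)
    print("lineage of pid 12:", " > ".join(lineage(tree, 12)))
    for point in remote_access_points(tree):
        print("remote access point:", point)
    print(to_dot(tree))
```

The lineage output is what makes the hierarchy useful to an analyst: seeing that a shell descends from sshd, which accepted a connection from outside, answers the "where did this come from" question directly, while the outbound peers of the bitcoind process are what the geographic view on the page is built from.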

Here is an example of an event graph generated for this Docker Hub image. Note the geographic distribution of the bitcoin peer-to-peer nodes.