Hypervisor breakouts are not as uncommon an occurrence as one would hope. In an effort to identify kernel problems that could lead to privilege escalation, we can "intelligently" fuzz for Docker container breakouts with Trinity:
Trinity is a system call fuzzer which employs some techniques to pass semi-intelligent arguments to the syscalls being called.It passes illegal or unexpected parameters to various system calls in an attempt to crash the kernel. These attack vectors could they be used as a basis for an exploit - in this case, a container breakout. It comes with a health warning:
Warning: This program may seriously corrupt your files, including any of those that may be writable on mounted network file shares. It may create network packets that may cause disruption on your local network. Run at your own risk.Eric Windisch has wrapped Trinity in a simple Dockerfile to test the container. Run with
docker run -u nobody ewindisch/trinityThis will generate a lot of output - you can leave Trinity running until it triggers some "interesting" behaviour. This lwn.net article on Trinity that provides some background:
Trinity can be used in a number of ways. One possibility is simply to leave it running until it triggers a kernel panic and then look at the child logs and the system log in order to discover the cause of the panic. Dave has sometimes left systems running for hours or days in order to discover such failures. New system calls can be exercised using the -c command-line option described above. Another possible use is to discover unexpected (or undocumented) failure modes of existing system calls: suitable scripting on the log files can be used to obtain summaries of the various failures of a particular system call.
Go forth and fuzz.