Abstract: An example method for a software container includes instantiating the following in a sandbox of a computing device: an operating system, a Berkeley Packet Filter (BPF) virtual machine within a kernel of the operating system, and a software container. The kernel monitors runtime behavior events of the software container, with the monitoring at least partially performed by the BPF virtual machine. Based on the monitoring, a respective risk score is assigned to each of the runtime behavior events that is potentially malicious, with each risk score indicating a likelihood that a corresponding behavior event is malicious. An overall risk score is assigned to the software container that indicates a likelihood that the software container is malicious based on the respective risk scores.

Abstract: An example method of sharing a resource between software containers includes detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the host computing device. The method also includes accepting or rejecting the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application. An example host computing device configured to share resources between software containers is also disclosed.

Abstract: A computer-implemented method of providing security for a software container according to an example of the present disclosure includes receiving a software container image having a software application layer that is encrypted and includes a software application, and having a separate security agent layer that includes a security agent. The method includes receiving a request to instantiate the software container image as a software container. The method also includes, based on the request: launching the security agent and utilizing the security agent to decrypt and authenticate the software application layer, and control operation of the software application based on the authentication.

Abstract: An example computer-implemented method of preventing exploitation of software vulnerabilities includes determining that a software container is susceptible to a vulnerability, determining one or more soft spots required to exploit the vulnerability, and analyzing runtime behavior of the software container to determine if the software container uses the one or more soft spots. The method includes automatically applying a security policy that prevents the software container from using the one or more soft spots based on the analyzing indicating that the software container does not use the one or more soft spots at runtime.

Abstract: According to one aspect of the present disclosure, resource requests between software containers are accepted or rejected based on whether the software containers are part of a same logical software application. According to another aspect of the present disclosure, a request to start a software container is accepted or rejected based on whether the software container is digitally signed. According to another aspect of the present disclosure, a request to perform a container operational action for a first software container is accepted or rejected based on whether a security registry includes a rule governing the requested container operational action for the first software container, and if the software container is already running, based also on what entity started the software container.