{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T14:30:02Z","timestamp":1774449002159,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":78,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,15]],"date-time":"2023-11-15T00:00:00Z","timestamp":1700006400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,15]]},"DOI":"10.1145\/3576915.3623121","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:35:13Z","timestamp":1700570113000},"page":"3048-3062","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":16,"title":["Take Over the Whole Cluster: Attacking Kubernetes via Excessive Permissions of Third-party Applications"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-9346-6679","authenticated-orcid":false,"given":"Nanzi","family":"Yang","sequence":"first","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2899-6121","authenticated-orcid":false,"given":"Wenbo","family":"Shen","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0709-7434","authenticated-orcid":false,"given":"Jinku","family":"Li","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-2614-327X","authenticated-orcid":false,"given":"Xunqi","family":"Liu","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-9154-1863","authenticated-orcid":false,"given":"Xin","family":"Guo","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4251-1143","authenticated-orcid":false,"given":"Jianfeng","family":"Ma","sequence":"additional","affiliation":[{"name":"Xidian University, Xi'an, China"}]}],"member":"320","published-online":{"date-parts":[[2023,11,21]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813648"},{"key":"e_1_3_2_1_2_1","volume-title":"25th USENIX Security Symposium (USENIX Security 16)","author":"Aafer Yousra","year":"2016","unstructured":"Yousra Aafer, Xiao Zhang, and Wenliang Du. 2016. Harvesting Inconsistent Security Configurations in Custom Android {ROMs} via Differential Analysis. In 25th USENIX Security Symposium (USENIX Security 16). 1153--1168."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-17146-8_12"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2950134"},{"key":"e_1_3_2_1_5_1","first-page":"23","article-title":"Drebin: Effective and explainable detection of android malware in your pocket","volume":"14","author":"Arp Daniel","year":"2014","unstructured":"Daniel Arp, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, Konrad Rieck, and CERT Siemens. 2014. Drebin: Effective and explainable detection of android malware in your pocket.. In Ndss, Vol. 14. 23--26.","journal-title":"Ndss"},{"key":"e_1_3_2_1_6_1","unstructured":"Kubernetes Authors. 2022. Kubernetes. https:\/\/kubernetes.io\/."},{"key":"e_1_3_2_1_7_1","unstructured":"Kubernetes Authors. 2023 a. Case Studies. https:\/\/kubernetes.io\/case-studies."},{"key":"e_1_3_2_1_8_1","unstructured":"Kubernetes Authors. 2023 b. Control Plane. https:\/\/kubernetes.io\/docs\/reference\/glossary\/?all=true#term-control-plane."},{"key":"e_1_3_2_1_9_1","unstructured":"Kubernetes Authors. 2023 c. DaemonSet. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/daemonset\/."},{"key":"e_1_3_2_1_10_1","unstructured":"Kubernetes Authors. 2023 d. Deployment. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/deployment\/."},{"key":"e_1_3_2_1_11_1","unstructured":"Kubernetes Authors. 2023 e. Namespaces. https:\/\/kubernetes.io\/docs\/concepts\/overview\/working-with-objects\/namespaces\/."},{"key":"e_1_3_2_1_12_1","unstructured":"Kubernetes Authors. 2023 f. Role and ClusterRole. https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\/##role-and-clusterrole."},{"key":"e_1_3_2_1_13_1","unstructured":"Kubernetes Authors. 2023 g. Secrets. https:\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/."},{"key":"e_1_3_2_1_14_1","unstructured":"Kubernetes Authors. 2023 h. Securing a Cluster. https:\/\/kubernetes.io\/docs\/tasks\/administer-cluster\/securing-a-cluster\/."},{"key":"e_1_3_2_1_15_1","unstructured":"Kubernetes Authors. 2023 i. Service Accounts. https:\/\/kubernetes.io\/docs\/concepts\/security\/service-accounts\/."},{"key":"e_1_3_2_1_16_1","unstructured":"Kubernetes Authors. 2023 j. StatefulSets. https:\/\/kubernetes.io\/docs\/concepts\/workloads\/controllers\/statefulset\/."},{"key":"e_1_3_2_1_17_1","unstructured":"Kubernetes Authors. 2023 k. Using RBAC Authorization. https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\/."},{"key":"e_1_3_2_1_18_1","unstructured":"Yuval Avrahami. 2021. Finding Azurescape -- Cross-Account Container Takeover in Azure Container Instances. https:\/\/unit42.paloaltonetworks.com\/azure-container-instances\/."},{"key":"e_1_3_2_1_19_1","unstructured":"AWS. 2023 a. Amazon EKS add-ons. https:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/eks-add-ons.html."},{"key":"e_1_3_2_1_20_1","unstructured":"AWS. 2023 b. Isolating tenant workloads to specific nodes. https:\/\/aws.github.io\/aws-eks-best-practices\/security\/docs\/multitenancy\/#isolating-tenant-workloads-to-specific-nodes."},{"key":"e_1_3_2_1_21_1","unstructured":"AWS. 2023 c. What is Amazon EKS? https:\/\/docs.aws.amazon.com\/eks\/latest\/userguide\/what-is-eks.html."},{"key":"e_1_3_2_1_22_1","unstructured":"Azure. 2023 a. Add-ons extensions and other integrations with Azure Kubernetes Service. https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/integrations."},{"key":"e_1_3_2_1_23_1","unstructured":"Azure. 2023 b. Azure Kubernetes Service (AKS). https:\/\/azure.microsoft.com\/en-us\/products\/kubernetes-service."},{"key":"e_1_3_2_1_24_1","unstructured":"Azure. 2023 c. Best practices for advanced scheduler features in Azure Kubernetes Service (AKS). https:\/\/learn.microsoft.com\/en-us\/azure\/aks\/operator-best-practices-advanced-scheduler."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3380786.3391395"},{"key":"e_1_3_2_1_26_1","volume-title":"Kubernetes Autoscaling: YoYo Attack Vulnerability and Mitigation. arXiv e-prints","author":"David Ronen Ben","year":"2021","unstructured":"Ronen Ben David and Anat Bremler Barr. 2021. Kubernetes Autoscaling: YoYo Attack Vulnerability and Mitigation. arXiv e-prints (2021), arXiv-2105."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/CLOUD55607.2022.00022"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/CCWC47524.2020.9031195"},{"key":"e_1_3_2_1_29_1","unstructured":"ALESSANDRO BRUCATO. 2023. Detecting and mitigating CVE-2022-42889 a.k.a. Text4shell. https:\/\/sysdig.com\/blog\/cve-2022-42889-text4shell\/."},{"key":"e_1_3_2_1_30_1","volume-title":"2023 a","author":"Tencent Kubernetes Engine Distributed Cloud Center","unstructured":"Tencent Kubernetes Engine Distributed Cloud Center. 2023 a. Tencent Kubernetes Engine Distributed Cloud Center Operation Guide Product Documentation. https:\/\/main.qcloudimg.com\/raw\/document\/intl\/product\/pdf\/1144_45541_en.pdf."},{"key":"e_1_3_2_1_31_1","volume-title":"2023 b","author":"Tencent Kubernetes Engine Distributed Cloud Center","unstructured":"Tencent Kubernetes Engine Distributed Cloud Center. 2023 b. Tencent Kubernetes Engine Distributed Cloud Center Product Introduction Product Documentation. https:\/\/main.qcloudimg.com\/raw\/document\/intl\/product\/pdf\/1144_45535_en.pdf."},{"key":"e_1_3_2_1_32_1","unstructured":"Alibaba Cloud. 2023 a. Alibaba Cloud Container Service for Kubernetes (ACK). https:\/\/www.alibabacloud.com\/product\/kubernetes."},{"key":"e_1_3_2_1_33_1","unstructured":"Alibaba Cloud. 2023 b. App Marketplace. https:\/\/www.alibabacloud.com\/help\/en\/container-service-for-kubernetes\/latest\/app-marketplace."},{"key":"e_1_3_2_1_34_1","volume-title":"ANNUAL SURVEY 2022","author":"CNCF.","year":"2023","unstructured":"CNCF. 2023. ANNUAL SURVEY 2022. https:\/\/www.cncf.io\/reports\/cncf-annual-survey-2022\/."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/LADC.2018.00013"},{"key":"e_1_3_2_1_36_1","unstructured":"Fluid. 2023. Adopters of Fluid. https:\/\/github.com\/fluid-cloudnative\/fluid\/blob\/master\/ADOPTERS.md#adopters-of-fluid."},{"key":"e_1_3_2_1_37_1","unstructured":"Cloud Native Computing Fundation. 2023 a. GRADUATED AND INCUBATING PROJECTS. https:\/\/www.cncf.io\/projects\/."},{"key":"e_1_3_2_1_38_1","unstructured":"Cloud Native Computing Fundation. 2023 b. SANDBOX PROJECTS. https:\/\/www.cncf.io\/sandbox-projects\/."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2879605"},{"key":"e_1_3_2_1_40_1","volume-title":"Proceedings of the 12th conference on security and privacy in wireless and mobile networks. 151--161","author":"William Enck Sigmund Albert","year":"2019","unstructured":"Sigmund Albert Gorski III and William Enck. 2019. Arf: identifying re-delegation vulnerabilities in android system services. In Proceedings of the 12th conference on security and privacy in wireless and mobile networks. 151--161."},{"key":"e_1_3_2_1_41_1","volume-title":"Security Analysis of Docker Containers for ARM Architecture. In 2022 IEEE\/ACM 7th Symposium on Edge Computing (SEC). IEEE, 224--236","author":"Haq Md Sadun","year":"2022","unstructured":"Md Sadun Haq, Ali cS aman Tosun, and Turgay Korkmaz. 2022. Security Analysis of Docker Containers for ARM Architecture. In 2022 IEEE\/ACM 7th Symposium on Edge Computing (SEC). IEEE, 224--236."},{"key":"e_1_3_2_1_42_1","volume-title":"KGSecConfig: A Knowledge Graph Based Approach for Secured Container Orchestrator Configuration. In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","author":"Haque Mubin Ul","unstructured":"Mubin Ul Haque, M Mehdi Kholoosi, and M Ali Babar. 2022. KGSecConfig: A Knowledge Graph Based Approach for Secured Container Orchestrator Configuration. In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, 420--431."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPDS.2020.3029088"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Tong Kong Liming Wang Duohe Ma Zhen Xu Qian Yang and Kai Chen. 2019. A secure container deployment strategy by genetic algorithm to defend against co-resident attacks in cloud computing. In 2019 IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems (HPCC\/SmartCity\/DSS). IEEE 1825--1832.","DOI":"10.1109\/HPCC\/SmartCity\/DSS.2019.00251"},{"key":"e_1_3_2_1_45_1","unstructured":"Kubevirt. 2023. Adopters. https:\/\/github.com\/kubevirt\/kubevirt\/blob\/main\/ ADOPTERS.md."},{"key":"e_1_3_2_1_46_1","unstructured":"Kubewarden. 2023. Adopters. https:\/\/github.com\/kubewarden\/kubewarden-controller\/blob\/main\/ADOPTERS.md\/."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_11"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00070"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274720"},{"key":"e_1_3_2_1_50_1","volume-title":"Whispers between the containers: High-capacity covert channel attacks in docker. In 2016 IEEE trustcom\/bigdatase\/ispa","author":"Luo Yang","unstructured":"Yang Luo, Wu Luo, Xiaoning Sun, Qingni Shen, Anbang Ruan, and Zhonghai Wu. 2016. Whispers between the containers: High-capacity covert channel attacks in docker. In 2016 IEEE trustcom\/bigdatase\/ispa. IEEE, 630--637."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2018.03.011"},{"key":"e_1_3_2_1_52_1","volume-title":"2020 USENIX Annual Technical Conference (USENIX ATC 20)","author":"Nam Jaehyun","year":"2020","unstructured":"Jaehyun Nam, Seungsoo Lee, Hyunmin Seo, Phil Porras, Vinod Yegneswaran, and Seungwon Shin. 2020. {BASTION}: A security enforcement network stack for container networks. In 2020 USENIX Annual Technical Conference (USENIX ATC 20). 81--95."},{"key":"e_1_3_2_1_53_1","unstructured":"OpenFeature. 2023. Adopters. https:\/\/github.com\/open-feature\/community\/blob\/main\/ ADOPTERS.md\/."},{"key":"e_1_3_2_1_54_1","unstructured":"OpenKruise. 2023. Users. https:\/\/github.com\/openkruise\/kruise#users."},{"key":"e_1_3_2_1_55_1","unstructured":"Inc O'Reilly Media. 2023. Chapter 1. Container Security Threats. https:\/\/www.oreilly.com\/library\/view\/container-security\/9781492056690\/ch01.html."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3529320.3529325"},{"key":"e_1_3_2_1_57_1","volume-title":"Dibyendu Brinto Bose, and Rahul Pandita.","author":"Rahman Akond","year":"2023","unstructured":"Akond Rahman, Shazibul Islam Shamim, Dibyendu Brinto Bose, and Rahul Pandita. 2023. Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study. ACM Transactions on Software Engineering and Methodology (2023)."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev51306.2021.00022"},{"key":"e_1_3_2_1_59_1","unstructured":"Deb Richardson. 2021. What I learned about Kubernetes and Knative Serverless. https:\/\/www.redhat.com\/en\/blog\/what-i-learned-about-kubernetes-and-knative-serverless."},{"key":"e_1_3_2_1_60_1","volume-title":"Pablo Garcia Bringas, and Gonzalo \u00c1lvarez","author":"Sanz Borja","year":"2013","unstructured":"Borja Sanz, Igor Santos, Carlos Laorden, Xabier Ugarte-Pedrero, Pablo Garcia Bringas, and Gonzalo \u00c1lvarez. 2013. Puma: Permission usage to detect malware in android. In International joint conference CISIS'12-ICEUTE 12-SOCO 12 special sessions. Springer, 289--298."},{"key":"e_1_3_2_1_61_1","unstructured":"Alibaba Container Service. 2020. From Serverless Containers to Serverless Kubernetes. https:\/\/www.alibabacloud.com\/blog\/from-serverless-containers-to-serverless-kubernetes_596533."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3473495"},{"key":"e_1_3_2_1_63_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Shen Bingyu","year":"2021","unstructured":"Bingyu Shen, Lili Wei, Chengcheng Xiang, Yudong Wu, Mingyao Shen, Yuanyuan Zhou, and Xinxin Jin. 2021. Can systems explain permissions better? understanding users' misperceptions under smartphone runtime permission model. In 30th USENIX Security Symposium (USENIX Security 21). 751--768."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3411495.3421357"},{"key":"e_1_3_2_1_65_1","unstructured":"Container Security Site. 2023. Container Breakout Vulnerabilities. https:\/\/www.container-security.site\/attackers\/container_breakout_vulnerabilities.html."},{"key":"e_1_3_2_1_66_1","volume-title":"27th USENIX Security Symposium (USENIX Security 18)","author":"Sun Yuqiong","year":"2018","unstructured":"Yuqiong Sun, David Safford, Mimi Zohar, Dimitrios Pendarakis, Zhongshu Gu, and Trent Jaeger. 2018. Security namespace: making linux security frameworks available to containers. In 27th USENIX Security Symposium (USENIX Security 18). 1423--1439."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/3366615.3368356"},{"key":"e_1_3_2_1_68_1","unstructured":"Sysdig. 2022. Sysdig 2022 Cloud-Native Security and Usage Report. https:\/\/sysdig.com\/2022-cloud-native-security-and-usage-report\/."},{"key":"e_1_3_2_1_69_1","unstructured":"Oren Teich. 2019. Cloud Run a managed Knative service is GA. https:\/\/cloud.google.com\/blog\/products\/serverless\/knative-based-cloud-run-services-are-ga."},{"key":"e_1_3_2_1_70_1","unstructured":"Google Cloud terms. [n. d.]. Isolate your workloads in dedicated node pools. https:\/\/cloud.google.com\/kubernetes-engine\/docs\/how-to\/isolate-workloads-dedicated-nodes."},{"key":"e_1_3_2_1_71_1","unstructured":"Google Cloud terms. 2023 a. GKE Features. https:\/\/cloud.google.com\/kubernetes-engine#section-2."},{"key":"e_1_3_2_1_72_1","unstructured":"Google Cloud terms. 2023 b. Google Cloud Marketplace. https:\/\/cloud.google.com\/marketplace."},{"key":"e_1_3_2_1_73_1","unstructured":"Google Cloud terms. 2023 c. Google Kubernetes Engine(GKE). https:\/\/cloud.google.com\/kubernetes-engine."},{"key":"e_1_3_2_1_74_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Tuncay G\u00fcliz Seray","year":"2020","unstructured":"G\u00fcliz Seray Tuncay, Jingyu Qian, and Carl A Gunter. 2020. See no evil: phishing for permissions with false transparency. In 29th USENIX Security Symposium (USENIX Security 20). 415--432."},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.51"},{"key":"e_1_3_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.32"},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484744"},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103173"}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3623121","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3576915.3623121","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,21]],"date-time":"2025-08-21T01:55:21Z","timestamp":1755741321000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3623121"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,15]]},"references-count":78,"alternative-id":["10.1145\/3576915.3623121","10.1145\/3576915"],"URL":"https:\/\/doi.org\/10.1145\/3576915.3623121","relation":{},"subject":[],"published":{"date-parts":[[2023,11,15]]},"assertion":[{"value":"2023-11-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}