US 12,248,569 B2
Prevention of container escape-based attacks of a host system
Daniel Prizmant, Sunnyvale, CA (US); Ariel M. Zelivansky, Mountain View, CA (US); Liron Levin, Kefar Sava (IL); and Eran Yanay, Modiin (IL)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Mar. 29, 2024, as Appl. No. 18/621,511.
Application 18/621,511 is a continuation of application No. 17/651,198, filed on Feb. 15, 2022, granted, now 11,983,268.
Prior Publication US 2024/0241950 A1, Jul. 18, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/55 (2013.01); G06F 21/52 (2013.01)
CPC G06F 21/554 (2013.01) [G06F 21/52 (2013.01); G06F 2221/034 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
detecting that a process executing on a host system has invoked a first function that returns a handle for a first object;
based on determining that the first object is an instance of CExecSvc.exe executing on the host system and the handle is for an instance of CExecSvc.exe, determining if the process is associated with a container and is attempting illegitimate access to the host system based, at least in part, on determining if the process is a child of CExecSvc.exe; and
based on determining that the process is associated with a container and is attempting illegitimate access to the host system, restricting access to the host system by the process, wherein restricting access to the host system by the process comprises reducing access permissions for the instance of CExecSvc.exe and returning to the process the handle for the instance of CExecSvc.exe with reduced access permissions.
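The decision logic of claim 1, modelled in C as an added illustration; this is not the patent's implementation or Palo Alto Networks code. The process table is constructed for the example, the reduced access mask is an assumed policy choice, and the check walks the requester's whole ancestor chain rather than only its direct parent, which generalizes the claim's "child of CExecSvc.exe" test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Windows PROCESS_* access-right values (PROC_ prefix avoids a clash with windows.h). */
#define PROC_CREATE_THREAD             0x0002u
#define PROC_VM_OPERATION              0x0008u
#define PROC_VM_READ                   0x0010u
#define PROC_VM_WRITE                  0x0020u
#define PROC_QUERY_LIMITED_INFORMATION 0x1000u
#define PROC_ALL_ACCESS                0x1FFFFFu

/* Rights a container process may keep on the CExecSvc.exe instance (assumed policy). */
#define CEXECSVC_REDUCED_MASK PROC_QUERY_LIMITED_INFORMATION

typedef struct { int pid; int ppid; const char *image; } proc_entry;

/* Constructed process snapshot: CExecSvc.exe (4400) is the parent of the container's
 * processes (5100, 5120); svchost.exe (6000) is an unrelated host process. */
static const proc_entry PROC_TABLE[] = {
    {400, 4, "smss.exe"}, {4400, 400, "CExecSvc.exe"},
    {5100, 4400, "cmd.exe"}, {5120, 5100, "powershell.exe"},
    {6000, 400, "svchost.exe"},
};

static const proc_entry *lookup(int pid) {
    for (size_t i = 0; i < sizeof PROC_TABLE / sizeof PROC_TABLE[0]; i++)
        if (PROC_TABLE[i].pid == pid) return &PROC_TABLE[i];
    return NULL;
}

static bool is_cexecsvc(const proc_entry *p) {
    return p && strcmp(p->image, "CExecSvc.exe") == 0;
}

/* Walks the parent chain of `pid` (at most 64 hops) and reports whether any ancestor
 * is CExecSvc.exe, i.e. whether the requester was spawned inside a Windows container. */
static bool descends_from_cexecsvc(int pid) {
    const proc_entry *p = lookup(pid);
    for (int hops = 0; p && hops < 64; hops++) {
        p = lookup(p->ppid);
        if (is_cexecsvc(p)) return true;
    }
    return false;
}

/* Decision point for an intercepted handle request: returns the access mask to grant.
 * A CExecSvc.exe descendant asking for a handle to CExecSvc.exe gets the requested
 * rights reduced to CEXECSVC_REDUCED_MASK; every other request passes through unchanged. */
unsigned filter_handle_access(int requester_pid, int target_pid, unsigned requested) {
    if (!is_cexecsvc(lookup(target_pid))) return requested;
    if (!descends_from_cexecsvc(requester_pid)) return requested;
    return requested & CEXECSVC_REDUCED_MASK;
}
```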