{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2017:J5E6NF6L5UGQ2GTFAVN26SJF7H","short_pith_number":"pith:J5E6NF6L","canonical_record":{"source":{"id":"1712.05493","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-12-15T00:54:21Z","cross_cats_sorted":[],"title_canon_sha256":"1f720a5592a0500af35b4ac7ae7c11df2c8fa1f17cb91d17843412ab305dce90","abstract_canon_sha256":"4d86b94de52331bb6544d8341fb085a250460a71bd41d37393cc9e3422497912"},"schema_version":"1.0"},"canonical_sha256":"4f49e697cbed0d0d1a65055baf4925f9e3a93a9e91a612e94648db512eac1186","source":{"kind":"arxiv","id":"1712.05493","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1712.05493","created_at":"2026-05-18T00:27:56Z"},{"alias_kind":"arxiv_version","alias_value":"1712.05493v1","created_at":"2026-05-18T00:27:56Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1712.05493","created_at":"2026-05-18T00:27:56Z"},{"alias_kind":"pith_short_12","alias_value":"J5E6NF6L5UGQ","created_at":"2026-05-18T12:31:21Z"},{"alias_kind":"pith_short_16","alias_value":"J5E6NF6L5UGQ2GTF","created_at":"2026-05-18T12:31:21Z"},{"alias_kind":"pith_short_8","alias_value":"J5E6NF6L","created_at":"2026-05-18T12:31:21Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2017:J5E6NF6L5UGQ2GTFAVN26SJF7H","target":"record","payload":{"canonical_record":{"source":{"id":"1712.05493","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-12-15T00:54:21Z","cross_cats_sorted":[],"title_canon_sha256":"1f720a5592a0500af35b4ac7ae7c11df2c8fa1f17cb91d17843412ab305dce90","abstract_canon_sha256":"4d86b94de52331bb6544d8341fb085a250460a71bd41d37393cc9e3422497912"},"schema_version":"1.0"},"canonical_sha256":"4f49e697cbed0d0d1a65055baf4925f9e3a93a9e91a612e94648db512eac1186","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T00:27:56.288074Z","signature_b64":"vQiiaIWjm/lkgMVYF/2OEQv+UNQKone2mP5QSWRvfzF7jBZJ2RvONnLUIcaf4VFWAPuVPTICQzGiRrddTDBtCA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"4f49e697cbed0d0d1a65055baf4925f9e3a93a9e91a612e94648db512eac1186","last_reissued_at":"2026-05-18T00:27:56.287362Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T00:27:56.287362Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"1712.05493","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:27:56Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"/hil7hUahXtKr4Gnaf2fYFbFEwxezPsx4hYM7ZWWop6ODo3xzbQw3fC3mu5oVxN2nJXsaztY3i359+molGC7AA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-21T22:33:08.832178Z"},"content_sha256":"0f6478dac5d3b9460160e9379b1f8e8e91c944d6b1bbafb7fe3a7685c1b51c98","schema_version":"1.0","event_id":"sha256:0f6478dac5d3b9460160e9379b1f8e8e91c944d6b1bbafb7fe3a7685c1b51c98"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2017:J5E6NF6L5UGQ2GTFAVN26SJF7H","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Mining Sandboxes for Linux Containers","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"David Lo, Liang Cai, Shanping Li, Xin Xia, Zhiyuan Wan","submitted_at":"2017-12-15T00:54:21Z","abstract_excerpt":"A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. The set of system calls then results as a sandbox of the container. The mined sandbox restricts the container's access to system calls which are not seen during testing an"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1712.05493","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:27:56Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"3kEvFkQmi9c28AVqN+PydcNlfNL64o0FRm6PebcQ/VXQ4UTaC+J9t/ht/+/q0FSEjkrMW2zZf4qcAmjyF5ZpBQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-21T22:33:08.832538Z"},"content_sha256":"5b766fb6286f1f37715520c216db98d9fd8a21053134664a9c28d012b93902a4","schema_version":"1.0","event_id":"sha256:5b766fb6286f1f37715520c216db98d9fd8a21053134664a9c28d012b93902a4"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/J5E6NF6L5UGQ2GTFAVN26SJF7H/bundle.json","state_url":"https://pith.science/pith/J5E6NF6L5UGQ2GTFAVN26SJF7H/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/J5E6NF6L5UGQ2GTFAVN26SJF7H/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-21T22:33:08Z","links":{"resolver":"https://pith.science/pith/J5E6NF6L5UGQ2GTFAVN26SJF7H","bundle":"https://pith.science/pith/J5E6NF6L5UGQ2GTFAVN26SJF7H/bundle.json","state":"https://pith.science/pith/J5E6NF6L5UGQ2GTFAVN26SJF7H/state.json","well_known_bundle":"https://pith.science/.well-known/pith/J5E6NF6L5UGQ2GTFAVN26SJF7H/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2017:J5E6NF6L5UGQ2GTFAVN26SJF7H","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"4d86b94de52331bb6544d8341fb085a250460a71bd41d37393cc9e3422497912","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-12-15T00:54:21Z","title_canon_sha256":"1f720a5592a0500af35b4ac7ae7c11df2c8fa1f17cb91d17843412ab305dce90"},"schema_version":"1.0","source":{"id":"1712.05493","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1712.05493","created_at":"2026-05-18T00:27:56Z"},{"alias_kind":"arxiv_version","alias_value":"1712.05493v1","created_at":"2026-05-18T00:27:56Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1712.05493","created_at":"2026-05-18T00:27:56Z"},{"alias_kind":"pith_short_12","alias_value":"J5E6NF6L5UGQ","created_at":"2026-05-18T12:31:21Z"},{"alias_kind":"pith_short_16","alias_value":"J5E6NF6L5UGQ2GTF","created_at":"2026-05-18T12:31:21Z"},{"alias_kind":"pith_short_8","alias_value":"J5E6NF6L","created_at":"2026-05-18T12:31:21Z"}],"graph_snapshots":[{"event_id":"sha256:5b766fb6286f1f37715520c216db98d9fd8a21053134664a9c28d012b93902a4","target":"graph","created_at":"2026-05-18T00:27:56Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. The set of system calls then results as a sandbox of the container. The mined sandbox restricts the container's access to system calls which are not seen during testing an","authors_text":"David Lo, Liang Cai, Shanping Li, Xin Xia, Zhiyuan Wan","cross_cats":[],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-12-15T00:54:21Z","title":"Mining Sandboxes for Linux Containers"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1712.05493","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:0f6478dac5d3b9460160e9379b1f8e8e91c944d6b1bbafb7fe3a7685c1b51c98","target":"record","created_at":"2026-05-18T00:27:56Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"4d86b94de52331bb6544d8341fb085a250460a71bd41d37393cc9e3422497912","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-12-15T00:54:21Z","title_canon_sha256":"1f720a5592a0500af35b4ac7ae7c11df2c8fa1f17cb91d17843412ab305dce90"},"schema_version":"1.0","source":{"id":"1712.05493","kind":"arxiv","version":1}},"canonical_sha256":"4f49e697cbed0d0d1a65055baf4925f9e3a93a9e91a612e94648db512eac1186","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"4f49e697cbed0d0d1a65055baf4925f9e3a93a9e91a612e94648db512eac1186","first_computed_at":"2026-05-18T00:27:56.287362Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T00:27:56.287362Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"vQiiaIWjm/lkgMVYF/2OEQv+UNQKone2mP5QSWRvfzF7jBZJ2RvONnLUIcaf4VFWAPuVPTICQzGiRrddTDBtCA==","signature_status":"signed_v1","signed_at":"2026-05-18T00:27:56.288074Z","signed_message":"canonical_sha256_bytes"},"source_id":"1712.05493","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:0f6478dac5d3b9460160e9379b1f8e8e91c944d6b1bbafb7fe3a7685c1b51c98","sha256:5b766fb6286f1f37715520c216db98d9fd8a21053134664a9c28d012b93902a4"],"state_sha256":"afc1cb8bac5ee23f14e26c36cdf97ee834aefab7676962aa52245adf7f35fbda"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"qMqFzYv/A3pUE1Nen8H41163VOEhb+QKr+dKzRrwLfIP/cR5hAfm/tDrbeEY9Fvf8urcThLbfzOT1oZ4JaeeAg==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-21T22:33:08.834329Z","bundle_sha256":"646c0767104dd4cb4590877c5f29d9df0079004adc74b7186555da7a252b5931"}}