This paper addresses the challenge of balancing security and functional availability in container security policy enforcement. We propose an environment-aware, automated policy generation method that leverages eBPF-based kernel monitoring and multi-environment dynamic analysis to faithfully reconstruct runtime contexts—thereby uncovering implicit execution paths missed by conventional static or lightweight analysis. Our approach introduces a dual-dimension scoring mechanism (security vs. functionality) and a heuristic environment exploration strategy to enable customizable policy optimization. Evaluation across the Top 15 containers shows that our method identifies 16.5% more system calls on average than baseline approaches, covers 45 known vulnerability-related risks, and successfully blocks exploitation attempts for two representative vulnerabilities—CVE-2022-23648 and CVE-2023-2728—demonstrating substantial attack surface reduction.

This paper introduces BeaCon, a novel tool for the automated generation of adjustable container security policies. Unlike prior approaches, BeaCon leverages dynamic analysis to simulate realistic environments, uncovering container execution paths that may remain hidden during the profiling phase. To address the challenge of exploring vast profiling spaces, we employ efficient heuristics to reveal additional system events with minimal effort. In addition, BeaCon incorporates a security and functionality scoring mechanism to prioritize system calls and capabilities based on their impact on the host OS kernel's security and the functionality of containerized applications. By integrating these scores, BeaCon achieves a customized balance between security and functionality, enabling cloud providers to enforce security measures while maintaining tenant availability. We implemented a prototype of BeaCon using eBPF kernel technology and conducted extensive evaluations. Results from the top 15 containers, which revealed significant improvements, demonstrate that BeaCon identifies an average of 16.5% additional syscalls by applying diverse environments. Furthermore, we evaluated its effectiveness in mitigating risks associated with 45 known vulnerabilities (e.g., CVEs), showcasing its potential to significantly enhance container security. Additionally, we performed proof-of-concept demonstrations for two well-known security vulnerabilities, showing that BeaCon successfully reduces attack surface by blocking these exploits.