Which security control is most effective at preventing container breakout attacks where a compromised container attempts to access the host OS?