CN113032129A - Method for generating process designated by user by blocking container - Google Patents

Method for generating process designated by user by blocking container

Info

Publication number
CN113032129A
CN113032129A
Authority
CN
China
Prior art keywords
container
function
ptrace
pid
name
Prior art date
Legal status
Pending
Application number
CN202110438473.XA
Other languages
Chinese (zh)
Inventor
罗强
袁曙光
王鹏
Current Assignee
Beijing Xiaoyou Technology Co Ltd
Original Assignee
Beijing Xiaoyou Technology Co Ltd
Priority date
2021-04-22
Filing date
2021-04-22
Publication date
2021-06-25

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/48 Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806 Task transfer initiation or dispatching
    • G06F9/4812 Task transfer initiation or dispatching by interrupt, e.g. masked
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention provides a method by which a container blocks the spawning of user-specified processes, comprising the following steps: S1, start a ptrace process that traces all processes in the system and loads updated interfaces through a hot-loading function; S2, if there is an interface to update, load the latest process names from that interface into the ptrace process; S3, the ptrace process obtains the system calls made by processes in the container and checks whether each is a process-spawning function; S4, match each process name newly loaded into the ptrace process with the process-name matching function and decide whether it is the name of a specified process whose spawning must be blocked. With this method, malicious processes can be blocked by hot-updating the configuration, without restarting the container to reload the configuration file.

Description

Method for generating process designated by user by blocking container
Technical Field
The invention relates to the technical field of process blocking, in particular to a method by which a container blocks the spawning of user-specified processes.
Background
Cloud technology has matured, and under the emerging cloud-native technology, container technology is applied and promoted ever more widely: docker, kata-runtime, gVisor and the like. Microservice distributed systems on SaaS platforms in particular are built with the container as their basic component.
The wide adoption of containers is accompanied by hackers intruding into containers to occupy them at scale, or escaping from a container outwards to intranet and extranet hosts. When a hacker packs a malicious program into a container, the malicious program runs whenever the container runs. A container is a special user-space process, and restricting the loading and running of a specified program is difficult at the container level. Malicious processes include both malicious process names known on the global market and custom malicious process names set by the user.
The existing function for blocking a process running in a container is mainly based on AppArmor, which forbids an executable file in the container from being turned into a process by means of a security profile. The specific steps are:
(1) generate an AppArmor blocking process;
(2) collect the names of the processes whose spawning is to be blocked;
(3) write the names of the processes to be blocked into the profile;
(4) when the container runs, specify that the profile from step (3) be loaded.
Thus, while the container runs, each program is matched against the profile from step (3): it is judged whether the program name is one forbidden to run, and if so the process is blocked.
This AppArmor flow has the following disadvantages, a precondition and a constraint on running the container. Precondition: the names of the processes whose spawning is to be blocked must be collected in advance and loaded when the container runs. Constraint: if the container is already running and a name is to be added to the blocked processes, the current container has to be stopped, the blocked name added, and the container run again.
In addition, SECCOMP can also achieve process blocking, but it does so only by blocking the process from calling the process-creation interfaces of the kernel layer, such as the system interface functions fork(), vfork(), clone() and execve() through which processes are created.
Its only configuration condition is the system call number corresponding to a function name, and this matching is coarse-grained (a seccomp-bpf filter sees a system call's number and register arguments but cannot read the pathname string that an execve pointer argument refers to): it blocks every call the container makes to that system interface, so normal programs cannot run either. It also shares AppArmor's problem: there is no way to load a configuration file dynamically, and if the contents of the configuration file are modified, the container has to be restarted to load them.
To sum up, the existing process by which a container blocks the spawning of a malicious process is: collect the name of the malicious process, stop the container, modify the container's configuration file, and have the container reload the modified configuration file; the running of a malicious process cannot be dynamically blocked without stopping the container.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method by which a container blocks the spawning of user-specified processes.
The invention is realised by the following technical scheme:
the invention provides a method by which a container blocks the spawning of user-specified processes, comprising the following steps:
S1, start a ptrace process that traces all processes in the system, including the container and the processes in it, and loads updated interfaces through a hot-loading function.
S2, if there is an interface to update, load the latest process names from that interface into the ptrace process for matching by the process-name matching function.
S3, the ptrace process obtains the system calls made by processes in the container and checks whether each is a process-spawning function;
if not, wait for the next system call;
if it is sys_clone, sys_fork or sys_vfork, obtain the PID of the spawned process, add it to the PID pool of the container process, and use the PID pool as the condition for monitoring the processes in the container;
if it is sys_execve, obtain the parameters of the spawned process, take the spawned process's name from those parameters, and load it into the ptrace process for matching.
S4, match each process name newly loaded into the ptrace process with the process-name matching function and decide whether it is the name of a specified process whose spawning must be blocked;
if so, block the program from running either by clearing the path the register points to or by deleting the corresponding PID from the PID pool of the container process.
The hot-loading function in step S1 is a functional module within the ptrace process; it stores the process names to be updated in the ptrace process whenever the user-defined process names to block are updated or the malware names known on the market change.
The process-name matching function in steps S2 and S4 is a functional module within the ptrace process; after catching a call to a process-spawning function, it obtains the function's parameters and matches them against the process names stored in the ptrace process.
The PID pool of the container process in step S3 is the set of PIDs of all running processes in the container monitored by the ptrace process.
In this embodiment the configuration file is reloaded without restarting the container, so malicious processes can be blocked by hot-updating the configuration.
Drawings
FIG. 1 is a flowchart of a method for generating a container blocking user-specified process according to an embodiment of the present invention;
FIG. 2 is a timing diagram of a container and a ptrace process provided by an embodiment of the invention;
FIG. 3 is a timing diagram of communication between the ptrace process and an external process according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In order to facilitate understanding of the container blocking user-specified process generation method provided by the embodiment of the present invention, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Referring to fig. 1, which is a flow chart provided by an embodiment of the present invention, the method by which a container blocks the spawning of user-specified processes comprises the following steps:
S1, start a ptrace process that traces all processes in the system, including the container and the processes in it, and loads updated interfaces through a hot-loading function.
S2, if there is an interface to update, load the latest process names from that interface into the ptrace process for matching by the process-name matching function.
S3, the ptrace process obtains the system calls made by processes in the container and checks whether each is a process-spawning function;
if not, wait for the next system call;
if it is sys_clone, sys_fork or sys_vfork, obtain the PID of the spawned process, add it to the PID pool of the container process, and use the PID pool as the condition for monitoring the processes in the container;
if it is sys_execve, obtain the parameters of the spawned process, take the spawned process's name from those parameters, and load it into the ptrace process for matching.
S4, match each process name newly loaded into the ptrace process with the process-name matching function and decide whether it is the name of a specified process whose spawning must be blocked;
if so, block the program from running either by clearing the path the register points to or by deleting the corresponding PID from the PID pool of the container process.
The hot-loading function in step S1 is a functional module within the ptrace process; it stores the process names to be updated in the ptrace process whenever the user-defined process names to block are updated or the malware names known on the market change.
The process-name matching function in steps S2 and S4 is a functional module within the ptrace process; after catching a call to a process-spawning function, it obtains the function's parameters and matches them against the process names stored in the ptrace process.
The PID pool of the container process in step S3 is the set of PIDs of all running processes in the container monitored by the ptrace process.
System calls are the primary way programs interact with an operating system. The system call interface comprises functions that the operating system provides to the applications running on it: they open files, create network connections, read from and write to files, and so on, and most events within a container pass through system calls.
A process is spawned in a container by calling the exec family declared in the <unistd.h> header: execl, execlp, execle, execv, execvp and execvpe each name an executable file and load it to create the process. At the system-call interface, these application-layer wrapper functions all end in the execve system call, number 59 on 64-bit (x86-64) Linux.
The ptrace() system call is provided by the Linux kernel for monitoring a process with a specified PID: it controls the running of that process and can inspect and change its core image, i.e. its memory at run time. It is mainly used to implement breakpoint debugging. A traced process runs until a signal arrives; the process is then stopped and its tracer (acting as its parent) is notified. While the process is stopped, the ptrace process can read and write the memory of the traced process.
Combining the system's process-spawning mechanism with the ptrace tracing mechanism, the method applies both to containers. The ptrace process traces the PIDs of the container's processes, inspects the processes within the container and checks whether their system calls are the ones used to spawn processes. When a process is to be spawned in the container, that is, when an executable file is turned into a running process, Linux on the 64-bit platform calls execve, and the ptrace mechanism is triggered. At that point the ptrace process can read the register values of the process in the container that is calling execve (on x86-64 the system call number is in orig_rax and the first argument, the pathname, is in rdi), and from those values obtain the parameters of the execve call, including the absolute path and name of the file. The ptrace process then matches the name in those parameters against the names whose spawning must be blocked. If the name matches, the execve call is blocked in one of two ways. In the first, the full path that the register points to is modified: the path is cleared, so the path execve sees does not exist, and clearing the path the register points to stops the execve call from succeeding. In the second, the system call number of the execve call is changed to one that does not exist; since no corresponding system call can be found, the call fails. The patent describes this second mode as deleting the corresponding PID from the PID pool of the container process: after the PID is deleted, the system call number is that of a non-existent function.
The existing process by which a container blocks the spawning of a malicious process is: collect the name of the malicious process, stop the container, modify the container's configuration file, and have the container reload the modified configuration file; the running of a malicious process cannot be dynamically blocked without stopping the container.
To address this technical difficulty, a finer-grained matching method matches the names of the processes to be spawned: any process in the system, including containers and the processes in them, can be traced through the ptrace() interface provided by Linux. The system-call API and its parameters used while the traced process executes are therefore obtained, and the API and parameters of the process are matched.
The method uses ptrace to capture the system interfaces called by the traced process: sys_clone, sys_fork, sys_vfork, sys_execve and the like. These four interfaces are the kernel layer's interfaces to the application layer, where they are wrapped in libc functions such as execl, execve, fork, vfork and clone. However many layers of wrapping the upper layers add, one of the four system interfaces sys_clone, sys_fork, sys_vfork or sys_execve is finally called.
From the matched system call, the name of the process being executed is obtained from the interface's parameters; if that fails, the process name is obtained from the values held in the registers at the time of the system call. The acquired name is matched against the names set by the user or the names of malware known worldwide. If there is no match, nothing is done and the next match is awaited. If the name matches, its spawning is blocked using one of the two blocking modes, which are detailed below by example.
The first blocking mode modifies the path of the file the process is to load. For example: when the path passed to spawn the process is 'bin/ls', the path is cleared entirely, so the spawning call sees an empty path.
The second blocking mode modifies the system call number of the traced process (the patent describes this as deleting the corresponding PID from the PID pool of the container process: after the PID is deleted, the system call number is that of a non-existent function). For example: when the traced process issues system call number 56, the clone interface that spawns a process, the tracer sets number 56 to a system call number that does not exist, such as 99999.
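The interception and the two blocking modes described above, as an added example written for this page (it is not code from the patent or from the applicant): an x86-64 Linux tracer that attaches to a given PID, follows its forks, vforks and clones so that every descendant joins the pool of traced PIDs, stops at each system-call entry, and when the call is execve reads the pathname argument out of the tracee and matches its last component against a blocklist. A match is blocked either by clearing the first byte of the pathname in the tracee's memory (mode 1, so execve sees an empty path and fails with ENOENT) or by rewriting the syscall number in orig_rax to the patent's example value 99999 (mode 2, so the kernel answers ENOSYS and loads nothing). The blocklist contents, the command-line handling and the register names are this example's own assumptions; the patent describes the technique without code.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed blocklist; the patent matches by process name, so only names are kept. */
static const char *BLOCKED[] = { "nc", "miner", "dropper" };

/* Match the last component of execve's pathname against the blocklist. */
int is_blocked(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (size_t i = 0; i < sizeof BLOCKED / sizeof *BLOCKED; i++)
        if (strcmp(base, BLOCKED[i]) == 0) return 1;
    return 0;
}

#if defined(__x86_64__)
/* Copy a NUL-terminated string out of the tracee, one word at a time. */
static void read_tracee_str(pid_t pid, unsigned long addr, char *out, size_t n)
{
    size_t i;
    for (i = 0; i + sizeof(long) <= n; i += sizeof(long)) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL);
        if (errno) break;
        memcpy(out + i, &w, sizeof w);
        if (memchr(&w, 0, sizeof w)) return;
    }
    out[i < n ? i : n - 1] = '\0';
}

/* Mode 1: overwrite the first byte of the pathname, so execve sees "" and fails with ENOENT. */
static void block_by_clearing_path(pid_t pid, unsigned long addr)
{
    long w = ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
    w &= ~0xffL;                                             /* little-endian: low byte is path[0] */
    ptrace(PTRACE_POKEDATA, pid, (void *)addr, (void *)w);
}

/* Mode 2: a syscall number that does not exist, so the kernel answers ENOSYS and loads nothing. */
static void block_by_bad_syscall_nr(pid_t pid, struct user_regs_struct *regs)
{
    regs->orig_rax = 99999;                                  /* the patent's own example value */
    ptrace(PTRACE_SETREGS, pid, NULL, regs);
}

/* One syscall stop. On x86-64, rax == -ENOSYS marks the entry stop rather than the exit stop. */
static void on_syscall_stop(pid_t pid, int use_mode2)
{
    struct user_regs_struct regs;
    char path[4096];
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return;
    if ((long)regs.rax != -ENOSYS || regs.orig_rax != SYS_execve) return;
    read_tracee_str(pid, regs.rdi, path, sizeof path);       /* rdi holds the pathname argument */
    if (!is_blocked(path)) return;
    if (use_mode2) block_by_bad_syscall_nr(pid, &regs);
    else           block_by_clearing_path(pid, regs.rdi);
    fprintf(stderr, "[tracer] pid %d: blocked execve(\"%s\")\n", (int)pid, path);
}
#else
static void on_syscall_stop(pid_t pid, int m) { (void)pid; (void)m; }  /* register names are x86-64 only */
#endif

int main(int argc, char **argv)
{
    long opts = PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK |
                PTRACE_O_TRACECLONE | PTRACE_O_TRACEEXEC;    /* auto-attach children; exec is an event stop */
    int status, use_mode2 = argc > 2 && strcmp(argv[2], "--mode2") == 0;
    pid_t pid, target = argc > 1 ? (pid_t)atoi(argv[1]) : 0;
    if (target <= 0) { fprintf(stderr, "usage: %s <pid of container init> [--mode2]\n", argv[0]); return 2; }
    if (ptrace(PTRACE_ATTACH, target, NULL, NULL) == -1) { perror("PTRACE_ATTACH"); return 1; }
    waitpid(target, &status, __WALL);                        /* the attach stop */
    ptrace(PTRACE_SETOPTIONS, target, NULL, (void *)opts);
    ptrace(PTRACE_SYSCALL, target, NULL, NULL);
    for (;;) {                                               /* every tracee reports here: the PID pool */
        if ((pid = waitpid(-1, &status, __WALL)) == -1) break; /* ECHILD: the pool is empty */
        if (!WIFSTOPPED(status)) continue;                   /* exited: the PID leaves the pool */
        int sig = WSTOPSIG(status);
        if (sig == (SIGTRAP | 0x80)) { on_syscall_stop(pid, use_mode2); sig = 0; }
        else if (sig == SIGTRAP || sig == SIGSTOP) sig = 0;  /* fork/clone/exec event or a new child's stop */
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig); /* resume; other signals are delivered as-is */
    }
    return 0;
}
```

Compile with `gcc -O2 -o tracer tracer.c` and run it as root (or with CAP_SYS_PTRACE) against the container's init PID (for Docker, `docker inspect -f '{{.State.Pid}}' <name>`); an attempt to exec a binary named `nc` inside that container is then refused. Limits a practitioner should weigh: PTRACE_ATTACH takes only the PID given, so descendants that already exist when the tracer starts are not in the pool and would need attaching one by one; matching by name means a binary copied under another name is not matched; execveat is a second entry point that this filter does not inspect; and because the pathname is read from the tracee's memory before the call proceeds, another thread of the tracee can change it in between, a limitation shared by all ptrace-based argument filtering. The stop on every system call also costs throughput, which is the price of the finer granularity the patent claims over seccomp.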
Reference is also made to fig. 2 and fig. 3: fig. 2 is a timing diagram of the container and the ptrace process, and fig. 3 a timing diagram of communication between the ptrace process and an external process, both provided by the embodiment of the present invention. Deleting the corresponding PID from the PID pool of the container process proceeds as follows: when the container starts, the ptrace process obtains the PID of the container process; it traces that PID as the object monitored by ptrace and captures the system-call API; when the container calls a system API, the ptrace process is triggered and the container is suspended; the ptrace process then matches and checks whether the system API and its parameters must be blocked.
According to the technical scheme, the configuration file can be reloaded without restarting the container, and the hot-update configuration method is realised as follows:
while loading the ptrace interface, a read-configuration interface is exposed externally. When the process names set by the user or the process names of malware on the market are updated, the updated names are collected into a configuration file, and that file is written into the running ptrace process through the read-configuration interface.
So at matching time the latest process names set by the user, or the latest malware process names on the market, are matched, which avoids modifying the configuration as with SECCOMP or AppArmor and avoids restarting the container to load it.
According to the technical scheme, the configuration file need not be reloaded by restarting the container, and malicious processes can be blocked by the hot-update configuration method.
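The hot-loading function of steps S1 and S2 and the read-configuration interface described above, as an added example written for this page (not the patent's code): the blocklist is kept in the tracer's own memory, SIGHUP stands in for the read-configuration interface, the signal handler only raises a flag, and the file is re-read from the main loop, where the patent's tracer would check the flag after each `waitpid()`. The file path, the file format (one process name per line) and the choice of SIGHUP are assumptions of this example.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_NAMES 256
#define NAME_LEN  64

/* The blocklist lives in the tracer's own memory; the matcher only ever reads from here. */
static char g_names[MAX_NAMES][NAME_LEN];
static int g_count;
static volatile sig_atomic_t g_reload;
static const char *g_conf = "/etc/blocklist.conf";     /* assumed path; the patent names no file */

/* Replace the blocklist with one process name per line; '#' lines and blank lines are ignored. */
int blocklist_load(const char *text)
{
    const char *p = text;
    g_count = 0;
    while (*p && g_count < MAX_NAMES) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p), start = 0;
        while (len && strchr(" \t\r", p[len - 1])) len--;          /* trim right */
        while (start < len && strchr(" \t", p[start])) start++;     /* trim left */
        if (len > start && p[start] != '#' && len - start < NAME_LEN) {
            memcpy(g_names[g_count], p + start, len - start);
            g_names[g_count++][len - start] = '\0';
        }
        if (!eol) break;
        p = eol + 1;
    }
    return g_count;
}

/* Match the last component of execve's pathname against the current list. */
int blocklist_match(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (int i = 0; i < g_count; i++)
        if (strcmp(base, g_names[i]) == 0) return 1;
    return 0;
}

/* SIGHUP plays the role of the read-configuration interface; the handler only raises a flag. */
static void on_hup(int sig) { (void)sig; g_reload = 1; }

/* Called from the tracer's main loop after each waitpid(); re-reads the file only when asked.
   Returns 1 if the blocklist was replaced. No tracee is stopped or restarted for this. */
int reload_if_requested(void)
{
    char buf[8192];
    if (!g_reload) return 0;
    g_reload = 0;
    FILE *f = fopen(g_conf, "r");
    if (!f) { perror(g_conf); return 0; }
    size_t r = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[r] = '\0';
    fprintf(stderr, "[tracer] reloaded: %d names\n", blocklist_load(buf));
    return 1;
}

int main(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_hup;                       /* no SA_RESTART: a blocking waitpid() returns EINTR */
    sigaction(SIGHUP, &sa, NULL);
    g_reload = 1;                                 /* initial load on start-up */
    reload_if_requested();
    fprintf(stderr, "pid %d: edit %s, then send SIGHUP\n", (int)getpid(), g_conf);
    for (;;) {
        pause();                                  /* stands in for the tracer's waitpid(-1, ...) */
        if (reload_if_requested())
            fprintf(stderr, "\"miner\" is now %s\n", blocklist_match("/tmp/miner") ? "blocked" : "allowed");
    }
}
```

Inside the tracer, the `pause()` loop is replaced by the tracer's `waitpid(-1, ...)`, which returns EINTR when SIGHUP arrives because SA_RESTART is not set, so the new list is in place at the next iteration and the next execve is matched against it. Re-reading the file from the main loop rather than from the handler keeps the handler async-signal-safe, and the list is swapped in one piece, so no system call is ever matched against a half-written configuration.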
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent substitutions and improvements made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (4)

1. A method by which a container blocks the spawning of user-specified processes, characterised by comprising the following steps:
S1, start a ptrace process that traces all processes in the system, including the container and the processes in it, and loads updated interfaces through a hot-loading function;
S2, if there is an interface to update, load the latest process names from that interface into the ptrace process for matching by the process-name matching function;
S3, the ptrace process obtains the system calls made by processes in the container and checks whether each is a process-spawning function;
if not, wait for the next system call;
if it is sys_clone, sys_fork or sys_vfork, obtain the PID of the spawned process, add it to the PID pool of the container process, and use the PID pool as the condition for monitoring the processes in the container;
if it is sys_execve, obtain the parameters of the spawned process, take the spawned process's name from those parameters, and load it into the ptrace process for matching;
S4, match each process name newly loaded into the ptrace process with the process-name matching function and decide whether it is the name of a specified process whose spawning must be blocked;
if so, block the program from running either by clearing the path the register points to or by deleting the corresponding PID from the PID pool of the container process.
2. The method of claim 1, characterised in that the hot-loading function is a functional module within the ptrace process; it is used to store the process names to be updated in the ptrace process whenever the user-defined process names to block are updated or the malware names known on the market change.
3. The method of claim 1, characterised in that the process-name matching function is a functional module within the ptrace process; after catching a call to a process-spawning function, it obtains the function's parameters and matches them against the process names stored in the ptrace process.
4. The method of claim 1, characterised in that the PID pool of the container process is the set of PIDs of all running processes in the container monitored by the ptrace process.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110438473.XA CN113032129A (en) 2021-04-22 2021-04-22 Method for generating process designated by user by blocking container

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110438473.XA CN113032129A (en) 2021-04-22 2021-04-22 Method for generating process designated by user by blocking container

Publications (1)

Publication Number Publication Date
CN113032129A true CN113032129A (en) 2021-06-25

Family

ID=76457426

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110438473.XA Pending CN113032129A (en) 2021-04-22 2021-04-22 Method for generating process designated by user by blocking container

Country Status (1)

Country Link
CN (1) CN113032129A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021807A (en) * 2017-12-29 2018-05-11 浙江大学 The fine granularity sandbox policy execution method of linux container
CN108229163A (en) * 2016-12-21 2018-06-29 武汉安天信息技术有限责任公司 A kind of malicious application detection device and method based on Android virtual containers
US20180357068A1 (en) * 2016-06-13 2018-12-13 Dynatrace Llc Method And System For Automated Agent Injection In Container Environments
CN109240809A (en) * 2017-07-11 2019-01-18 阿里巴巴集团控股有限公司 Process maintenance management method, container maintaining method, device and operating system
CN110874263A (en) * 2019-11-06 2020-03-10 北京宝兰德软件股份有限公司 Method and device for monitoring instances of docker container


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113918955A (en) * 2021-09-29 2022-01-11 杭州默安科技有限公司 Linux kernel vulnerability permission promotion detection blocking method and system
CN114676424A (en) * 2022-05-25 2022-06-28 杭州默安科技有限公司 Container escape detection and blocking method, device, equipment and storage medium
CN114676424B (en) * 2022-05-25 2022-09-06 杭州默安科技有限公司 Container escape detection and blocking method, device, equipment and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination