CN113221103B - Container safety protection method, system and medium - Google Patents


Info

Publication number: CN113221103B
Application number: CN202110501670.1A
Authority: CN (China)
Prior art keywords: container, starting, detection, privilege, user information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113221103A (en)
Inventor: 刘娜
Current assignee: Shandong Yingxin Computer Technology Co Ltd
Original assignee: Shandong Yingxin Computer Technology Co Ltd

Events
Application filed by Shandong Yingxin Computer Technology Co Ltd
Priority to CN202110501670.1A
Publication of CN113221103A
Application granted
Publication of CN113221103B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures

Abstract

The invention discloses a container security protection method, system and medium. The container security protection method comprises the following steps: configuring a first startup parameter and a privilege detection program, and configuring a first user information set and a privilege escalation detection program; acquiring a start instruction for the container, executing a privilege escape detection operation based on the start instruction, the first startup parameter and the privilege detection program to obtain a first detection result, and controlling the starting of the container based on the first detection result; acquiring the startup state of the container, executing a privilege escalation escape detection operation based on the startup state, the first user information set and the privilege escalation detection program to obtain a second detection result, and controlling requests of the container based on the second detection result. Under the condition that containers share an operating system kernel, the method and the device can set container protection measures for the various permission states within a container, effectively prevent malicious intrusion and the various intrusion and escape behaviours against the container, greatly improve container security and reduce potential safety hazards.

Description

Container safety protection method, system and medium
Technical Field
The invention relates to the technical field of cloud platform security maintenance, in particular to a container security protection method, system and medium.
Background
With the rapid development of science and technology, cloud platforms are deployed on most servers. For a lightweight configuration, containers are now often used as the underlying technical support. By design, a container carries no operating system kernel of its own and connects to the user file management layer of the server; its operating environment is bound to the server's operating system kernel. From the perspective of system security, therefore, all containers built on the platform share the server's operating system kernel, and the only security protection between the containers and the server system is the access permission on the user file management layer. The protection surface is single, security is extremely low, and great potential safety hazards can arise.
Disclosure of Invention
The invention mainly solves the problems of the existing container protection methods: a single protection surface, extremely low security and great potential safety hazards.
In order to solve these technical problems, the invention adopts the following technical scheme: a container security protection method is provided, which comprises the following steps:
configuring a first startup parameter and a privilege detection program, and configuring a first user information set and a privilege escalation detection program;
acquiring a start instruction for a container, executing a privilege escape detection operation based on the start instruction, the first startup parameter and the privilege detection program to obtain a first detection result, and controlling the starting of the container based on the first detection result;
acquiring the startup state of the container, executing a privilege escalation escape detection operation based on the startup state, the first user information set and the privilege escalation detection program to obtain a second detection result, and controlling requests of the container based on the second detection result.
As an improvement, the step of configuring the first user information set further comprises:
accessing an open source knowledge base, acquiring threat information corresponding to the container in the open source knowledge base, and extracting first threat user information corresponding to the threat information;
accessing a log file of the container, acquiring intrusion information in the log file, and extracting first intrusion user information corresponding to the intrusion information;
and integrating the first threat user information and the first intrusion user information to obtain the first user information set.
As an improvement, the privilege escape detection operation comprises:
calling the privilege detection program to access the image file of the container, and judging whether the image file contains startup data corresponding to the first startup parameter;
if yes, outputting the first detection result as abnormal configuration of the container startup item;
if not, calling the privilege detection program to access the startup item parameters of the container, and executing a backup detection operation based on the startup item parameters and the first startup parameter.
As an improvement, the backup detection operation comprises:
comparing whether the startup item parameters contain a parameter matching the first startup parameter;
if yes, outputting the first detection result as abnormal configuration of the container startup item;
if not, outputting the first detection result as normal configuration of the container startup item.
As an improvement, the step of controlling the starting of the container based on the first detection result further comprises:
when the first detection result indicates abnormal configuration of the container startup item, stopping the starting of the container;
when the first detection result indicates normal configuration of the container startup item, continuing the starting of the container.
As an improvement, the step of executing a privilege escalation escape detection operation based on the startup state, the first user information set and the privilege escalation detection program further comprises:
when the startup state is that the container has been triggered to start, executing the privilege escalation escape detection operation based on the first user information set and the privilege escalation detection program.
As an improvement, the privilege escalation escape detection operation comprises:
calling the privilege escalation detection program to obtain an access request of the container to an operating system directory, and identifying second user information corresponding to the access request;
judging whether user information corresponding to the first threat user information or the first intrusion user information exists in the second user information;
if such user information exists, outputting the second detection result as operating user abnormal; if it does not exist, outputting the second detection result as operating user normal.
As an improvement, the step of controlling requests of the container based on the second detection result further comprises:
when the second detection result is operating user abnormal, rejecting the access request;
when the second detection result is operating user normal, allowing the access request.
The present invention also provides a container security protection system, comprising:
an initialization module, a privilege detection module and a privilege escalation detection module;
the initialization module is used for configuring a first startup parameter and a privilege detection program, and configuring a first user information set and a privilege escalation detection program;
the privilege detection module is used for acquiring a start instruction for a container, executing a privilege escape detection operation based on the start instruction, the first startup parameter and the privilege detection program to obtain a first detection result, and controlling the starting of the container based on the first detection result;
the privilege escalation detection module is used for acquiring the startup state of the container, executing a privilege escalation escape detection operation based on the startup state, the first user information set and the privilege escalation detection program to obtain a second detection result, and controlling requests of the container based on the second detection result.
The invention also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method for safeguarding containers.
The invention has the following beneficial effects:
1. The container security protection method can set container protection measures for the various permission states within a container under the condition that containers share an operating system kernel, and protects the container in all directions before and after it is started, so that malicious intrusion and the various intrusion and escape behaviours against the container are effectively prevented, container security is greatly improved, potential safety hazards are reduced, and the defects of the prior art are overcome.
2. The container security protection system provided by the invention, through the cooperation of the initialization module, the privilege detection module and the privilege escalation detection module, can set container protection measures for the various permission states within a container under the condition that containers share an operating system kernel, and protects the container in all directions before and after it is started, thereby effectively preventing malicious intrusion and the various intrusion and escape behaviours against the container, greatly improving container security, reducing potential safety hazards and making up for the defects of the prior art.
3. The computer-readable storage medium can guide the cooperation of the initialization module, the privilege detection module and the privilege escalation detection module, and thereby set container protection measures for the various permission states within a container under the condition that containers share an operating system kernel, protect the container in all directions before and after it is started, effectively prevent malicious intrusion and the various intrusion and escape behaviours against the container, greatly improve container security, reduce potential safety hazards, make up for the defects of the prior art, and effectively improve the operability of the container security protection method.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of the container security protection method according to embodiment 1 of the present invention;
FIG. 2 is a schematic flow chart of the container security protection method according to embodiment 1 of the present invention;
FIG. 3 is a diagram of the underlying architecture of a server in which a container is located, according to the prior art described in embodiment 1 of the present invention;
FIG. 4 is an architecture diagram of the container security protection system according to embodiment 2 of the present invention.
Detailed Description
The following detailed description of the preferred embodiments of the present invention, taken in conjunction with the accompanying drawings, will make the advantages and features of the invention easier for those skilled in the art to understand, and thus clearly define the scope of the invention.
In the description of the present invention, it should be noted that the described embodiments of the present invention are a part of the embodiments of the present invention, and not all embodiments; all other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the description of the present invention, it should be noted that the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless explicitly specified or limited otherwise, the terms "startup parameter", "privilege detection program", "startup time point", "privilege escape detection operation", "user information set", "privilege escalation detection program", "startup state", "privilege escalation escape detection operation", "configuration time period", "image file", "startup data", "backup detection operation", "open source knowledge base", "threat information", "threat user information", "intrusion user information", "operating system directory", "privilege detection module" and "initialization module" are to be understood in a broad sense. The specific meanings of the above terms in the present invention can be understood by those skilled in the art in the specific context.
In the description of the present invention, it is to be noted that:
IP is an identity address; ID is an identification code; CIS is an open source knowledge base; java is a programming language; linux is an operating system; kernel is a real-time operating system; python is a programming language; KVM/vmware/Xen is a virtual machine technology.
Example 1
The embodiment provides a method for protecting a container, as shown in fig. 1 to 3, comprising the following steps:
First, it should be noted that the method described in this embodiment is applied to a Linux system. There are two ways of building a cloud platform on Linux. One uses conventional virtualization technology, in which KVM/vmware/Xen simulate physical equipment and thereby build an independent operating environment; the other builds a relatively independent operating environment on container technology as the underlying technology. The relatively independent operating environment is less secure than one built with the conventional technology. The main reason is that, although containers achieve portability and agility, there are usually many of them and all are associated with the kernel layer of the server's host operating system; the only line of security defence is the isolation permission between the containers and the user file management layer, so the protection means is single. Correspondingly, once an intruding virus appears in any container, or the isolation permission is broken through, the operating system kernel can be accessed directly, and once the kernel content is tampered with, the whole system, the server and the containers are greatly affected. Correspondingly, two main ways of breaking through the isolation permission are considered: the method described in this embodiment handles these two escape modes and solves the above problem, and comprises the following steps:
S100, configuring a first startup parameter and a privilege detection program, and configuring a first user information set and a privilege escalation detection program;
Step S100 specifically includes:
Specifically, a privilege escape is usually performed during container configuration and is usually performed by a person; the specific behaviour is to set an independent, fixed privilege startup parameter in the image file of the container. After such configuration, the access permission on the user file management layer is no longer the default, and the access program specified by the parameter can access the management layer;
Specifically, privilege escape behaviour is guarded against when the container is started, so the first startup parameter and the privilege detection program are configured. Specifically, the first startup parameter is a privilege configuration parameter commonly used in the field for the underlying container technology; in this embodiment the privilege configuration parameter is privileged. The privilege detection program is a detection program written in Java or Python, provided with screening and judgement logic corresponding to the first startup parameter;
Specifically, privilege escalation escape behaviour is generally the main enabling operation of a malicious program; the specific operation is to raise the user access permission of the original container to a permission capable of operating the operating system kernel, for example the rewriting-run container escape or the docker-cp container escape;
Specifically, privilege escalation escape behaviour in a started container is to be stopped at its source, so a user permission level must be opened when the container starts; the first user information set and the privilege escalation detection program are configured. It should be noted that the privilege escalation detection program includes, but is not limited to, a detection program, a screening program, or a container of a protection tool; the privilege escalation detection program is configured in each underlying container;
Specifically, an open source knowledge base of an open source organization, such as the CIS, is accessed. The open source knowledge base contains threat information reported by each enterprise organization for its virtual cloud platform, so the threat information corresponding to the container in the open source knowledge base is obtained and the first threat user information corresponding to the threat information is extracted. The first threat user information is the specific information of the master user corresponding to the threat information, and includes an ID, a commonly used IP, a domain name and the like;
Specifically, to improve security, the log file of the container must be accessed and the intrusion information in the log file acquired. The intrusion information is the specific data of previous permission escape or malicious intrusion operations inside the container. The first intrusion user information corresponding to the intrusion information is extracted; like the first threat user information, it is the ID, commonly used IP, domain name and the like of the master user of the intrusion information;
Specifically, after this information is obtained, the first threat user information and the first intrusion user information are integrated to obtain the first user information set. The first user information set is the corresponding access blacklist; users allowed access are screened with this blacklist, which realises a white-list user screening logic, and this white-list user screening logic exists in the privilege escalation detection program.
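The following Python program is an added example, not code from the patent or from the assignee: it builds the first user information set of step S100 from two constructed inputs, a small threat feed in the spirit of an open source knowledge base and a few container log lines. The JSON record layout, the key=value log format, the field names and the sample users, IPs and domains are all assumptions for illustration.

```python
import json
import re
from dataclasses import dataclass
from typing import FrozenSet, Set


@dataclass(frozen=True)
class UserInfo:
    """User information as the page lists it: ID, commonly used IP, domain name."""
    user_id: str
    ip: str
    domain: str


# Constructed sample of threat information as an open source knowledge base
# might export it (the record layout is an assumption, not the CIS format).
THREAT_FEED_JSON = """[
  {"target": "container", "reporter": "org-a",
   "actor": {"id": "u-4471", "ip": "203.0.113.7", "domain": "bad.example"}},
  {"target": "hypervisor", "reporter": "org-b",
   "actor": {"id": "u-9001", "ip": "198.51.100.2", "domain": "other.example"}},
  {"target": "container", "reporter": "org-c",
   "actor": {"id": "u-5150", "ip": "203.0.113.9", "domain": "mal.example"}}
]"""

# Constructed container log lines; the key=value layout is an assumption.
# Lines whose action records a prior permission escape or intrusion are the
# "intrusion information" of step S100.
CONTAINER_LOG = """\
2021-05-01T10:00:01Z INFO  user=u-1000 ip=192.0.2.10 domain=dev.example action=exec cmd=/bin/sh
2021-05-01T10:02:13Z ALERT user=u-7734 ip=203.0.113.42 domain=evil.example action=escalation target=/proc/sys
2021-05-01T10:05:40Z ALERT user=u-4471 ip=203.0.113.7 domain=bad.example action=intrusion target=/etc/shadow
2021-05-01T10:06:00Z INFO  user=u-1000 ip=192.0.2.10 domain=dev.example action=exec cmd=ls
"""

LOG_RE = re.compile(r"user=(?P<id>\S+) ip=(?P<ip>\S+) domain=(?P<domain>\S+) action=(?P<action>\S+)")
INTRUSION_ACTIONS = {"escalation", "intrusion"}


def extract_threat_user_info(feed_json: str) -> Set[UserInfo]:
    """Keep only threat information that concerns containers and pull out the
    master user behind each report (first threat user information)."""
    result = set()
    for record in json.loads(feed_json):
        if record.get("target") != "container":
            continue
        actor = record["actor"]
        result.add(UserInfo(actor["id"], actor["ip"], actor["domain"]))
    return result


def extract_intrusion_user_info(log_text: str) -> Set[UserInfo]:
    """Scan the container log for prior escalation/intrusion records and pull
    out the user behind each (first intrusion user information)."""
    result = set()
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and match.group("action") in INTRUSION_ACTIONS:
            result.add(UserInfo(match.group("id"), match.group("ip"), match.group("domain")))
    return result


def build_first_user_information_set(feed_json: str, log_text: str) -> FrozenSet[UserInfo]:
    """Integrate both sources into the first user information set (the access blacklist)."""
    return frozenset(extract_threat_user_info(feed_json) | extract_intrusion_user_info(log_text))


if __name__ == "__main__":
    blacklist = build_first_user_information_set(THREAT_FEED_JSON, CONTAINER_LOG)
    for entry in sorted(blacklist, key=lambda u: u.user_id):
        print(entry)
```

With the constructed inputs the threat feed contributes two container-related users, the log contributes two users with escalation or intrusion records, and one user appears in both, so the integrated set holds three entries; the ordinary exec lines of u-1000 never enter the blacklist.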
S200, acquiring a start instruction for the container, executing a privilege escape detection operation based on the start instruction, the first startup parameter and the privilege detection program to obtain a first detection result, and controlling the starting of the container based on the first detection result.
Step S200 specifically includes:
S210, in the normal case a container is not configured with privilege, for its own security; such configuration is generally performed manually and is an abnormal operation, so the corresponding security measure must be performed before the container starts: when a start instruction is received, a privilege escape detection operation is executed based on the first startup parameter and the privilege detection program;
S220, the privilege escape detection operation comprises: calling the privilege detection program to access the image file of the container, where the detection program judges whether the image file contains startup data corresponding to the first startup parameter. If yes, the container is judged to contain privilege configuration logic, and the first detection result is output as abnormal configuration of the container startup item. If not, the privilege configuration may be embedded deeper in the startup item, so the privilege detection program is called to access the startup item parameters of the container, and a backup detection operation is executed based on the startup item parameters and the first startup parameter;
S221, the backup detection operation comprises: comparing whether the startup item parameters contain a parameter matching the first startup parameter. Correspondingly, in this embodiment, if the startup item parameters are detected to include privileged, it is determined that the startup item parameters contain a parameter matching the first startup parameter. If yes, the first detection result is output as abnormal configuration of the container startup item; if not, the first detection result is output as normal configuration of the container startup item;
S230, when the first detection result is abnormal configuration of the container startup item, the container is judged to have a potential safety hazard, the abnormal state of the container is returned, and the operating system terminates all start processes of the container according to the returned state information;
S240, when the first detection result is normal configuration of the container startup item, the container is judged to have no potential safety hazard, the normal state of the container is returned, and the operating system continues the start process of the container according to the returned state information;
Through the above steps, privilege escape behaviour is detected in depth, the corresponding detection result is output, and the corresponding protection measure is executed according to the detection result.
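The following Python program is an added example of steps S210 to S240 (the same logic the privilege detection module of embodiment 2 restates); it is not the patent's own detection program. It treats the image file as a Docker/OCI-style image configuration mapping and the startup item parameters as either a command-line argument list or a HostConfig-like mapping; those formats, the field names and the sample values are assumptions. The first startup parameter privileged and the two detection results come from the page.

```python
import re
from typing import Any, List, Mapping

# First startup parameter: the page states that the privilege configuration
# parameter used in this embodiment is "privileged".
FIRST_STARTUP_PARAMETER = "privileged"

# First detection result values (wording follows steps S220 and S221).
ABNORMAL = "container startup item configuration abnormal"
NORMAL = "container startup item configuration normal"

# A token matches the first startup parameter when it names it as a flag
# (--privileged), as a bare word, or as key=true.  The anchors keep words
# such as "unprivileged" from triggering a false positive.
_PARAM_RE = re.compile(
    r"^-{0,2}" + re.escape(FIRST_STARTUP_PARAMETER) + r"(?:=(?:true|1|yes))?$",
    re.IGNORECASE,
)


def _flatten(value: Any) -> List[str]:
    """Flatten an image configuration or startup-item structure into
    'key=value' / bare-value strings so that one matcher can scan them.
    Nested mappings and lists are walked; scalars under a key become key=value."""
    out: List[str] = []
    if isinstance(value, Mapping):
        for key, item in value.items():
            if isinstance(item, (Mapping, list, tuple)):
                out.extend(_flatten(item))
            else:
                out.append("%s=%s" % (key, str(item).lower()))
    elif isinstance(value, (list, tuple)):
        for item in value:
            out.extend(_flatten(item))
    else:
        out.append(str(value))
    return out


def _contains_first_startup_parameter(data: Any) -> bool:
    return any(_PARAM_RE.match(token.strip()) for token in _flatten(data))


def backup_detection(startup_item_params: Any) -> str:
    """Step S221: compare the startup item parameters (an argument list or a
    HostConfig-like mapping, both assumed shapes) against the first startup parameter."""
    return ABNORMAL if _contains_first_startup_parameter(startup_item_params) else NORMAL


def privilege_escape_detection(image_config: Mapping[str, Any], startup_item_params: Any) -> str:
    """Step S220: the privilege detection program first inspects the image file
    for startup data matching the first startup parameter; only if none is found
    does it fall back to the startup item parameters (backup detection)."""
    if _contains_first_startup_parameter(image_config):
        return ABNORMAL
    return backup_detection(startup_item_params)


def control_container_start(first_detection_result: str) -> bool:
    """Steps S230/S240: True lets the start continue, False terminates it."""
    return first_detection_result == NORMAL


# Constructed sample image configurations in the shape of a Docker/OCI image
# config (an assumption about the image file format).
CLEAN_IMAGE = {"config": {"Entrypoint": ["/usr/bin/app"], "Cmd": ["--port", "8080"],
                          "Env": ["PATH=/usr/bin"], "Labels": {"mode": "unprivileged"}}}
TAINTED_IMAGE = {"config": {"Entrypoint": ["/usr/bin/app"], "Cmd": ["--privileged"],
                            "Env": ["PATH=/usr/bin"], "Labels": {}}}
CLEAN_STARTUP_PARAMS = ["--name", "web", "--cap-drop", "ALL"]

if __name__ == "__main__":
    cases = [("clean", CLEAN_IMAGE, CLEAN_STARTUP_PARAMS),
             ("tainted image", TAINTED_IMAGE, CLEAN_STARTUP_PARAMS),
             ("tainted startup item", CLEAN_IMAGE, {"HostConfig": {"Privileged": True}})]
    for name, image, params in cases:
        result = privilege_escape_detection(image, params)
        action = "continue start" if control_container_start(result) else "terminate start"
        print("%-22s %s -> %s" % (name, result, action))
```

The matcher is anchored on whole tokens, so a label such as mode=unprivileged or a HostConfig entry Privileged=false does not count as a match, while --privileged in the image command, a bare privileged argument, or Privileged=true in a HostConfig mapping all do; the backup detection is only reached when the image file itself is clean, exactly the order the page prescribes.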
S300, acquiring the startup state of the container, executing a privilege escalation escape detection operation based on the startup state, the first user information set and the privilege escalation detection program to obtain a second detection result, and controlling requests of the container based on the second detection result;
Step S300 specifically includes:
S310, to guard against some high-capability escape programs or malicious programs, when the startup state is that the container has been triggered to start, that is, the container has just started, the privilege escalation escape detection operation is executed based on the first user information set and the privilege escalation detection program;
S320, correspondingly, the privilege escalation escape detection operation comprises the following, because the underlying access logic is that, when the container starts, users that need to operate first request a connection to the operating system directory:
S321, calling the privilege escalation detection program to access the container's access request to the operating system directory, and identifying the second user information corresponding to the access request; it should be noted that the second user information is the user information of the user requesting access to the operating system directory;
S322, judging whether user information corresponding to the first threat user information or the first intrusion user information exists in the second user information; as long as any user information corresponding to the first threat user information or the first intrusion user information exists, it is judged that a user has intruded or poses a security threat;
S323, if such user information exists, the second detection result is output as operating user abnormal, the access request is judged to carry a potential safety hazard, and the access request is rejected;
S324, if no such user information exists, the second detection result is output as operating user normal and the access request is given access permission, whereupon the container corresponding to the access request can operate on the system directory;
Correspondingly, if the container keeps running, the user information corresponding to access requests that were given access permission can be collected, and the corresponding white-list permission file is generated and continuously updated.
Through this step, privilege escalation escape behaviour can be detected in depth, the corresponding detection result is likewise output, and a countermeasure is taken according to the detection result.
The container security protection method described in this embodiment makes up for the missing security protection against two escape behaviours in existing container technology, further improves container security, reduces the security risk during server operation, and improves product competitiveness.
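The following Python program is an added example of steps S321 to S324 and the white-list collection that follows them (the privilege escalation detection module of embodiment 2 restates the same logic); it is not the patent's own detection program. The first user information set is constructed inline as the output step S100 would produce; the AccessRequest shape, the per-container white list, and the decision to treat a match on any one of ID, IP or domain as "corresponding" user information are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class UserInfo:
    """User information: ID, commonly used IP, domain name (as the page lists them)."""
    user_id: str
    ip: str
    domain: str


@dataclass(frozen=True)
class AccessRequest:
    """A container's request to connect to an operating system directory;
    `user` is the second user information identified for the request.
    The shape of this record is an assumption."""
    container_id: str
    user: UserInfo
    directory: str


# Second detection result values (wording follows steps S323/S324).
OPERATING_USER_ABNORMAL = "operating user abnormal"
OPERATING_USER_NORMAL = "operating user normal"

# Constructed first user information set (the access blacklist step S100 produces).
FIRST_USER_INFORMATION_SET: FrozenSet[UserInfo] = frozenset({
    UserInfo("u-4471", "203.0.113.7", "bad.example"),
    UserInfo("u-7734", "203.0.113.42", "evil.example"),
})


class PrivilegeEscalationDetector:
    """Privilege escalation detection program as configured in one underlying container."""

    def __init__(self, blacklist: FrozenSet[UserInfo]) -> None:
        # Index each attribute separately: step S322 treats a match on *any*
        # user information as an intrusion or security threat.  Matching per
        # attribute rather than on the whole tuple is an assumption of this example.
        self._ids = {u.user_id for u in blacklist}
        self._ips = {u.ip for u in blacklist}
        self._domains = {u.domain for u in blacklist}
        # White-list permission file: users whose requests were permitted,
        # kept per container and updated while the container keeps running.
        self.whitelist: Dict[str, Set[UserInfo]] = {}

    def detect(self, request: AccessRequest) -> str:
        """Steps S321-S322: compare the second user information against the set."""
        u = request.user
        if u.user_id in self._ids or u.ip in self._ips or u.domain in self._domains:
            return OPERATING_USER_ABNORMAL
        return OPERATING_USER_NORMAL

    def control_request(self, request: AccessRequest) -> bool:
        """Steps S323-S324: reject an abnormal operating user; permit a normal
        one and record it in the white list.  Returns True when access is granted."""
        if self.detect(request) == OPERATING_USER_ABNORMAL:
            return False
        self.whitelist.setdefault(request.container_id, set()).add(request.user)
        return True


if __name__ == "__main__":
    detector = PrivilegeEscalationDetector(FIRST_USER_INFORMATION_SET)
    # Constructed requests arriving just after container "c1" has started.
    requests = [
        AccessRequest("c1", UserInfo("u-1000", "192.0.2.10", "dev.example"), "/var/log"),
        AccessRequest("c1", UserInfo("u-4471", "203.0.113.7", "bad.example"), "/etc"),
        AccessRequest("c1", UserInfo("u-2", "203.0.113.42", "new.example"), "/etc"),
    ]
    for req in requests:
        granted = detector.control_request(req)
        print("%s %s %s -> %s" % (req.user.user_id, req.user.ip, req.directory,
                                  "allowed" if granted else "rejected"))
    print("white list:", sorted(u.user_id for u in detector.whitelist["c1"]))
```

The third request shows why the per-attribute index matters: the user ID and domain are new, but the commonly used IP is one recorded in the blacklist, so the request is still rejected rather than silently added to the white list.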
Example 2
The present embodiment provides a container safety shield system, as shown in fig. 4, including: the system comprises an initialization module, a privilege detection module and a privilege escalation detection module;
in the container safety protection system, an initialization module is used for configuring a first starting parameter and a privilege detection program and configuring a first user information set and a privilege extraction detection program;
specifically, the initialization module accesses an open source knowledge base of an open source mechanism, acquires threat information corresponding to the container in the open source knowledge base, and extracts first threat user information corresponding to the threat information;
specifically, in order to improve the security, the initialization module accesses a log file of the container and acquires intrusion information in the log file, wherein the intrusion information is specific data of previous authority escape or malicious intrusion operation in the container; the initialization module extracts first intrusion user information corresponding to the intrusion information;
specifically, after the information is obtained, the initialization module integrates the first threat user information and the first intrusion user information to obtain a first user information set.
In the container security protection system, a privilege detection module is used for acquiring a starting instruction for a container, executing privilege escape detection operation based on the starting instruction, the first starting parameter and the privilege detection program to obtain a first detection result, and controlling the starting of the container based on the first detection result;
specifically, when a start instruction is received, the privilege detection module executes privilege escape detection operation based on a first start parameter and a privilege detection program;
specifically, the privilege escape detection operation includes: the privilege detection module calls a privilege detection program to access the mirror image file of the container, and the privilege detection module calls the detection program to judge whether the mirror image file contains starting data corresponding to the first starting parameter; if yes, the privilege detection module judges that the container contains privilege configuration logic, and the privilege detection module outputs a first detection result as abnormal configuration of the container starting item; if not, the privilege detection module calls a privilege detection program to access the starting item parameter of the container, and executes backup detection operation based on the starting item parameter and the first starting parameter;
specifically, the backup detection operation includes: the privilege detection module compares whether the parameters of the starting item contain parameters matched with the first starting parameters or not; if yes, the privilege detection module sets the first detection result as abnormal configuration of the container starting item; if not, the privilege detection module sets the first detection result as normal configuration of the container starting item; when the first detection result is that the configuration of the container starting item is abnormal, the privilege detection module judges that potential safety hazard exists in the container, the abnormal state of the container is returned, and the operating system returns information according to the state to terminate all starting processes of the container; when the first detection result is that the configuration of the container starting item is normal, the privilege detection module judges that the container has no potential safety hazard and returns to the normal state of the container, and the operating system returns information according to the state and continues the starting process of the container.
In the container security protection system, the privilege escalation detection module is configured to obtain the starting state of the container, execute a privilege escalation escape detection operation based on the starting state, the first user information set and the privilege escalation detection program to obtain a second detection result, and control the requests of the container based on the second detection result.
Specifically, when the starting state is that the container has been triggered to start, that is, the container has just started, the privilege escalation detection module executes the privilege escalation escape detection operation based on the first user information set and the privilege escalation detection program;
Specifically, the privilege escalation escape detection operation includes: the privilege escalation detection module calls the privilege escalation detection program to obtain the access requests the container makes to operating system directories, and identifies the second user information (the requesting user) corresponding to each access request;
Specifically, the privilege escalation detection module judges whether the second user information contains user information corresponding to the first threat user information or the first intrusion user information; if it does, the privilege escalation detection module judges that a user has intruded or is generating a security threat;
Specifically, if such user information exists, the privilege escalation detection module sets the second detection result to "operating user abnormal", judges that the access request carries a potential security hazard, and rejects the access request; if not, it sets the second detection result to "operating user normal" and grants the access request, so that the container that issued the request may operate on the system directory.
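As an added example (not the patent's own code) of the privilege escalation escape detection described above and restated in claims 1 and 4, the following Python script assembles the first user information set from a threat feed and from the intrusion records in the container log, then allows or rejects each access request the started container makes to an operating system directory according to the requesting user. The record layout of the feed, the log line format, the list of operating system directories and the request fields are assumptions, and all sample data is constructed.

```python
"""Privilege escalation escape check for a just-started container. Added
example, not the patent's code. Assumptions: the threat feed is a list of
records with container and user fields, the container log is plain text with
'intrusion ... user=<name>' records, and the operating system directory list
and every sample line below are constructed."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Mapping

# Constructed stand-in for threat information pulled from an open-source
# knowledge base; only records for the container under inspection count.
THREAT_FEED = [
    {"container": "web-frontend", "user": "deploy_bot"},
    {"container": "other-svc", "user": "svc_other"},
    {"container": "web-frontend", "user": "ops_tmp"},
]

# Constructed container log; intrusion records name the user involved.
CONTAINER_LOG = """\
2021-05-08T10:01:02Z INFO  web-frontend started
2021-05-08T10:01:09Z ALERT intrusion detected user=mallory action=write target=/etc/shadow
2021-05-08T10:02:11Z INFO  health check ok user=app
2021-05-08T10:03:40Z ALERT intrusion detected user=root action=mount target=/proc
"""
_INTRUSION_RE = re.compile(r"\bintrusion\b.*?\buser=(?P<user>\S+)")

# Operating system directories whose access requests are subject to the check.
OS_DIRECTORIES = ("/etc", "/proc", "/sys", "/boot", "/usr", "/lib", "/root")


def threat_users_for(container: str, feed: Iterable[Mapping[str, str]]) -> FrozenSet[str]:
    """First threat user information: users the feed ties to this container."""
    return frozenset(r["user"] for r in feed if r.get("container") == container)


def intrusion_users_from_log(log: str) -> FrozenSet[str]:
    """First intrusion user information: users named in intrusion records."""
    users = set()
    for line in log.splitlines():
        match = _INTRUSION_RE.search(line)
        if match:
            users.add(match.group("user"))
    return frozenset(users)


def build_first_user_set(container: str, feed, log: str) -> FrozenSet[str]:
    """Integrate both sources into the first user information set."""
    return threat_users_for(container, feed) | intrusion_users_from_log(log)


@dataclass(frozen=True)
class AccessRequest:
    user: str   # the second user information identified for the request
    path: str   # target of the request
    op: str     # e.g. "read", "write", "mount"


def is_os_directory(path: str) -> bool:
    """True when the target lies in (or is) a protected OS directory."""
    return any(path == d or path.startswith(d + "/") for d in OS_DIRECTORIES)


def second_detection(request: AccessRequest, first_user_set: FrozenSet[str]) -> str:
    """Second detection result for a request to an OS directory."""
    return "operating user abnormal" if request.user in first_user_set else "operating user normal"


def control_request(request: AccessRequest, first_user_set: FrozenSet[str]) -> str:
    """Reject an OS-directory request whose user is in the first user set;
    allow everything else (requests outside OS directories are out of scope)."""
    if not is_os_directory(request.path):
        return "allow"
    return "reject" if second_detection(request, first_user_set) == "operating user abnormal" else "allow"


if __name__ == "__main__":
    first_set = build_first_user_set("web-frontend", THREAT_FEED, CONTAINER_LOG)
    print("first user information set:", sorted(first_set))
    for req in (AccessRequest("mallory", "/etc/passwd", "read"),
                AccessRequest("app", "/etc/passwd", "read"),
                AccessRequest("root", "/proc/sys/kernel", "write")):
        print(req, "->", control_request(req, first_set))
```

The check is only as strong as the user information behind it: a process that has never appeared in threat intelligence or in an intrusion record passes, and a request to a path outside the protected directories is never examined. In deployment it belongs beside, not instead of, a default-deny policy on host directories.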
Through the container security protection system described in this embodiment, and the cooperation of its modules, the missing protection against the two kinds of escape behavior in existing container technology (escape through a privileged container, and escape through privilege escalation) is remedied, the security of the container is further improved, the security risk during server operation is reduced, and the competitiveness of the product is improved.
Example 3
The present embodiment provides a computer-readable storage medium.
The storage medium stores computer software instructions implementing the container security protection method described in Embodiment 1, including the program configured to execute that method; specifically, the executable program may be embedded in the container security protection system described in Embodiment 2, so that the system implements the method of Embodiment 1 by executing the embedded program.
Furthermore, the computer-readable storage medium of the present embodiment may be any combination of one or more readable storage media, where a readable storage medium may be an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination thereof.
Different from the prior art, the container security protection method, system and medium set container protection measures for multiple privilege states of a container that shares the operating system kernel with the host, so that malicious intrusion and several kinds of intrusion escape behavior are effectively prevented; the system gives the method effective technical support, the security of the container is greatly improved, potential security hazards are reduced, and the defects of the prior art are overcome.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
Those skilled in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; such a program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disk.
The above description is only an embodiment of the present invention and is not intended to limit its scope; all equivalent structures and equivalent processes derived from the present specification and drawings, whether applied directly or indirectly to other related technical fields, fall within the scope of the present invention.

Claims (6)

1. A container security protection method, comprising the steps of:
configuring a first starting parameter and a privilege detection program, and configuring a first user information set and a privilege escalation detection program;
acquiring a start instruction for a container, executing a privilege escape detection operation based on the start instruction, the first starting parameter and the privilege detection program to obtain a first detection result, and controlling the start of the container based on the first detection result;
acquiring a starting state of the container, executing a privilege escalation escape detection operation based on the starting state, the first user information set and the privilege escalation detection program to obtain a second detection result, and controlling requests of the container based on the second detection result;
wherein the first starting parameter is the privilege configuration parameter of the underlying container technology, namely privileged;
wherein the step of configuring the first user information set further comprises:
accessing an open-source knowledge base, acquiring threat information corresponding to the container from the knowledge base, and extracting first threat user information corresponding to the threat information; accessing a log file of the container, acquiring intrusion information from the log file, and extracting first intrusion user information corresponding to the intrusion information; and integrating the first threat user information and the first intrusion user information into the first user information set;
wherein the privilege escape detection operation comprises:
calling the privilege detection program to access the image file of the container and judging whether the image file contains start data corresponding to the first starting parameter; if so, outputting the first detection result as container start item configuration abnormal; if not, calling the privilege detection program to access the start item parameters of the container and executing a backup detection operation based on the start item parameters and the first starting parameter;
wherein the step of executing the privilege escalation escape detection operation based on the starting state, the first user information set and the privilege escalation detection program further comprises:
when the starting state is that the container has been triggered to start, executing the privilege escalation escape detection operation based on the first user information set and the privilege escalation detection program;
wherein the privilege escalation escape detection operation comprises:
calling the privilege escalation detection program to obtain an access request of the container to an operating system directory, and identifying second user information corresponding to the access request; judging whether the second user information contains user information corresponding to the first threat user information or the first intrusion user information; if so, outputting the second detection result as operating user abnormal; and if not, outputting the second detection result as operating user normal.
2. The method of claim 1, wherein the backup detection operation comprises:
comparing whether the start item parameters contain a parameter matching the first starting parameter;
if so, outputting the first detection result as container start item configuration abnormal;
if not, outputting the first detection result as container start item configuration normal.
3. The method of claim 2, wherein the step of controlling the start of the container based on the first detection result further comprises:
when the first detection result indicates that the container start item configuration is abnormal, stopping the start of the container;
and when the first detection result indicates that the container start item configuration is normal, continuing the start of the container.
4. The method of claim 1, wherein the step of controlling the request for the container based on the second detection result further comprises:
when the second detection result is that the operation user is abnormal, the access request is rejected;
and when the second detection result is that the operation user is normal, allowing the access request.
5. A container security protection system based on the container security protection method according to any one of claims 1 to 4, comprising an initialization module, a privilege detection module and a privilege escalation detection module, wherein:
the initialization module is used to configure the first starting parameter and the privilege detection program, and to configure the first user information set and the privilege escalation detection program;
the privilege detection module is used to acquire a start instruction for a container, execute the privilege escape detection operation based on the start instruction, the first starting parameter and the privilege detection program to obtain the first detection result, and control the start of the container based on the first detection result;
the privilege escalation detection module is configured to acquire the starting state of the container, execute the privilege escalation escape detection operation based on the starting state, the first user information set and the privilege escalation detection program to obtain the second detection result, and control requests of the container based on the second detection result.
6. A computer-readable storage medium having a computer program stored thereon which, when executed by a processor, carries out the steps of the container security protection method according to any one of claims 1 to 4.
CN202110501670.1A 2021-05-08 2021-05-08 Container safety protection method, system and medium Active CN113221103B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110501670.1A CN113221103B (en) 2021-05-08 2021-05-08 Container safety protection method, system and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110501670.1A CN113221103B (en) 2021-05-08 2021-05-08 Container safety protection method, system and medium

Publications (2)

Publication Number Publication Date
CN113221103A CN113221103A (en) 2021-08-06
CN113221103B CN113221103B (en) 2022-09-20

Family

ID=77094091

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110501670.1A Active CN113221103B (en) 2021-05-08 2021-05-08 Container safety protection method, system and medium

Country Status (1)

Country Link
CN (1) CN113221103B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116302298A (en) * 2021-12-07 2023-06-23 中兴通讯股份有限公司 Container operation method, device, electronic equipment and storage medium

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105069353A (en) * 2015-08-11 2015-11-18 武汉大学 Security reinforcement method for credible container based on Docker
CN105393255A (en) * 2013-07-05 2016-03-09 比特梵德知识产权管理有限公司 Process evaluation for malware detection in virtual machines
CN107679399A (en) * 2017-10-19 2018-02-09 郑州云海信息技术有限公司 Container-based malicious code detection sandbox system and detection method
CN107864062A (en) * 2016-12-14 2018-03-30 中国电子科技网络信息安全有限公司 Container firewall system deployment method
CN108171050A (en) * 2017-12-29 2018-06-15 浙江大学 Fine-grained sandbox policy mining method for Linux containers
CN109743199A (en) * 2018-12-25 2019-05-10 中国联合网络通信集团有限公司 Containerization management system based on micro services
WO2019174193A1 (en) * 2018-03-16 2019-09-19 华为技术有限公司 Container escape detection method, apparatus and system, and storage medium
CN110784446A (en) * 2019-09-18 2020-02-11 平安科技(深圳)有限公司 User permission-based cloud resource acquisition method and device and computer equipment
CN110851241A (en) * 2019-11-20 2020-02-28 杭州安恒信息技术股份有限公司 Safety protection method, device and system for Docker container environment
CN111191226A (en) * 2019-07-04 2020-05-22 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for determining a program that exploits a privilege escalation vulnerability
CN111684418A (en) * 2018-03-01 2020-09-18 华睿泰科技有限责任公司 System and method for running applications on a multi-tenant container platform
CN111726357A (en) * 2020-06-18 2020-09-29 北京优特捷信息技术有限公司 Attack behavior detection method and device, computer equipment and storage medium
CN111783090A (en) * 2020-06-08 2020-10-16 Oppo广东移动通信有限公司 Information processing method and device, equipment and storage medium
CN111783106A (en) * 2019-07-08 2020-10-16 谷歌有限责任公司 System and method for detecting file system modifications via multi-tier file system state
CN111783087A (en) * 2020-06-02 2020-10-16 Oppo广东移动通信有限公司 Method and device for detecting malicious execution of executable file, terminal and storage medium
CN111881453A (en) * 2020-07-20 2020-11-03 北京百度网讯科技有限公司 Container escape detection method and device and electronic equipment
CN112395617A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 Method and device for protecting docker escape vulnerability, storage medium and computer equipment
CN112464221A (en) * 2019-09-09 2021-03-09 北京奇虎科技有限公司 Method and system for monitoring memory access behavior
US10963583B1 (en) * 2020-06-04 2021-03-30 Cyberark Software Ltd. Automatic detection and protection against file system privilege escalation and manipulation vulnerabilities

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102017810B1 (en) * 2012-04-18 2019-10-21 짐페리엄 리미티드 Preventive Intrusion Device and Method for Mobile Devices
CN106560832A (en) * 2015-12-31 2017-04-12 哈尔滨安天科技股份有限公司 Method and system intercepting Linux core malicious process escalating privilege
CN106778242B (en) * 2016-11-28 2020-10-16 北京奇虎科技有限公司 Kernel vulnerability detection method and device based on virtual machine
CN106982235B (en) * 2017-06-08 2021-01-26 江苏省电力试验研究院有限公司 IEC 61850-based electric power industry control network intrusion detection method and system
US10984098B2 (en) * 2018-04-06 2021-04-20 Palo Alto Networks, Inc. Process privilege escalation protection in a computing environment


Also Published As

Publication number Publication date
CN113221103A (en) 2021-08-06

Similar Documents

Publication Publication Date Title
US11663323B2 (en) Process privilege escalation protection in a computing environment
US8650578B1 (en) System and method for intercepting process creation events
CN102667794B (en) Method and system for protecting an operating system from unauthorized updates
KR102297133B1 (en) Computer security systems and methods using asynchronous introspection exceptions
KR102307534B1 (en) Systems and methods for tracking malicious behavior across multiple software entities
US9202046B2 (en) Systems and methods for executing arbitrary applications in secure environments
CN102081722B (en) Method and device for protecting appointed application program
US20070113062A1 (en) Bootable computer system circumventing compromised instructions
US8397292B2 (en) Method and device for online secure logging-on
US8413253B2 (en) Protecting persistent secondary platform storage against attack from malicious or unauthorized programs
US20160232347A1 (en) Mitigating malware code injections using stack unwinding
JP2010517164A (en) Protect operating system resources
CN107690645A (en) Use the behavior malware detection of interpreter virtual machine
CN110058921B (en) Dynamic isolation and monitoring method and system for memory of client virtual machine
US11416611B2 (en) Countering malware detection evasion techniques
CN113221103B (en) Container safety protection method, system and medium
US20230289465A1 (en) Data Protection Method and Apparatus, Storage Medium, and Computer Device
CN109583206B (en) Method, device, equipment and storage medium for monitoring access process of application program
KR101013419B1 (en) Guarding apparatus and method for system
CN112446029A (en) Trusted computing platform
KR101207434B1 (en) System and Method for Preventing Collision Between Different Digital Documents Protection System
US9858109B2 (en) Module management in a protected kernel environment
WO2022093186A1 (en) Code execution using trusted code record
CN114329444A (en) System safety improving method and device
CN112733091A (en) Control method and device for accessing external equipment by application program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant