CN117827362A - Container escape detection method, electronic equipment and system - Google Patents
Container escape detection method, electronic equipment and system Download PDFInfo
- Publication number
- CN117827362A CN117827362A CN202211200843.7A CN202211200843A CN117827362A CN 117827362 A CN117827362 A CN 117827362A CN 202211200843 A CN202211200843 A CN 202211200843A CN 117827362 A CN117827362 A CN 117827362A
- Authority
- CN
- China
- Prior art keywords
- address
- namespace
- host
- user
- belongs
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title description 79
- 238000000034 method Methods 0.000 claims abstract description 772
- 230000008569 process Effects 0.000 claims abstract description 673
- 230000015654 memory Effects 0.000 claims description 39
- 238000004590 computer program Methods 0.000 claims description 5
- 230000006399 behavior Effects 0.000 description 33
- 230000007246 mechanism Effects 0.000 description 16
- 238000004891 communication Methods 0.000 description 13
- 238000010586 diagram Methods 0.000 description 11
- 238000004886 process control Methods 0.000 description 11
- 230000006870 function Effects 0.000 description 9
- 238000005516 engineering process Methods 0.000 description 7
- 238000012545 processing Methods 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 5
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 150000003071 polychlorinated biphenyls Chemical group 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 239000012634 fragment Substances 0.000 description 2
- 238000002955 isolation Methods 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- FFBHFFJDDLITSX-UHFFFAOYSA-N benzyl N-[2-hydroxy-4-(3-oxomorpholin-4-yl)phenyl]carbamate Chemical compound OC1=C(NC(=O)OCC2=CC=CC=C2)C=CC(=C1)N1CCOCC1=O FFBHFFJDDLITSX-UHFFFAOYSA-N 0.000 description 1
- 238000011900 installation process Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 238000004806 packaging method and process Methods 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 238000013468 resource allocation Methods 0.000 description 1
- 238000011895 specific detection Methods 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Abstract
The application provides a method, electronic equipment and a system for detecting container escape, wherein the method comprises the following steps: when the host determines that the name space of the process is the initial name space, the host acquires the address of the buffer area to which the process belongs; when the host determines that the address of the buffer area to which the process belongs is not equal to the address in the name space to which the process belongs, the host prompts alarm information, and the alarm information is used for prompting the process to generate container escape. By implementing the embodiment of the application, the accuracy is high, and the escape of the container can be effectively detected.
Description
Technical Field
Embodiments of the present application relate to virtualization technologies, and in particular, to a method, an electronic device, and a system for detecting container escape.
Background
The container technology is a technology of packaging application programs into a single container, and the container technology isolates each application program, breaks the dependency and connection relation between the application programs, that is, a huge service system can be combined by containers in which a plurality of different application programs are hosted under the support of the container technology. The container technique effectively partitions resources managed by a single operating system into isolated groups to better balance conflicting resource usage requirements among the isolated groups, and belongs to the operating system level virtualization technique, which is widely used due to its lightweight nature.
The user can create and run containers based on container mirroring in the host machine, wherein the host machine can be a physical machine or a virtual machine, and each container has an independent process running space, and ideally, the processes in the container can only run in the process running space of the container. However, when there is a malicious process in the container, the malicious process is likely to leave the process run space of the container, and then spread out attacks on hosts or other containers, a phenomenon known as container escape.
Currently, container escape can be classified into the following 4 types, (1) container escape caused by unsafe configuration; (2) container escape due to unsafe mounting; (3) container escape due to relevant program vulnerabilities; (4) container escape due to kernel vulnerabilities. How to detect container escape caused by kernel loopholes is a problem that needs to be solved in the industry.
Disclosure of Invention
In the method for detecting container escape, a host can prompt alarm information when the address of a buffer area to which a process belongs is not equal to the address in a naming space in which the process belongs, and the alarm information is used for prompting the process to generate container escape. The method has high accuracy and can effectively detect the escape of the container.
In a first aspect, embodiments of the present application provide a method for detecting escape of a container, the method including:
when the host determines that the name space of the process is the initial name space, the host acquires the address of the buffer area to which the process belongs;
when the host determines that the address of the buffer area to which the process belongs is not equal to the address in the name space to which the process belongs, the host prompts alarm information, and the alarm information is used for prompting the process to generate container escape.
In the embodiment of the application, the namespace where the process is located is an initial namespace, that is, a namespace indicated by init_nsproxy that can be accessed by the process is represented, so as to ensure the safety of the namespace; therefore, the host can detect the process based on the address sleb_cache of the buffer area to which the process belongs; because the reliability of the slab-cache is higher, the slab-cache is compared with the address pid-cache in the name space where the process is located; when the two are different, it can be determined that the process does not have permission to access the namespace indicated by init_nsproxy, that is, the process is maliciously tampered with, and the container escapes. The method has high accuracy and can effectively detect the escape of the container.
With reference to the first aspect, in one possible implementation manner, the method includes:
The host machine obtains the address of the buffer area corresponding to the process based on the address space of the process.
In the embodiment of the application, the address space pid_cache of the process is not easy to tamper, so that the reliability is high, and the reliability of the address slab_cache of the cache area corresponding to the process is high, which is determined based on the address space pid_cache of the process.
With reference to the first aspect, in one possible implementation manner, when determining that a namespace where a process is located is an initial namespace, the host obtains an address of a cache area where the process belongs, including:
when the host determines that the name space of the process is the initial name space, acquiring a user identification of the process;
when the host determines that the user identifier is the identifier of the root user, the host acquires the address of the buffer area to which the process belongs.
With reference to the first aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; the identity of the root user is zero.
With reference to the first aspect, in one possible implementation manner, when determining that a namespace where a process is located is an initial namespace, the host obtains an address of a cache area where the process belongs, including:
when the host determines that the namespace of the process is the initial namespace, acquiring a hierarchy level of the namespace of the process;
When the host determines that the hierarchy is zero, the host acquires the address of the buffer area to which the process belongs.
With reference to the first aspect, in one possible implementation manner, before acquiring an address of a cache region to which the process belongs, the method further includes:
the host machine acquires a data structure of a process; the data structure includes an identification of a namespace in which the process is located;
the host determines that the namespace in which the process is located is the initial namespace when the identifier nsproxy of the namespace in which the process is located is equal to the identifier init_nsproxy of the initial namespace.
In a second aspect, embodiments of the present application provide a method for detecting escape of a container, the method including:
when the host determines that the mounting point of the process is the root directory, the host acquires the address of a cache region to which the process belongs;
when the host determines that the address of the buffer area to which the process belongs is not equal to the address in the name space to which the process belongs, the host prompts alarm information, and the alarm information is used for prompting the process to generate container escape.
In the embodiment of the application, the mount point of the process is a root directory, that is, the process can access all files under the root directory, and in order to ensure the security of the files under the root directory, the process needs to be detected; therefore, the host can detect the process based on the address sleb_cache of the buffer area to which the process belongs; because the reliability of the address of the buffer area to which the process belongs is higher, the address of the buffer area to which the process belongs is compared with the address pid_cache in the name space to which the process belongs, and when the address pid_cache is unequal, the process is considered to have no authority to access all files under the root directory, the process is tampered maliciously, and the container escape condition occurs.
It should be noted that, in the embodiment of the present application, a detection mechanism based on a mount point is added in the kernel code, so that a behavior of escaping into the root directory can be detected, and a container escaping behavior of utilizing the occurrence of kernel holes is effectively monitored, thereby improving system security.
With reference to the second aspect, in one possible implementation manner, the method includes:
the host machine obtains the address of the buffer area corresponding to the process based on the address space of the process.
With reference to the second aspect, in one possible implementation manner, when determining that a namespace where a process is located is an initial namespace, the host obtains an address of a cache area where the process is located, including:
when the host determines that the name space of the process is the initial name space, acquiring a user identification of the process;
when the host determines that the user identifier of the process is the identifier of the root user, the host acquires the address of the cache region to which the process belongs.
With reference to the second aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; the identity of the root user is zero.
With reference to the second aspect, in one possible implementation manner, when determining that a namespace where a process is located is an initial namespace, the host obtains an address of a cache area where the process is located, including:
When the host determines that the namespace of the process is the initial namespace, acquiring a hierarchy of the namespace of the process;
when the host determines that the hierarchy is zero, the host acquires the address of the buffer area to which the process belongs.
With reference to the second aspect, in one possible implementation manner, before acquiring an address of a cache area to which the process belongs, the method further includes:
the host machine acquires a data structure of a process; the data structure comprises a mounting point identifier of the process;
when the mount point identifier is the root directory identifier, the host determines that the mount point of the process is the root directory.
In a third aspect, embodiments of the present application provide a device for detecting escape of a container, the device comprising:
the acquisition unit is used for acquiring the address of the cache region to which the process belongs when the namespace to which the process belongs is determined to be the initial namespace;
and the prompting unit is used for prompting the alarm information when the address of the buffer area to which the process belongs is determined to be unequal to the address in the name space to which the process belongs, and the alarm information is used for prompting the process to generate container escape.
In the embodiment of the application, the namespace where the process is located is an initial namespace, that is, a namespace which represents that the process can be indicated by init_nsproxy, so as to ensure the safety of the namespace; therefore, the host can detect the process based on the address sleb_cache of the buffer area to which the process belongs; because the reliability of the slab-cache is higher, the slab-cache is compared with the address pid-cache in the name space where the process is located; when the two are different, it can be determined that the process does not have permission to access the namespace indicated by init_nsproxy, that is, the process is maliciously tampered with, and the container escapes. The method has high accuracy and can effectively detect the escape of the container.
It should be noted that, in the embodiment of the present application, a detection mechanism based on a mount point is added in the kernel code, so that a behavior of escaping into the root directory can be detected, and a container escaping behavior of utilizing the occurrence of kernel holes is effectively monitored, thereby improving system security.
With reference to the third aspect, in one possible implementation manner, the acquiring unit is configured to:
and acquiring the address of the buffer area corresponding to the process based on the address space of the process.
In the embodiment of the application, the address space pid_cache of the process is not easy to tamper, so that the reliability is high, and the reliability of the address slab_cache of the cache area corresponding to the process is high, which is determined based on the address space pid_cache of the process.
With reference to the third aspect, in one possible implementation manner,
the acquiring unit is used for acquiring the user identification of the process when the namespace where the process is located is determined to be the initial namespace;
and the acquisition unit is used for acquiring the address of the cache region to which the process belongs when the user identifier is determined to be the identifier of the root user.
With reference to the third aspect, in one possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; the identity of the root user is zero.
With reference to the third aspect, in one possible implementation manner, the obtaining unit is configured to:
when the namespace where the process is located is determined to be the initial namespace, acquiring a hierarchy level of the namespace where the process is located;
and when the hierarchy is determined to be zero, acquiring the address of the cache region to which the process belongs.
With reference to the third aspect, in a possible implementation manner, the apparatus further includes a determining unit,
the acquisition unit is used for acquiring the data structure of the process; the data structure includes an identification of a namespace in which the process is located;
the determining unit is used for determining that the name space where the process is located is the initial name space when the identifier nsproxy of the name space where the process is located is equal to the identifier init_nsproxy of the initial name space.
In a fourth aspect, embodiments of the present application provide a device for detecting escape of a container, the device comprising:
the acquisition unit is used for acquiring the address of the cache region to which the process belongs when the mounting point of the process is determined to be the root directory;
and the prompting unit is used for prompting the alarm information when the address of the buffer area to which the process belongs is determined to be unequal to the address in the name space to which the process belongs, and the alarm information is used for prompting the process to generate container escape.
In the embodiment of the application, the namespace nsproxy where the process is located is an initial namespace init_nsproxy, that is, a namespace which represents that the process can be indicated by init_nsproxy, so as to ensure the safety of the namespace; therefore, the host can detect the process based on the address sleb_cache of the buffer area to which the process belongs; because the reliability of the slab-cache is higher, the slab-cache is compared with the address pid-cache in the name space where the process is located; when the two are different, it can be determined that the process does not have permission to access the namespace indicated by init_nsproxy, that is, the process is maliciously tampered with, and the container escapes. The method has high accuracy and can effectively detect the escape of the container.
With reference to the fourth aspect, in one possible implementation manner, the acquiring unit is configured to:
and acquiring the address of the buffer area corresponding to the process based on the address space of the process.
With reference to the fourth aspect, in one possible implementation manner, the acquiring unit is configured to:
when determining that the name space of the process is the initial name space, acquiring a user identifier of the process;
and when the user identification of the process is determined to be the identification of the root user, acquiring the address of the cache region to which the process belongs.
With reference to the fourth aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; the identity of the root user is zero.
With reference to the fourth aspect, in one possible implementation manner, the acquiring unit is configured to:
acquiring a hierarchy of a namespace where a process is located when determining that the namespace where the process is located is an initial namespace;
and when the hierarchy is determined to be zero, acquiring the address of the cache region to which the process belongs.
With reference to the fourth aspect, in a possible implementation manner, the apparatus further includes a determining unit,
the acquisition unit is used for acquiring the data structure of the process; the data structure comprises a mounting point identifier of the process;
and the determining unit is used for determining that the mounting point of the process is the root directory when the mounting point identifier is the root directory identifier.
In a fifth aspect, embodiments of the present application provide a method for detecting escape of a container, the method including:
when the host determines that the mounting point of the process is the root directory, acquiring target data from a data structure of the process;
when the target data accords with the preset condition, the host prompts alarm information which is used for prompting the process to generate container escape.
In the embodiment of the application, the detection mechanism based on the mounting point is added in the kernel code, so that the behavior of escaping to the root directory can be detected, and the container escaping behavior of utilizing the occurrence of kernel loopholes can be effectively monitored, thereby improving the system security.
With reference to the fifth aspect, in one possible implementation manner, the target data is a hierarchy of namespaces where the target data is located; when the target data accords with the preset condition, the host prompts the alarm information, which comprises the following steps:
and prompting the alarm information when the host determines that the hierarchy of the namespaces where the processes are located is zero.
With reference to the fifth aspect, in a possible implementation manner, the target data is a user identifier of the process; when the target data accords with the preset condition, the host prompts the alarm information, which comprises the following steps:
and prompting the alarm information when the host determines that the user identifier of the process is the identifier of the root user.
With reference to the fifth aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; the identity of the root user is zero.
With reference to the fifth aspect, in a possible implementation manner, the method further includes:
the host machine acquires a data structure of a process; the data structure comprises a mounting point identifier of the process;
When the mount point identifier is the root directory identifier, the host determines that the mount point of the process is the root directory.
In a sixth aspect, embodiments of the present application provide a device for detecting escape of a container, the device comprising:
the acquisition unit is used for acquiring target data from the data structure of the process when the mounting point of the process is determined to be the root directory;
the prompting unit is used for prompting the alarm information when the target data accords with the preset condition, and the alarm information is used for prompting the process to generate container escape.
In the embodiment of the application, the detection mechanism based on the mounting point is added in the kernel code, so that the behavior of escaping to the root directory can be detected, and the container escaping behavior of utilizing the occurrence of kernel loopholes can be effectively monitored, thereby improving the system security.
With reference to the sixth aspect, in one possible implementation manner, the target data is a hierarchy of namespaces where the target data is located; the prompting unit is used for:
and prompting the alarm information when determining that the hierarchy of the namespaces where the processes are located is zero.
With reference to the sixth aspect, in one possible implementation manner, the target data is a user identifier of the process; the prompting unit is used for:
and prompting the alarm information when the host determines that the user identifier of the process is the identifier of the root user.
With reference to the sixth aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; the identity of the root user is zero.
With reference to the sixth aspect, in a possible implementation manner, the apparatus further includes a determining unit:
the acquisition unit is used for acquiring the data structure of the process; the data structure comprises a mounting point identifier of the process;
and the determining unit is used for determining that the mounting point of the process is the root directory when the mounting point identifier of the host is the root directory identifier.
In a seventh aspect, embodiments of the present application provide an electronic device, including one or more functional modules, where the one or more functional modules are configured to perform a method for detecting container escape in a possible implementation manner of any one of the first aspect.
In an eighth aspect, the present application provides a computer storage medium comprising computer instructions which, when run on an electronic device, cause a communication apparatus to perform a method of detecting container escape in any one of the possible implementations of the above.
In a ninth aspect, the present application provides a computer program product for, when run on a computer, causing the computer to perform the method of detecting container escape in any one of the possible implementations of the above aspect.
In a tenth aspect, the present application provides a chip comprising: a processor and an interface, the processor and the interface cooperating such that the chip performs the method of detecting container escape in any one of the possible implementations of the above aspect.
It will be appreciated that the electronic device provided in the seventh aspect, the computer-readable storage medium provided in the eighth aspect, the computer program product provided in the ninth aspect, and the chip provided in the tenth aspect are all configured to perform the methods provided by the embodiments of the present application. Therefore, the advantages achieved by the method can be referred to as the advantages of the corresponding method, and will not be described herein.
Drawings
FIG. 1 is a hierarchical relationship diagram of a namespace provided by embodiments of the present application;
FIG. 2 is a schematic diagram of a detection process provided in an embodiment of the present application;
FIG. 3 is a schematic diagram of a detection system provided in an embodiment of the present application;
fig. 4 is a schematic view of a container escape scenario provided in an embodiment of the present application;
FIG. 5 is a schematic illustration of another container escape scenario provided by embodiments of the present application;
FIG. 6 is a flow chart of a method for detecting container escape provided in an embodiment of the present application;
FIG. 7 is a flow chart of another method for detecting container escape provided by embodiments of the present application;
FIG. 8A is a flow chart of a method for detecting container escape provided in an embodiment of the present application;
FIG. 8B is a flow chart of another method for detecting container escape provided by embodiments of the present application;
FIG. 9A is a flow chart of a method for detecting container escape provided in an embodiment of the present application;
FIG. 9B is a flow chart of another method for detecting container escape provided by embodiments of the present application;
fig. 10 is a schematic structural diagram of a device 100 for detecting container escape according to an embodiment of the present disclosure;
fig. 11 is a schematic structural diagram of a device 110 for detecting container escape according to an embodiment of the present disclosure;
fig. 12 is a schematic structural diagram of another device 120 for detecting container escape according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and thoroughly described below with reference to the accompanying drawings. Wherein, in the description of the embodiments of the present application, "/" means or is meant unless otherwise indicated, for example, a/B may represent a or B; the text "and/or" is merely an association relation describing the associated object, and indicates that three relations may exist, for example, a and/or B may indicate: the three cases where a exists alone, a and B exist together, and B exists alone, and in addition, in the description of the embodiments of the present application, "plural" means two or more than two.
The terms "first," "second," and the like, are used below for descriptive purposes only and are not to be construed as implying or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature, and in the description of embodiments of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
Technical terms related to the present application are first described below.
Container technology
1. A container: is an instance created based on an image, which is an object that includes user configuration and running configuration required to implement the functionality of the image. Containers are running instances of image creation that can be started, stopped, deleted, each being a platform that is isolated from each other and that ensures security. The container provides an isolated environment for the running program and tightly controls the resources that can be accessed by the program therein.
The container provides isolated runtime space for applications: each container contains an exclusive complete user environment space, and changes in one container do not affect the operating environment of the other containers. To achieve this, container technology uses a series of system-level mechanisms such as using Linux namespaces for spatial isolation, determining which files a container can access by mount points of the file system, and determining how much resources each container can utilize by cgroups. In addition, the same system kernel is shared among the containers, so that when the same library is used by a plurality of containers, the use efficiency of the memory can be improved.
2. The container escapes: refers to one such process and result: firstly, an attacker obtains the command execution capability under a certain authority in a container through hijacking containerized service logic, direct control (a scene that the CaaS and other legal rights of the container are obtained) and the like; an attacker uses this command execution capability to further obtain, by some means, the command execution capability under a certain authority on the direct host (often sees the scenario of "physical machine runs virtual machine, virtual machine rerun container", the direct host under the scenario refers to the virtual machine at the outer layer of the container).
(II) namespaces (Namespace)
The nalmespace is mainly used for resource isolation, and resources of different nalmespace are not visible. The resources mainly realized by the nacespace are as follows: IPC/NetWork/Mount/PID/User/UTS/Cgroup.
There are six different namespaces currently implemented, namely a mount namespace, a UTS namespace, an inter-process communication (IPC) namespace, a user namespace, a process identification (process identifier, PID) namespace, and a network namespace. Namespaces simply provide an abstraction of global resources, placing resources in different namespaces, the resources in each namespace being isolated from each other, the resources in each namespace being invoked by different processes. The resources are placed in different containers (different namespaces), each isolated from the other.
2. Namespaces
(1) PID number is an identification that the kernel uniquely distinguishes each process.
The PID number is a number in Linux that uniquely identifies a process in its namespace and is assigned to it, called a process ID number, abbreviated PID. Processes that occur when using fork or clone system calls are each assigned a new unique PID value by the kernel.
(2) Namespaces also have hierarchical relationships.
The level of the nacespace at which the process is located: representing the level of the current namespace, the initial namespace has a level of 0, its child namespaces have a level of 1, which are incremented in turn, and the child namespaces are visible to the parent namespaces. From a given level setting, the kernel can infer how many IDs a process will be associated with.
The Namespace also has the concept of a hierarchy, with level representing the hierarchy at which different Namespaces are located. level indicates which layer the naspace is at. When creating a child process through a clone function or a fork function, whether a new nacespce is created or not can be specified, and if not, the nacespce of the parent process is integrated by default; otherwise, a new naspec is created with level in task_struct plus 1.
A high level of nasspace can be seen by a low level of nasspace that the high level process has multiple PID numbers. For example, the system defaults to a Namespace mirror to be level0, a new Namespace is created under level0, called level1, and a process is running in level. The PID number of this process in level is 1, and since the high level PID naspace needs to be seen by the low level PID naspace, this process is PID xxx in level0, and xxx this PID number is assigned according to the PID sequence in level 0.
FIG. 1 illustrates a hierarchical relationship diagram of namespaces.
As shown in FIG. 1, four namespaces are illustratively shown in FIG. 1, with one parent namespace derived from two child namespaces; wherein the hierarchy of the parent namespace is 0 (i.e., level 0); the hierarchy of the child namespaces is 1 (i.e., level 1). Taking namespaces as an example, since the namespaces are isolated from each other, each namespace can have a process with PID number 1; however, because of the hierarchy of namespaces, the parent namespaces are aware of the existence of child namespaces, and the child namespaces are mapped into the parent namespaces, six processes of the two child namespaces in level 1 of FIG. 1 are mapped to PID numbers 5-10 of their parent namespaces, respectively.
(III) Process
1. The process is a program or command being executed, and each process is an operating entity, has own address space and occupies certain system resources. The program is a process once it is run.
A process can be seen as an instance of program execution. Processes are independent entities of system resource allocation, each process having an independent address space. One process cannot access the variables and data structures of another process, and if it is desired for one process to access the resources of another process, inter-process communication, such as pipes, files, sockets, etc., needs to be used.
The process is a dynamic entity composed of text segments, user data segments and system data segments. The system data segment stores control information of the process. Including a process control block (process control block, PCB).
The pcb is a data structure used to describe and control the running of processes, is part of the process entity, and is the most important record-type data structure in the operating system. In general, the PCB includes the following:
(1) Process identifier (internal, external): for uniquely identifying a process;
(2) Information of the processor (general purpose registers, instruction counter, program status word PSW, stack pointer of the user);
(3) Process scheduling information (process state, priority of process, other information needed for process scheduling, event);
(4) Process control information (address of data of program, resource list, process synchronization and communication mechanism, link pointer);
the content defined in the data structure is supported for later management, so that different operating systems make some adjustments to the content of the PCB according to their own characteristics. The PCB structure of different operating systems is different.
The Linux process control block is a data structure defined by a structure task_struct, and includes various information required for managing a process. All process control blocks of the Linux system are organized into a structure array form.
Process control block of Linux (task_struct)
the task_struct is a unique identifier of the existence of the process and is also the core of the Linux process entity.
The Linux kernel uses a task_struct data structure to associate all process-related data and structures, and all algorithms related to processes and programs of the Linux kernel are built around the data structure, which is one of the most important data structures in the kernel.
When a new process is created, the system applies for an empty task_struct area, i.e., an empty PCB block, in the memory and fills in the required information. And simultaneously, a pointer to the structure is filled into the task [ ] array. The PCB currently in the run state process is pointed out with the pointer array current_set [ ]. This is because Linux supports a multiprocessor system, where there may be multiple processes running simultaneously, current_set is defined as an array of pointers.
(IV) mounting
The Mount nacespace is used for isolating Mount points of the file system, so that different Mount nacespace has independent Mount point information and different nacespace cannot influence each other.
1. And (3) mounting: a storage device is typically attached to an existing directory, and access to this directory is to access the contents of the storage device.
For the Linux system, all files are placed in a tree directory structure starting from a root directory, and any hardware device is in the form of a file. For example, linux wants to use a hardware device of a usb disk, and a directory of Linux itself and a file directory of the hardware device must be combined into one, which is called mounting.
2. Mounting point: the mount operation conceals the files in the original Linux directory, so that the Linux directory is selected, preferably a new empty operation directory is created for mounting, and after mounting, the operation directory is called a mount point.
3. Root directory
Root directory of Linux system (/): the file system of Linux and UNIX is a hierarchical tree file structure rooted at "/", which is therefore referred to as a root directory. Each file and directory starts here.
Only root users have write rights under the directory. The directory and/or root directory are different, and/root directory is the master directory of the root user.
In linux, the root directory "/" is the top-level directory of the directory structure of the file system, and is the top-level directory, and all files and directories are placed under the root directory "/"; the root directory "/" is also followed by subdirectories "/bin", "/home", "/usr", etc.
(V) Linux user and user group
The system manager authorizes each process to use a given user identifier (USER Ientification, UID). Each initiated process has a user UID that initiates the process. The child process has the same UID as the parent process. The users may be members of a group, each group also having a user group identification (Group Identification, GID).
1. User identifier UID: the system is used to distinguish integers from different users.
Linux uses a 32-bit integer record and distinguishes between different users. This number distinguishing between different users is called User ID, UID for short. Users in Linux systems are classified into 3 types, namely, ordinary users, root users and system users.
The root user, also called an administrator account, is typically UID 0. The root user can manage the general user and the whole system. The general user refers to all real users using the Linux system, for example, the UID of the general user may be specified by an administrator at the time of creation, and if the UID of the general user is not specified, the UID may be more than 500; the user's UID may also be numbered from 1000 to 60000 by default. The system user refers to a user who is necessary for the system to operate, but is not a real user, that is, the system user is automatically created in the installation process and does not have the capability of logging into the system.
2. User group identifier GID: the system is used to distinguish integers from different user groups.
In the Linux system, there are users and also user groups. The different user groups are also distinguished by numbers, and such an ID for distinguishing the different user groups is called a Group ID, i.e., GID.
The UID and GID are managed by the Linux kernel and decide whether a certain request should be granted privileges through a kernel-level system call. For example, when a process attempts to write to a file, the kernel checks the UID and GID of the creating process to determine if it has sufficient rights to modify the file.
All containers running on the same host share the same kernel (the kernel of the host). The great value of containerization is that all of these separate containers (in essence processes) can share a kernel. This means that even if hundreds or thousands of containers are running on the docker host, there is still only one set of UID and GID controlled by the kernel. The same UID represents the same user in the host and container (even though different usernames are displayed in different places).
And (six) a sleb is a memory allocation mechanism of the Linux operating system, and a sleb allocation algorithm adopts a cache to store kernel objects.
The task is to aim at objects which are often distributed and released, such as process descriptors, and the sizes of the objects are generally smaller, if the distribution and release are directly performed by adopting a partner system, a large amount of memory fragments are caused, and the processing speed is too slow. The slot allocator manages based on the objects, and the objects of the same type are classified into one type (such as a process descriptor is one type), so that each time an object is applied, the slot allocator allocates a unit with the size from a slot list, and when the object is released, the unit is saved in the list again, and the unit is not returned to a partner system directly, so that internal fragments are avoided. The sleb allocator does not discard the allocated objects, but releases them and saves them in memory. When a new object is later requested again, it can be obtained directly from the sleb without repeated initialization.
The organization of an object cache, the memory area of the cache is divided into a plurality of slebs, each consisting of one or more consecutive page frames containing both allocated objects and free objects.
The slab allocation algorithm uses cache to store kernel objects. When a cache is created, several objects marked as free are initially included. The number of objects is related to the size of the sleb. Initially, all objects are marked as idle. When the object of the kernel data structure is needed, the object can be directly obtained from the cache and initialized to be used.
Consider next how a kernel assigns a slot to an object representing a process descriptor. In Linux systems, the type of process descriptor is struct task_struct, which is about 1.7KB in size. When the Linux kernel creates a new task, it obtains the memory required by the struct task_struct object from the cache. There will be allocated structtask_struct objects marked as free on the Cache to fulfill the request.
There are three states for the slot of Linux:
full: all objects in the sleb are marked for use.
Empty: all objects in the sleb are marked as idle.
Part (c): objects in a sleb are marked as used and some are marked as free.
The sleb allocator allocates from a partially idle sleb first. If so, allocation is made from an empty slot. If not, a new slot is allocated from the physical continuous page and assigned to a cache, and then space is allocated from the new slot.
The following examples exemplify a case where the container escapes.
First, the data structure task_struct of the process is introduced.
In Linux systems, each process includes a process control block PBC, i.e., a data structure (task_struct), containing all the information of the process in the kernel. The task_struct of a process includes the following information:
(1) Process identification: comprising PID/UID or GID
(2) State of process
(3) Process scheduling information
(4) Process priority
(5) Process communication information
(6) And (5) mounting point identification: a file system fs indicating that the process can operate, including reading and writing files
(7) Identification of the namespace in which the process resides (nsproxy): namespace for identifying the process
Wherein:
nsproxy: the pointer points to the nascent related field, and it is known by nsproxy which pidnascent the task_struct belongs to.
Since the Linux kernel provides multiple namespaces, such as PID namespaces, a process may belong to multiple namespaces. For the purpose of simplifying task_struct, the kernel introduces nsproxy to uniformly manage the nacespace to which the process belongs.
nsproxy stores a set of pointers to various types of nasspace, acting as a proxy for processes accessing various nasspace. Since there may be multiple processes in the same Namespace, nsproxy may be shared among processes, and the count field in nsproxy is responsible for recording the number of references to the structure.
2. Identification of initial namespace init_nsproxy: the system predefines an init_nsproxy, which serves as default nsproxy. init_nsproxy is a defined initial global namespace in which pointers to the initial namespace objects of the subsystems are stored, with higher permissions.
Based on the above, an attacker can tamper the nsproxy in the process task_struct into init_nsproxy by using some kernel vulnerabilities, thereby completing the right-raising.
Next, a prior art is described which can detect the escape of the container.
In 2019, a primary detection mechanism is provided by external open source, and by detecting whether the nsproxy of the process is init_nsproxy, whether the current process is a root process and whether the level of the current process is 0, the behavior escaping to init nassphere is detected. The root process refers to a process running with root rights. The specific detection process can be seen in fig. 2.
As shown in fig. 2, the host may first obtain a task_struct of the current process, and obtain nsproxy from the task_struct; ending the test when nsproxy is not initnsproxy; when nsproxy is initnsproxy, checking whether UID or GID of the current process is the UID or GID of the root user; ending the detection when the UID or the GID of the current process is not the UID or the GID of the root user; checking whether the level of the name space of the current process is 0 when the UID or the GID of the current process is the UID or the GID of the root user; ending the detection when the level of the name space of the current process is 0; when the UID or level of the GID of the current process is not 0, determining that the process has container escape, and prompting warning information (namely warning).
The detection principle of fig. 2 is that assuming that the nsproxy of the process is init nsproxy, the process is a root process, the level is 0, which means that the root process is the level of 0, since the level is 0, the namerspace of all child nodes can be operated, but the namerspace of the mount point in the nsproxy data structure is single, so here all the namerspace other than fs is acquired.
Where level represents the level at which different nasspace are located. level indicates which layer the naspace is at. When passing through a clone or a fork child process, it can be specified whether to create a new naspec, if not, the default integration parent process's naspec is default, otherwise, a new naspec is created, with the level in the task_struct incremented by 1.
However, the approach shown in FIG. 2 does not address container escape caused by some other kernel vulnerabilities. For example, an attacker changes the UID and GID in the task_stro ct structure body to the UID and GID of the root user, and changes the level of the current process to 0, so that the detection mechanism shown in fig. 2 can be bypassed; for another example, when an attacker tampers the operation directory (i.e. mount point) of the attack process to the root directory by using the kernel vulnerability, the detection mechanism shown in fig. 2 may be bypassed, so as to implement the behavior of acquiring the nasespace of fs.
The system architecture and the service scenario of the embodiments of the present application are described below. It should be noted that, the system architecture and the service scenario described in the present application are for more clearly describing the technical solution of the present application, and do not constitute a limitation on the technical solution provided in the present application, and those skilled in the art can know that, with the evolution of the system architecture and the appearance of the new service scenario, the technical solution provided in the present application is also applicable to similar technical problems.
In order to more clearly and specifically describe the method for detecting the escape of the container provided by the embodiment of the present application, the detection system provided by the embodiment of the present application is described below.
Referring to fig. 3, fig. 3 is a schematic diagram of a detection system according to an embodiment of the present application.
As shown in fig. 3, the system includes a physical machine, one or more Virtual Machines (VMs) running on top of the operating system of the physical machine (only virtual machine 1, virtual machine 2, virtual machine 3 are shown in fig. 3).
The physical machine is responsible for managing and distributing hardware resources, and presents a virtual hardware platform for the virtual machine, for example, provides a virtual CPU, a memory, a virtual disk, a virtual network card and the like for the virtual machine. One or more containers may be created in the virtual machine, two containers in virtual machine 1, container 1 and container 2 being exemplarily shown in fig. 3; two containers in the virtual machine 2, container 3 and container 4; two containers in the virtual machine 3, container 5 and container 6. The virtual machine may utilize a container to provide a relatively independent and isolated operating environment for the process, e.g., container 1 supports operation of process 1 and container 2 supports operation of process 2.
Wherein:
(1) Virtual machine: refers to one or more virtual computers that are emulated on a physical computer, which may function as if they were a real physical computer.
(2) Process (process): is the entity that executes the instructions and processes can be used to cause programs to run to execute the various instructions.
(3) A container: for providing relatively independent and isolated operating environments for processes, the container illustratively contains independent file systems, namespaces, resource views, and the like. Examples of containers: after a process runs in the environment provided by the container, the container may be referred to as a container instance.
In some embodiments, the physical machine may include: a central processing unit (Central Processing Unit, CPU), a memory, a Hard disk, a main board, a 3D processing graphics card, and the like, and based on these hardware, a virtual machine management (Virtual Machine Manager, VMM) module and at least one virtual machine may be included in the physical machine, and the VMM and the VM are software modules in the physical machine, wherein:
the CPU is used for executing various logic calls; the VMM is used for creating at least one virtual machine and virtualizing physical resources in the physical machine into a plurality of virtual resources for the virtual machine to use; within each virtual machine are independent storage and computing units, and each virtual machine is similar in function and structure.
The method for detecting the escape of the container provided by the embodiment of the application is executed by a host machine, and the host machine can be the physical machine or the virtual machine.
It is understood that the detection system shown in fig. 3 is merely an exemplary implementation of the embodiments of the present application, and the system architecture in the embodiments of the present application includes, but is not limited to, the above architecture.
Because the host is a shared kernel, when an attacker escapes to the privileged container by utilizing the kernel vulnerability, the escape behavior can be effectively detected by the method for detecting the container escape provided by the embodiment of the application, and corresponding countermeasures can be taken for the behavior. Among them, the privilege container refers to some namespace with higher authority, such as init_nsproxy.
Next, some scenarios in which the method for detecting container escape according to the embodiments of the present application is applied will be exemplarily described. The method for detecting the container escape can detect that the container escape occurs in the processes in the following three scenes.
In the first scenario, an attacker may use a kernel vulnerability to modify UID or GID of a process to 0, modify nsproxy of the process to init_nsproxy, modify level of a namespace of the process to 0, i.e., UID or gid=0, tsk- > nsproxy=init_nsproxy, PID- > level=0, and when a detection program (dmesg) does not detect a log, the detection shown in fig. 2 may be successfully bypassed; then the attacker can get other nasspace than the mount namespace through the process.
In this scenario, the container escape can be detected by the method of detecting container escape shown in fig. 6 or fig. 7.
In the second scenario, an attacker can modify the user identifier UID or GID of a process to 0 and modify the mount point (tsk- > fs) to the root directory (init_task- > fs) by using the kernel vulnerability, and successfully bypasses the detection shown in fig. 2; then the attacker can acquire the naspace of the mount file system through the process. For example, as shown in fig. 4, assuming that the process before modification can only acquire the content of the rop directory, when an attacker modifies its UID or GID to 0 and modifies the mount point to the root directory, the modified process can acquire the mount file system fs, i.e. can acquire the namespace of fs.
In this scenario, the container escape can be detected by the method of detecting container escape shown in fig. 8A to 9B.
In a third scenario, an attacker may use a kernel vulnerability to modify the user identifier UID or GID of a process to 0, modify the nsproxy of the process to init_nsproxy, modify the level of the namespace of the process to 0, i.e., tsk- > nsproxy=init_nsproxy, PID- > level=0, tsk- > fs to init_task- > fs, and successfully bypass the detection shown in fig. 2; then the attacker can acquire all the nasspace through the process. As shown in fig. 5, the modified process may obtain the rights of the root user; further, a host name (hostname) of the host is acquired; acquiring network card information of a host; and obtaining the file mount of the host.
In this scenario, the container escape can be detected by the method of detecting container escape shown in fig. 6 or fig. 7.
The method for detecting container escape provided in the embodiments of the present application is described in detail below.
Referring to fig. 6, fig. 6 is a method for detecting container escape according to an embodiment of the present application. The method may comprise some or all of the following steps:
s101: the host detects whether the namespace in which the process resides is an initial namespace.
In one implementation, the host may obtain a data structure (task_struct) of the process, where the task_struct includes an identifier nsproxy of a namespace in which the process is located; the host can detect whether the namespace where the process is located is an initial namespace (task- > nsproxy= init nsproxy); when the identifier nsproxy of the namespace where the process is located is determined to be equal to the identifier init_nsproxy of the initial namespace, determining that the namespace where the process is located is the initial namespace; when determining that the namespace where the process is located is the initial namespace, executing step S102; when it is determined that the namespace in which the process is located is not the initial namespace, step S104 is performed.
In some embodiments, the host may start to detect whether the current process has escape behavior when the current process is invoked by the system, or when the current process performs a process scheduling, process exit, or a copy-on-a-space (copy-on) operation, i.e., start to execute step S101. It should be noted that the present application may be applied to a scene with high real-time performance for escape detection.
It should be noted that nsproxy stores a set of pointers to each type of nacespace, which acts as a proxy for processes accessing each nacespace. Since there may be multiple processes in the same Namespace, nsproxy may be shared among the processes; init_nsproxy stores pointers to the initial namespace objects of the subsystems, with higher permissions. The process may access all namespaces except the mount file system fs, and to ensure the security of the namespaces, the embodiment of the present application may execute step S102 to continue to detect the process.
S102: the host detects whether the address of the buffer to which the process belongs is equal to the address in the namespace to which the process belongs.
In one implementation, the host may obtain the address space pid_cache of the process; further, based on the pid_cache, determining an address slab_cache of a cache region corresponding to the process; when the slab_cache is equal to the address pid_cache in the namespace where the process is located, determining that the address of the cache region where the process belongs is equal to the address in the namespace where the process is located.
In some embodiments, the host executes step S104 when the address of the buffer to which the process belongs is equal to the address in the namespace to which the process belongs; when the address of the buffer area to which the process belongs is not equal to the address in the namespace to which the process belongs, step S103 is executed.
It should be noted that, for the problem of container escape realized by modifying the napepaace related data structure by using the kernel vulnerability, a detection mechanism based on a slab_cache is added in the kernel code, so that the behavior of detecting the container escape can be enhanced.
S103: the host machine prompts alarm information which is used for prompting the process to generate container escape.
In some embodiments, the host may display on the screen alert information indicating that container escape occurred with the current process. The alert information may include information of the current process.
It should be noted that, the host may also use other methods for prompting the alert information, for example, recording the escape behavior of the current process through the kernel dmesg, and restarting the host. The embodiment of the application does not limit the mode of prompting the warning information by the host.
S104: the host ends the detection.
In one implementation, the host ends the detection upon determining that the namespace in which the process resides is not the initial namespace. It should be noted that, if the nsproxy of the process is init_nsproxy, the process may access all namespaces except the fs of the file system to be mounted, and in order to ensure the security of the namespaces, in this embodiment of the present application, the process needs to be detected; if the process 'nsproxy is not init_nsproxy, the host may end the process' detection.
In another implementation, the host ends the detection when it determines that the address in the cache to which the process belongs is equal to the address in the namespace in which the process belongs. It should be noted that, the reliability of the address of the buffer area to which the process belongs is high, and the address of the buffer area to which the process belongs is equal to the address in the namespace to which the process belongs, it can be proved that the process actually has the right to access the namespace to which the process belongs, so that the detection of the process can be ended.
The method embodiment shown in fig. 6 includes many possible implementations, and a part of the implementations are described below with reference to fig. 7, where it should be noted that related concepts, operations or logical relationships not explained in fig. 7 may be described with reference to the corresponding descriptions in the embodiment shown in fig. 6.
Referring to fig. 7, fig. 7 is a flowchart of another method for detecting container escape according to an embodiment of the present disclosure. The method may comprise some or all of the following steps:
s201: the host obtains the data structure of the process.
The data structure (task_struct) may include an identifier nsproxy of a namespace where the process is located, a user identifier UID or GID, and a hierarchy (level) of the namespace where the process is located.
In some embodiments, the host may start to detect whether the current process has escape behavior when the current process is invoked by the system, or when the current process performs a process scheduling, process exit, or a namespace copy related operation, i.e. start to execute step S201. It should be noted that the present application may be applied to a scene with high real-time performance for escape detection.
The task_struct is a process control block PCB under Linux, and all information of a process is contained in the PCB, including UIDs of the process and the like.
It should be noted that, the process control blocks (process control block, PCBs) of different operating systems are different, and the PCBs are data structures for describing and controlling the running of the processes, are part of the process entities, and are the most important record-type data structures in the operating systems; the process control block of Linux is a data structure defined by a structure task_struct, which includes various information required for managing a process, such as nsproxy, etc.
S202: the host detects whether the namespace in which the process resides is an initial namespace.
In one implementation, the host may detect whether the namespace in which the process is located is an initial namespace (task- > nsproxy= initnsproxy), i.e. check whether the process task- > nsproxy is equal to init_proxy; when the identifier nsproxy of the namespace where the process is located is determined to be equal to the identifier init_nsproxy of the initial namespace, determining that the namespace where the process is located is the initial namespace; when determining that the namespace where the process is located is the initial namespace, executing step S203; otherwise, step S207 is performed.
S203: the host detects whether the user identity is the identity of the root user.
Wherein the user identification may be at least one of a user identifier UID and a user group identification GID; the identity of the root user may be zero.
In some embodiments, the host performs step S204 when at least one of the user identifier UID and the user group identification GID is zero; when it is determined that the user identification is not the identification of the root user, step S207 is performed.
S204: the host detects whether the hierarchy of the namespace where the process resides is zero.
In some embodiments, the host detects whether the process level is zero; when the level of the namespace where the process is located is zero, step S205 is executed; when it is determined that the hierarchy of the namespace in which the process is located is not zero, step S206 is performed.
Wherein, the level of the nacespace where the process is located: representing the level of the current namespace, the initial namespace has a level of 0, its child namespaces have a level of 1, which are incremented in turn, and the child namespaces are visible to the parent namespaces. From a given level setting, the kernel can infer how many IDs a process will be associated with.
S205: the host detects whether the address of the buffer to which the process belongs is equal to the address in the namespace to which the process belongs.
In one implementation, the host may obtain the address space pid_cache of the process; further, based on the pid_cache, determining an address of a cache region corresponding to the process, for example, finding a head address (virt_to_head_page) of the cache of the nacespace according to the pid_cache of the process, that is, finding a head address of the page according to the pid of the process; judging whether the detected value is identical to the pid_cache of the current nacespace, namely checking the SLab_cache of the process to be more than the pid cache of the process to be detected, namely detecting whether the detected value is identical to the SLab_cache of the nacespace where the process is located; when the slab_cache is equal to the address pid_cache in the namespace where the process is located, determining that the address of the cache region where the process belongs is equal to the address in the namespace where the process is located.
Wherein a page is a virtual address space of an object; the slab-cache refers to a slab manager pointed to by the current page, and the memory allocation is based on the cache; pid_cache is an address pointing to the sleb to which the pid is assigned.
In some embodiments, the host executes step S207 when the address of the buffer to which the process belongs is equal to the address in the namespace to which the process belongs; when the address of the buffer area to which the process belongs is not equal to the address in the namespace to which the process belongs, step S206 is performed.
It should be noted that, S205 is detection for a slice_cache, and the principle is that (1) a no merge attribute is created by a slice_cache of a nano space, and a merge operation is not allowed to be performed by a cache of a similar size; (2) When the pid_cache of the process is allocated, directly creating a new sleb cache; (the pid_cache of each process is different), that is, based on the no merge attribute, the process directly creates new memory at the time of creation, so there is no multiplexed scenario, i.e., the sleb address of each process must be different. When the memory is allocated when the attribute of the merge is designated, if the cache blocks which can be multiplexed and have similar sizes are found, the reference is directly made in an alias way, and the recreating is not performed.
S206: the host machine prompts alarm information which is used for prompting the process to generate container escape.
In some embodiments, the host may display on the screen alert information indicating that container escape occurred with the current process. The alert information may include information of the current process.
In one implementation, when determining that the address of the buffer area to which the process belongs is not equal to the address in the namespace to which the process belongs, the host determines that the escape behavior of the process is detected; further, the warning information is prompted.
It should be noted that, the host may also use other methods for prompting the alert information, for example, recording the escape behavior of the current process through the kernel dmesg, and restarting the host. The embodiment of the application does not limit the mode of prompting the warning information by the host.
S207: the host ends the detection.
In one implementation, the host ends the detection upon determining that the namespace in which the process resides is not the initial namespace. It should be noted that, if the nsproxy of the process is init_nsproxy, the process may access all namespaces except the fs of the file system to be mounted, and in order to ensure the security of the namespaces, in this embodiment of the present application, the process needs to be detected; if the process 'nsproxy is not init_nsproxy, the host may end the process' detection.
In another implementation, the host ends the detection upon determining that the user identification of the process is not the identification of the root user. It should be noted that, when the user identifier of the process is not the identifier of the root user, the process has lower authority, and the container has lower possibility of escaping, so that the detection is ended.
In yet another implementation, the host ends the detection when it determines that the address in the cache to which the process belongs is equal to the address in the namespace in which the process belongs. It should be noted that, the reliability of the address of the buffer area to which the process belongs is high, and the address of the buffer area to which the process belongs is equal to the address in the namespace to which the process belongs, it can be proved that the process actually has the right to access the namespace to which the process belongs, so that the detection of the process can be ended.
Referring to fig. 8A, fig. 8A is a flowchart of a method for detecting container escape according to an embodiment of the present disclosure. The method may comprise some or all of the following steps:
s301: the host detects whether the mount point of the process is a root directory.
In one implementation, the host may obtain a data structure (task_struct) of the process, where the task_struct includes a mount point identifier fs of the process; the host can detect whether the mount point identifier of the process is a root directory identifier (task- > fs= init task. Fs), namely, check whether the task- > fs of the process is equal to the init_task- > fs; when the mounting point identification of the process is equal to the root directory identification, determining that the mounting point of the process is the root directory; when the mount point of the process is determined to be the root directory, executing step S302; otherwise, step S304 is performed.
In some embodiments, the host may start to detect whether the current process has escape behavior when the current process is invoked by the system, or when the current process performs a process scheduling, process exit, or a namespace copy related operation, that is, start to execute step S301. It should be noted that the present application may be applied to a scene with high real-time performance for escape detection.
Wherein the mounting point is an operation catalog. It should be noted that, the mount operation may hide the file in the original Linux directory, so that the Linux directory is selected, preferably a new empty operation directory is used for mounting, and after mounting, this operation directory is called a mount point.
The mount point identifies a file system fs for indicating that the process can operate, including reading and writing files, etc.
It should be noted that S301 is bypass detection for init_fs, that is, adding a fs-based detection mechanism to the kernel code, the escape behavior escaping to the root directory may be detected.
S302: the host detects whether the address of the buffer to which the process belongs is equal to the address in the namespace to which the process belongs.
In one implementation, the host may obtain the address space pid_cache of the process; further, based on the pid_cache, determining an address slab_cache of a cache region corresponding to the process; when the slab_cache is equal to the address pid_cache in the namespace where the process is located, determining that the address of the cache region where the process belongs is equal to the address in the namespace where the process is located.
In some embodiments, the host executes step S304 when the address of the buffer to which the process belongs is equal to the address in the namespace to which the process belongs; when the address of the buffer area to which the process belongs is not equal to the address in the namespace to which the process belongs, step S303 is executed.
S303: the host machine prompts alarm information which is used for prompting the process to generate container escape.
In some embodiments, the host may display on the screen alert information indicating that container escape occurred with the current process. The alert information may include information of the current process.
It should be noted that, the host may also use other methods for prompting the alert information, for example, recording the escape behavior of the current process through the kernel dmesg, and restarting the host. The embodiment of the application does not limit the mode of prompting the warning information by the host.
S304: the host ends the detection.
In one implementation, the host ends the detection upon determining that the mount point of the process is not the root directory. It should be noted that, if the mount point of the process is a root directory, the process may access all files except the file system fs, and in order to ensure security of all files of the file system fs, in this embodiment, the process needs to be detected; if the mount point of the process is the root directory, the host may end the detection of the process.
In another implementation, the host ends the detection when it determines that the address in the cache to which the process belongs is equal to the address in the namespace in which the process belongs. It should be noted that, the reliability of the address of the buffer area to which the process belongs is high, and the address of the buffer area to which the process belongs is equal to the address in the namespace to which the process belongs, it can be proved that the process actually has the right to access the namespace to which the process belongs, so that the detection of the process can be ended.
The method embodiment shown in fig. 8A includes many possible implementations, and a part of the implementations are illustrated in the following description with reference to fig. 8B, where relevant concepts, operations, or logical relationships not explained in fig. 8B may be described with reference to the corresponding descriptions in the embodiment shown in fig. 8A.
Referring to fig. 8B, fig. 8B is a flowchart of another method for detecting container escape according to an embodiment of the present disclosure. The method may comprise some or all of the following steps:
s401: the host obtains the data structure of the process.
The data structure (task_struct) may include a mount point identifier of the process, a user identifier UID or GID, and a level of a namespace where the process is located.
In some embodiments, the host may start to detect whether the current process has escape behavior when the current process is invoked by the system, or when the current process performs a process scheduling, process exit, or a namespace copy related operation, that is, start to execute step S401. It should be noted that the present application may be applied to a scene with high real-time performance for escape detection.
S402: the host detects whether the mount point of the process is a root directory.
In one implementation, the host may obtain a data structure (task_struct) of the process, where the task_struct includes a mount point identifier fs of the process; the host can detect whether the mount point identifier of the process is a root directory identifier (task- > fs= init task.fs); when the mounting point identification of the process is equal to the root directory identification, determining that the mounting point of the process is the root directory; when the mount point of the process is determined to be the root directory, executing step S403; otherwise, step S407 is performed.
S403: the host detects whether the user identity is the identity of the root user.
In one implementation, the host checks if the user identity is that of the ROOT user, i.e., checks if the UID/GID of the process is the current process is the ROOT process.
Wherein the user identification may be at least one of a user identifier UID and a user group identification GID; the identity of the root user may be zero.
In some embodiments, the host performs step S404 when at least one of the user identifier UID and the user group identification GID is zero; when it is determined that the user identification is not the identification of the root user, step S407 is performed.
S404: the host detects whether the hierarchy of the namespace where the process resides is zero.
In some embodiments, the host detects whether the level of the process is zero, i.e., checks whether the level of the nsproxy of the process is the level of init_proxy (0); when the level of the namespace where the process is located is zero, step S405 is executed; when it is determined that the hierarchy of the namespace in which the process is located is not zero, step S406 is performed.
S405: the host detects whether the address of the buffer to which the process belongs is equal to the address in the namespace to which the process belongs.
In one implementation, the host may obtain the address space pid_cache of the process; further, determining an address slice_cache of a cache region corresponding to the process based on the pid_cache, for example, finding a first address (virt_to_head_page) of the slice_cache of the nacespace according to the pid_cache of the process; judging whether the detected value is the same as the pid_cache of the current nacispace, namely checking the slab_cache of the process to be the same as the pid_cache of the current nacispace; when the slab_cache is equal to the address pid_cache in the namespace where the process is located, determining that the address of the cache region where the process belongs is equal to the address in the namespace where the process is located.
Wherein a page is a virtual address space of an object; the slab-cache refers to a slab manager pointed to by the current page, and the memory allocation is based on the cache; pid_cache is an address pointing to the sleb to which the pid is assigned.
In some embodiments, the host executes step S407 when the address of the buffer area to which the process belongs is equal to the address in the namespace to which the process belongs; when the address of the buffer area to which the process belongs is not equal to the address in the namespace to which the process belongs, step S406 is performed.
It should be noted that, S405 is detection for a slice_cache, and the principle is that (1) a no merge attribute is created by a slice_cache of a nano space, and a merge operation is not allowed to be performed by a cache of a similar size; (2) When the pid_cache of the process is allocated, directly creating a new sleb cache; (the pid_cache of each process is different), that is, based on the no merge attribute, the process directly creates new memory at the time of creation, so there is no multiplexed scenario, i.e., the sleb address of each process must be different. When the memory is allocated when the attribute of the merge is designated, if the cache blocks which can be multiplexed and have similar sizes are found, the reference is directly made in an alias way, and the recreating is not performed.
S406: the host machine prompts alarm information which is used for prompting the process to generate container escape.
In some embodiments, the host may display on the screen alert information indicating that container escape occurred with the current process. The alert information may include information of the current process.
It should be noted that, the host may also use other methods for prompting the alert information, for example, recording the escape behavior of the current process through the kernel dmesg, and restarting the host. The embodiment of the application does not limit the mode of prompting the warning information by the host.
S407: the host ends the detection.
In one implementation, the host ends the detection upon determining that the mount point of the process is not the root directory. It should be noted that, if the mount point of the process is a root directory, the process may access all files except the file system fs, and in order to ensure security of all files of the file system fs, in this embodiment, the process needs to be detected; if the mount point of the process is the root directory, the host may end the detection of the process.
In another implementation, the host ends the detection upon determining that the user identification of the process is not the identification of the root user. It should be noted that, when the user identifier of the process is not the identifier of the root user, the process has lower authority, and the container has lower possibility of escaping, so that the detection is ended.
In yet another implementation, the host ends the detection when it determines that the address in the cache to which the process belongs is equal to the address in the namespace in which the process belongs. It should be noted that, the reliability of the address of the buffer area to which the process belongs is high, and the address of the buffer area to which the process belongs is equal to the address in the namespace to which the process belongs, it can be proved that the process actually has the right to access the namespace to which the process belongs, so that the detection of the process can be ended.
In other embodiments, the host may perform the methods of fig. 7 and fig. 8A at the same time, that is, after acquiring the data structure of the process, the host may perform steps S202 and S402, and perform steps S203 to S207 or S403 to S407 when the process satisfies that the namespace in which the process is located is the initial namespace and the mount point of the process is any one of the root directories, where the method includes detecting the nas_cache that escapes to fs and detecting a detection mechanism that detects the slab_cache, and may detect the behavior of acquiring all the nas_cache because of modifying the nas_cache escape.
Referring to fig. 9A, fig. 9A is a flowchart of a method for detecting container escape according to an embodiment of the present disclosure. The method may comprise some or all of the following steps:
S501: the host detects whether the mount point of the process is a root directory.
In one implementation, the host may obtain a data structure (task_struct) of the process, where the task_struct includes a mount point identifier fs of the process; the host can detect whether the mount point identifier of the process is a root directory identifier (task- > fs= init task.fs); when the mounting point identification of the process is equal to the root directory identification, determining that the mounting point of the process is the root directory; when the mount point of the process is determined to be the root directory, executing step S502; otherwise, step S504 is performed.
In some embodiments, the host may start to detect whether the current process has escape behavior when the current process is invoked by the system, or when the current process performs a process scheduling, process exit, or a namespace copy related operation, that is, start to execute step S501. It should be noted that the present application may be applied to a scene with high real-time performance for escape detection.
Wherein the mounting point is an operation catalog. It should be noted that, the mount operation may hide the file in the original Linux directory, so that the Linux directory is selected, preferably a new empty operation directory is used for mounting, and after mounting, this operation directory is called a mount point.
The mount point identifies a file system fs for indicating that the process can operate, including reading and writing files, etc.
It should be noted that S501 is bypass detection for init_fs, that is, an fs-based detection mechanism is added to the kernel code, so that escape behavior from escaping to the root directory can be detected.
S502: the host machine detects whether target data in a data structure of the process accords with preset conditions.
In some embodiments, the host may obtain the target data from the data structure of the process; further, whether the target data meets preset conditions is detected.
In one implementation, the target data is a hierarchy of namespaces where; the host determines whether the hierarchy of the namespace where the process is located is zero; when it is determined that the hierarchy of the namespace where the process is located is zero, it is determined that the target data in the data structure of the process meets the preset condition, and step S503 is executed. It should be noted that, since the level of the namespace where the process is located is zero, the process is proved to have higher authority, so that an alarm is given.
In another implementation, the target data is a user identification of the process; the host can detect whether the user identification of the process is the identification of the root user; when it is determined that the user identifier of the process is the identifier of the root user, it is determined that the target data in the data structure of the process meets the preset condition, and step S503 is executed. It should be noted that, because the user identifier of the process is the identifier of the root user, the process is proved to have higher authority, so that an alarm is given.
Wherein the user identification may be at least one of a user identifier UID and a user group identification GID; the identity of the root user may be zero.
In some embodiments, when determining that the target data in the data structure of the process meets the preset condition, the host machine executes step S504; otherwise, step S503 is performed.
S503: the host machine prompts alarm information which is used for prompting the process to generate container escape.
In some embodiments, the host may display on the screen alert information indicating that container escape occurred with the current process. The alert information may include information of the current process.
It should be noted that, the host may also use other methods for prompting the alert information, for example, recording the escape behavior of the current process through the kernel dmesg, and restarting the host. The embodiment of the application does not limit the mode of prompting the warning information by the host.
S504: the host ends the detection.
In one implementation, the host ends the detection upon determining that the mount point of the process is not the root directory. It should be noted that, if the mount point of the process is a root directory, the process may access all files except the file system fs, and in order to ensure security of all files of the file system fs, in this embodiment, the process needs to be detected; if the mount point of the process is the root directory, the host may end the detection of the process.
In another implementation, the host ends the detection upon determining that the user identification of the process is not the identification of the root user. It should be noted that, when the user identifier of the process is not the identifier of the root user, the process has lower authority, and the container has lower possibility of escaping, so that the detection is ended.
The method embodiment shown in fig. 9A includes many possible implementations, and a part of the implementations are illustrated in the following description with reference to fig. 9B, where relevant concepts, operations, or logical relationships not explained in fig. 9B may be described with reference to the corresponding descriptions in the embodiment shown in fig. 9A.
Referring to fig. 9B, fig. 9B is a flowchart of another method for detecting container escape according to an embodiment of the present disclosure. The method may comprise some or all of the following steps:
s601: the host obtains the data structure of the process.
The data structure (task_struct) may include a mount point identifier of the process, a user identifier UID or GID, and a level of a namespace where the process is located.
In some embodiments, the host may start to detect whether the current process has escape behavior when the current process is invoked by the system, or when the current process performs a process scheduling, process exit, or a namespace copy related operation, that is, start to execute step S601. It should be noted that the present application may be applied to a scene with high real-time performance for escape detection.
S602: the host detects whether the mount point of the process is a root directory.
In one implementation, the host may obtain a data structure (task_struct) of the process, where the task_struct includes a mount point identifier fs of the process; the host can detect whether the mount point identifier of the process is a root directory identifier (task- > fs= init task.fs); when the mounting point identification of the process is equal to the root directory identification, determining that the mounting point of the process is the root directory; when it is determined that the mount point of the process is the root directory, step S603 is executed; otherwise, step S606 is performed.
S603: the host detects whether the user identity is the identity of the root user.
Wherein the user identification may be at least one of a user identifier UID and a user group identification GID; the identity of the root user may be zero.
In some embodiments, the host performs step S604 when at least one of the user identifier UID and the user group identification GID is zero; upon determining that the user identification is not the identification of the root user, step S606 is performed.
S604: the host detects whether the hierarchy of the namespace where the process resides is zero.
In some embodiments, the host detects whether the process level is zero; when the level of the namespace where the process is located is not zero, step S605 is executed; when it is determined that the hierarchy of the namespace where the process is located is zero, step S606 is performed.
S605: the host machine prompts alarm information which is used for prompting the process to generate container escape.
In some embodiments, the host may display on the screen alert information indicating that container escape occurred with the current process. The alert information may include information of the current process.
It should be noted that, the host may also use other methods for prompting the alert information, for example, recording the escape behavior of the current process through the kernel dmesg, and restarting the host. The embodiment of the application does not limit the mode of prompting the warning information by the host.
S606: the host ends the detection.
In one implementation, the host ends the detection upon determining that the mount point of the process is not the root directory. It should be noted that, if the mount point of the process is a root directory, the process may access all files except the file system fs, and in order to ensure security of all files of the file system fs, in this embodiment, the process needs to be detected; if the mount point of the process is the root directory, the host may end the detection of the process.
In another implementation, the host ends the detection upon determining that the user identification of the process is not the identification of the root user. It should be noted that, when the user identifier of the process is not the identifier of the root user, the process has lower authority, and the container has lower possibility of escaping, so that the detection is ended.
The foregoing details the method of embodiments of the present application, and the apparatus of embodiments of the present application is provided below.
Referring to fig. 10, fig. 10 is a schematic structural diagram of a device 100 for detecting container escape according to an embodiment of the present disclosure. The apparatus 100 may comprise an acquisition unit 1001 and a presentation unit 1002, and may further comprise a determination unit 1003. The container escape detection device 100 is used to implement the container escape detection method described above, for example, the container escape detection method according to any one of the embodiments shown in fig. 6 or 7.
The container escape detection device 100 includes:
an obtaining unit 1001, configured to obtain an address of a cache region to which a process belongs when determining that a namespace to which the process belongs is an initial namespace;
the prompting unit 1002 is configured to prompt, when it is determined that the address of the buffer area to which the process belongs is not equal to the address in the namespace to which the process belongs, alarm information, where the alarm information is used to prompt the process to generate container escape.
In the embodiment of the application, the namespace where the process is located is an initial namespace, that is, a namespace which represents that the process can be indicated by init_nsproxy, so as to ensure the safety of the namespace; therefore, the host can detect the process based on the address sleb_cache of the buffer area to which the process belongs; because the reliability of the slab-cache is higher, the slab-cache is compared with the address pid-cache in the name space where the process is located; when the two are different, it can be determined that the process does not have permission to access the namespace indicated by init_nsproxy, that is, the process is maliciously tampered with, and the container escapes. The method has high accuracy and can effectively detect the escape of the container.
It should be noted that, in the embodiment of the present application, a detection mechanism based on a mount point is added in the kernel code, so that a behavior of escaping into the root directory can be detected, and a container escaping behavior of utilizing the occurrence of kernel holes is effectively monitored, thereby improving system security.
In one possible implementation, the obtaining unit 1001 is configured to:
and acquiring the address of the buffer area corresponding to the process based on the address space of the process.
In the embodiment of the application, the address space pid_cache of the process is not easy to tamper, so that the reliability is high, and the reliability of the address slab_cache of the cache area corresponding to the process is high, which is determined based on the address space pid_cache of the process.
In one possible implementation of the present invention,
an obtaining unit 1001, configured to obtain a user identifier of a process when determining that a namespace where the process is located is an initial namespace;
an obtaining unit 1001 is configured to obtain, when determining that the user identifier is the identifier of the root user, an address of a cache area to which the process belongs.
In one possible implementation, the user identification is at least one of a user identifier UID and a user group identification GID; the identity of the root user is zero.
In one possible implementation, the obtaining unit 1001 is configured to:
When the namespace where the process is located is determined to be the initial namespace, acquiring a hierarchy level of the namespace where the process is located;
and when the hierarchy is determined to be zero, acquiring the address of the cache region to which the process belongs.
In a possible implementation, the apparatus further comprises a determining unit 1003,
an obtaining unit 1001, configured to obtain a data structure of a process; the data structure includes an identification of a namespace in which the process is located;
a determining unit 1003, configured to determine that the namespace where the process is located is an initial namespace when an identifier nsproxy of the namespace where the process is located is equal to an identifier init_nsproxy of the initial namespace.
It should be noted that the implementation of each unit may also correspond to the corresponding description of the embodiment shown in fig. 6 or fig. 7.
It should be understood that in the embodiments of the present application, the division of a plurality of units or modules is only a logic division according to functions, and is not limited to a specific structure of the apparatus. In a specific implementation, some of the functional modules may be subdivided into more tiny functional modules, and some of the functional modules may be combined into one functional module, where the general flow performed by the apparatus 100 during pairing is the same whether the functional modules are subdivided or combined. Typically, each unit corresponds to a respective program code (or program instruction), which when run on a processor causes the corresponding flow of the unit to carry out the corresponding function.
Referring to fig. 11, fig. 11 is a schematic structural diagram of a device 110 for detecting container escape according to an embodiment of the present disclosure. The apparatus 110 may include an acquisition unit 1101 and a presentation unit 1102, and may further include a determination unit 1103. The container escape detection device 110 is used to implement the container escape detection method described above, for example, the container escape detection method according to any one of the embodiments shown in fig. 8A or 8B.
The container escape detection device 110 includes:
an obtaining unit 1101, configured to obtain an address of a cache area to which a process belongs when it is determined that a mount point of the process is a root directory;
and the prompting unit 1102 is configured to prompt an alarm message when it is determined that the address of the buffer area to which the process belongs is not equal to the address in the namespace to which the process belongs, where the alarm message is used to prompt the process to generate container escape.
In the embodiment of the application, the mount point of the process is a root directory, that is, the process can access all files under the root directory, and in order to ensure the security of the files under the root directory, the process needs to be detected; therefore, the host can detect the process based on the address sleb_cache of the buffer area to which the process belongs; because the reliability of the address of the buffer area to which the process belongs is higher, the address of the buffer area to which the process belongs is compared with the address pid_cache in the name space to which the process belongs, and when the address pid_cache is unequal, the process is considered to have no authority to access all files under the root directory, the process is tampered maliciously, and the container escape condition occurs.
It should be noted that, in the embodiment of the present application, a detection mechanism based on a mount point is added in the kernel code, so that a behavior of escaping into the root directory can be detected, and a container escaping behavior of utilizing the occurrence of kernel holes is effectively monitored, thereby improving system security.
In one possible implementation, the obtaining unit 1101 is configured to:
and acquiring the address of the buffer area corresponding to the process based on the address space of the process.
In one possible implementation, the obtaining unit 1101 is configured to:
when determining that the name space of the process is the initial name space, acquiring a user identifier of the process;
and when the user identification of the process is determined to be the identification of the root user, acquiring the address of the cache region to which the process belongs.
In one possible implementation, the user identification is at least one of a user identifier UID and a user group identification GID; the identity of the root user is zero.
In one possible implementation, the obtaining unit 1101 is configured to:
acquiring a hierarchy of a namespace where a process is located when determining that the namespace where the process is located is an initial namespace;
and when the hierarchy is determined to be zero, acquiring the address of the cache region to which the process belongs.
In one possible implementation, the apparatus further includes a determining unit 1103,
An obtaining unit 1101, configured to obtain a data structure of a process; the data structure comprises a mounting point identifier of the process;
the determining unit 1103 is configured to determine that the mount point of the process is a root directory when the mount point identifier is a root directory identifier.
It should be noted that the implementation of each unit may also correspond to the corresponding description of the embodiment shown in fig. 8A or fig. 8B.
It should be understood that in the embodiments of the present application, the division of a plurality of units or modules is only a logic division according to functions, and is not limited to a specific structure of the apparatus. In a specific implementation, some of the functional modules may be subdivided into more tiny functional modules, and some of the functional modules may be combined into one functional module, where the general flow performed by the apparatus 100 during pairing is the same whether the functional modules are subdivided or combined. Typically, each unit corresponds to a respective program code (or program instruction), which when run on a processor causes the corresponding flow of the unit to carry out the corresponding function.
Referring to fig. 12, fig. 12 is a schematic structural diagram of another device 120 for detecting container escape according to an embodiment of the present disclosure. The apparatus 120 includes at least one processor 1201, at least one memory 1202, and at least one communication interface 1203. The processor 1201, the memory 1202 and the communication interface 1203 are connected via the communication bus and perform communication with each other.
The processor 1201 may be a general purpose Central Processing Unit (CPU), microprocessor, application Specific Integrated Circuit (ASIC), or one or more integrated circuits for controlling the execution of the above program.
A communication interface 1203 for communicating with other devices or communication networks, such as ethernet, radio Access Network (RAN), wireless local area network (Wireless Local Area Networks, WLAN), etc.
The Memory 1202 may be, but is not limited to, read-Only Memory (ROM) or other type of static storage device that can store static information and instructions, random access Memory (random access Memory, RAM) or other type of dynamic storage device that can store information and instructions, but may also be electrically erasable programmable read-Only Memory (EEPROM), compact disc read-Only Memory (Compact Disc Read-Only Memory) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be stand alone and coupled to the processor via a bus. The memory may also be integrated with the processor.
Wherein the memory 1202 is used for storing application program codes for executing the above schemes and is controlled to be executed by the processor 1201. The processor 1201 is configured to execute application code stored in the memory 1202.
The code stored by memory 1202 may perform any of the methods of detecting container escape provided above, such as:
when the name space of the process is determined to be the initial name space, the address of the buffer area of the process is acquired; when the address of the buffer area to which the process belongs is determined to be unequal to the address in the name space to which the process belongs, prompting alarm information, wherein the alarm information is used for prompting the process to generate container escape.
The embodiment of the application also provides electronic equipment, which comprises one or more processors and one or more memories; wherein the one or more memories are coupled to the one or more processors, the one or more memories being operable to store computer program code comprising computer instructions that, when executed by the one or more processors, cause the electronic device to perform the methods described in the above embodiments.
Embodiments of the present application also provide a computer program product comprising instructions which, when run on an electronic device, cause the electronic device to perform the method described in the above embodiments.
The embodiment of the application also provides a computer storage medium, wherein the computer storage medium can store a program, and the program can include part or all of the steps of any container escape detection device described in the embodiment of the method when being executed.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, such as the division of the units, merely a logical function division, and there may be additional manners of dividing the actual implementation, such as multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, or may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable memory. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a memory, including several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present application. And the aforementioned memory includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the various methods of the above embodiments may be implemented by a program that instructs associated hardware, and the program may be stored in a computer readable memory, which may include: flash disk, read-Only Memory (ROM), random access Memory (Random Access Memory, RAM), magnetic disk or optical disk.
The foregoing has outlined rather broadly the more detailed description of embodiments of the present application, wherein specific examples are provided herein to illustrate the principles and embodiments of the present application, the above examples being provided solely to assist in the understanding of the methods of the present application and the core ideas thereof; meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in light of the ideas of the present application, the present disclosure should not be construed as being limited to the above description.
Claims (15)
1. A method of detecting container escape, the method comprising:
when the host determines that the name space of the process is the initial name space, the host acquires the address of a cache region to which the process belongs;
and when the host determines that the address of the buffer area to which the process belongs is not equal to the address in the naming space to which the process belongs, prompting alarm information, wherein the alarm information is used for prompting the process to generate container escape.
2. The method of claim 1, wherein the obtaining the address of the cache region to which the process belongs comprises:
and the host acquires the address of the buffer area corresponding to the process based on the address space of the process.
3. The method according to claim 1 or 2, wherein when the host determines that the namespace in which the process is located is an initial namespace, the obtaining the address of the cache region to which the process belongs includes:
when the host determines that the name space where the process is located is an initial name space, acquiring a user identifier of the process;
and when the host determines that the user identifier is the identifier of the root user, acquiring the address of the cache region to which the process belongs.
4. A method according to claim 3, characterized in that the user identification is at least one of a user identifier UID and a user group identification GID; the identity of the root user is zero.
5. The method according to any one of claims 1-4, wherein when the host determines that the namespace in which the process is located is an initial namespace, obtaining the address of the cache region to which the process belongs includes:
When the host determines that the namespace where the process is located is an initial namespace, acquiring a hierarchy of the namespace where the process is located;
and when the level is determined to be zero, the host acquires the address of the cache region to which the process belongs.
6. The method of any of claims 1-5, wherein prior to the obtaining the address of the cache region to which the process belongs, the method further comprises:
the host acquires a data structure of the process; the data structure includes an identification of a namespace in which the process is located;
and when the identification of the name space where the process is located is equal to the identification of the initial name space, the host determines that the name space where the process is located is the initial name space.
7. A method of detecting container escape, the method comprising:
when the host determines that the mounting point of the process is a root directory, acquiring an address of a cache region to which the process belongs;
and when the host determines that the address of the buffer area to which the process belongs is not equal to the address in the naming space to which the process belongs, prompting alarm information, wherein the alarm information is used for prompting the process to generate container escape.
8. The method according to claim 7, characterized in that the method comprises:
and the host acquires the address of the buffer area corresponding to the process based on the address space of the process.
9. The method according to claim 7 or 8, wherein when the host determines that the namespace in which the process is located is an initial namespace, the obtaining the address of the cache region to which the process belongs includes:
when the host determines that the name space where the process is located is an initial name space, acquiring a user identifier of the process;
and the host acquires the address of the cache region to which the process belongs when determining that the user identifier of the process is the identifier of the root user.
10. The method of claim 9, wherein the user identification is at least one of a user identifier UID and a user group identification GID; the identity of the root user is zero.
11. The method according to any one of claims 7-10, wherein when the host determines that the namespace in which the process is located is an initial namespace, obtaining the address of the cache region to which the process belongs includes:
when the host determines that the namespace where the process is located is an initial namespace, acquiring a hierarchy of the namespace where the process is located;
And when the level is determined to be zero, the host acquires the address of the cache region to which the process belongs.
12. The method according to any of claims 7-11, wherein prior to said obtaining the address of the cache region to which the process belongs, the method further comprises:
the host acquires a data structure of a process; the data structure comprises a mounting point identifier of the process;
and when the mounting point identifier is the root directory identifier, the host determines that the mounting point of the process is the root directory.
13. A method of detecting container escape, the method comprising:
when the host determines that the mounting point of the process is a root directory, acquiring target data from a data structure of the process;
and when the target data accords with preset conditions, the host machine prompts alarm information, wherein the alarm information is used for prompting the process to generate container escape.
14. An electronic device comprising one or more processors and one or more memories; wherein the one or more memories are coupled to the one or more processors, the one or more memories for storing computer program code comprising computer instructions that, when executed by the one or more processors, cause the electronic device to perform the method of any of claims 1-13.
15. A computer readable storage medium comprising instructions which, when run on an electronic device, cause the electronic device to perform the method of any one of claims 1-14.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211200843.7A CN117827362A (en) | 2022-09-29 | 2022-09-29 | Container escape detection method, electronic equipment and system |
| PCT/CN2023/121088 WO2024067479A1 (en) | 2022-09-29 | 2023-09-25 | Container escape detection method, electronic device, and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211200843.7A CN117827362A (en) | 2022-09-29 | 2022-09-29 | Container escape detection method, electronic equipment and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117827362A true CN117827362A (en) | 2024-04-05 |
Family
ID=90476266
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211200843.7A Pending CN117827362A (en) | 2022-09-29 | 2022-09-29 | Container escape detection method, electronic equipment and system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN117827362A (en) |
| WO (1) | WO2024067479A1 (en) |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11222123B2 (en) * | 2019-04-22 | 2022-01-11 | Cyberark Software Ltd. | Securing privileged virtualized execution instances from penetrating a virtual host environment |
| CN111881453A (en) * | 2020-07-20 | 2020-11-03 | 北京百度网讯科技有限公司 | Container escape detection method and device and electronic equipment |
| CN114547594A (en) * | 2022-01-24 | 2022-05-27 | 华北电力大学 | Penetration attack detection method for intelligent Internet of things terminal container |
| CN114676424B (en) * | 2022-05-25 | 2022-09-06 | 杭州默安科技有限公司 | Container escape detection and blocking method, device, equipment and storage medium |
| CN114968494A (en) * | 2022-06-23 | 2022-08-30 | 杭州默安科技有限公司 | Container escape detection method and system |
-
2022
- 2022-09-29 CN CN202211200843.7A patent/CN117827362A/en active Pending
-
2023
- 2023-09-25 WO PCT/CN2023/121088 patent/WO2024067479A1/en unknown
Also Published As
| Publication number | Publication date |
|---|---|
| WO2024067479A1 (en) | 2024-04-04 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110612512B (en) | Protecting virtual execution environments | |
| US10445498B2 (en) | Systems and methods of application control in virtualized environments | |
| US9547346B2 (en) | Context agent injection using virtual machine introspection | |
| AU2014219466B2 (en) | Memory introspection engine for integrity protection of virtual machines | |
| EP3070604B1 (en) | Method and apparatus for accessing physical resources | |
| US8220029B2 (en) | Method and system for enforcing trusted computing policies in a hypervisor security module architecture | |
| EP2940615B1 (en) | Method and apparatus for isolating management virtual machine | |
| RU2723668C1 (en) | Event filtering for security applications of virtual machines | |
| US20190190845A1 (en) | Dynamic management of computing platform resources | |
| CN108241801B (en) | Method and device for processing system call | |
| CN117827362A (en) | Container escape detection method, electronic equipment and system | |
| US11301282B2 (en) | Information protection method and apparatus | |
| US20230401081A1 (en) | Software isolation of virtual machine resources | |
| US20220300314A1 (en) | Hypervisor-assisted secured memory sharing among host and guest operating system | |
| US11934857B2 (en) | Supporting execution of a computer program by using a memory page of another computer program | |
| CN112363796B (en) | Virtual machine shared memory allocation method and device and electronic equipment | |
| US11886900B1 (en) | Unikernel hypervisor for managing multi-process applications using unikernel virtual machines | |
| Johnson et al. | Extending the ITRON2 specification for MMU equipped processors |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |