CN108171050A - Fine-grained sandbox policy mining method for Linux containers - Google Patents

Info

Publication number
CN108171050A
Authority
CN (China)
Prior art keywords
container, target container, sandbox, behavior, monitoring
Legal status
Pending
Application number
CN201711483790.3A
Other languages
Chinese (zh)
Inventors
蔡亮, 万志远, 王新宇, 夏鑫, 杨小虎, 李善平
Current assignee
Zhejiang University ZJU
Original assignee
Zhejiang University ZJU
Priority date
2017-12-29
Filing date
2017-12-29
Publication date
2018-06-15
Events
Application filed by Zhejiang University ZJU
Priority to CN201711483790.3A
Publication of CN108171050A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45591 Monitoring or debugging support

Abstract

The present invention provides a fine-grained sandbox policy mining method for Linux containers. It automatically mines and generates a sandbox policy customized to a target container; the policy satisfies the principle of least privilege and reduces the attack surface by restricting the system call types and parameters available to the target container. The method comprises: a container behavior monitoring control module starts a Linux system monitoring tool and monitors and records the target container's system call behavior in real time; a container automated test module runs the target container's test cases, traversing and exercising the target container's functions; a sandbox policy generation module extracts the target container's system call behavioral features from the recorded monitoring data and converts them into a sandbox policy.

Description

Fine-grained sandbox policy mining method for Linux containers
Technical field
The present invention belongs to the field of computer technology and relates to cloud computing security. More specifically, it relates to a fine-grained sandbox policy mining method for Linux containers.
Background
Linux container technology uses namespaces to isolate resources such as processes, files and devices, giving users near-native performance and greatly reducing the overhead of virtualization. Docker containers are one of the most representative Linux container technologies.
The security of Linux containers has become an important factor limiting their wide adoption. The security problem mainly stems from the fact that the system call interface is not isolated by namespaces: all containers on the same host operating system share one system call interface. Through that interface an attacker can exploit kernel vulnerabilities to escalate privileges, execute arbitrary code, bypass access control and escape the isolation mechanism.
How can container security be improved? An intuitive approach is to place the container in a sandbox and restrict the container's access to the system call interface. Once a trusted container has been compromised, the sandbox limits, to some extent, the attacker's influence on the underlying operating system. System call interception is an effective technique for restricting a program's system call behavior, and sandboxing based on system call interception has attracted wide attention from both research and industry. Related work on sandboxing focuses on concrete implementation techniques and on securing the interception of system calls itself; however, generating an accurate and efficient sandbox policy for each Linux container remains challenging.
Summary of the invention
In view of the above problems, the present invention proposes a fine-grained sandbox policy mining method for Linux containers that automatically mines and generates a sandbox policy customized to the target container. The policy satisfies the principle of least privilege and reduces the attack surface by restricting the system call types and parameters of the target container.
The method comprises a container behavior monitoring control module, a container automated test module and a sandbox policy generation module, as shown in Fig. 1. The container behavior monitoring control module starts a Linux system monitoring tool and monitors and records the target container's system call behavior in real time; the container automated test module runs the target container's test cases, traversing and exercising the target container's functions; the sandbox policy generation module extracts the target container's system call behavioral features from the recorded monitoring data and converts them into a sandbox policy.
The fine-grained sandbox policy mining method for Linux containers specifically comprises the following steps:
Step 1: start the target container; the container behavior monitoring control module starts a Linux system monitoring tool and monitors and completely records the target container's system call behavior in real time;
Step 2: the container automated test module selects test cases according to the functions of the target container, then runs the test cases, traversing and exercising the target container's functions;
Meanwhile, the system monitoring tool monitors and completely records, in real time, the target container's system call behavior while each function is executed. For every system call access by the target container it records the timestamp, process id, system call type and parameter list at the system call entry, and the timestamp, process id, system call type and return value at the system call exit.
Step 3: the sandbox policy generation module takes the recorded system call behavior of the target container as input and extracts the target container's system call behavioral features, specifically:
Step 3.1: from the recorded system call behavior of the target container, extract the system call types and parameters accessed by the target container, and select the system calls whose parameters are pathnames or discrete values;
Step 3.2: for the system calls selected in step 3.1, model each system call parameter of the same system call type separately, obtaining a parameter model for each;
Step 3.3: extract the variables of each parameter model; cluster the system calls according to these variables, obtaining for each resulting set the feature shared by all system calls in the set, i.e. the behavioral feature.
Step 4: convert all behavioral features of the target container's system calls into a sandbox policy.
The beneficial effects of the present invention are:
(1) No model training is needed in the production phase: the method traverses the normal behavior of the target container in the test phase, extracts the corresponding system call behavioral features and converts them into a sandbox policy; in the production phase the generated sandbox policy is simply enforced to restrict the target container's system call behavior. Compared with anomaly detection methods, this method is more efficient;
(2) Reduced attack surface: executing the method automatically mines and generates a customized sandbox policy based on the target container's functions; the policy satisfies the principle of least privilege and reduces the attack surface by restricting the target container's system call types and parameters, thereby limiting the harm an attacker may cause to the underlying operating system and to other containers on the same host operating system;
(3) Security guarantee of the sandbox policy: enforcing the sandbox policy mined by the method ensures that system call behavior that did not occur in the target container during the test phase cannot occur in the production phase. The test cases that traverse the target container's normal behavior may not cover all of the target container's behaviors, i.e. they are incomplete. Precisely because of this incompleteness, however, it is guaranteed that the test cases cover only a safe subset of the target container's system call behavior, and system call behavior outside that safe subset is forbidden by the sandbox policy.
Description of the drawings
Fig. 1 shows the architecture diagram of the embodiments of the present invention;
Fig. 2 shows the flow chart of the fine-grained sandbox policy mining method of an embodiment of the present invention;
Fig. 3 shows a sample sandbox policy configuration file of an embodiment of the present invention;
Fig. 4 shows the modeled system call parameters and the corresponding parameter models of an embodiment of the present invention;
Fig. 5 shows sample code of a fine-grained sandbox policy.
Detailed description of embodiments
To make the present invention easier for those of ordinary skill in the art to understand and implement, it is described in further detail below with reference to the accompanying drawings and an embodiment. It should be understood that the embodiment is intended only to illustrate and explain the present invention and does not limit its scope.
The present invention proposes a fine-grained sandbox policy mining method for Linux containers. Specifically, the sandbox policy mining method traverses the target container's behavior by automated testing, monitors and records the target container's system call behavior, extracts the target container's system call behavioral features, and generates a fine-grained sandbox policy that restricts the target container's system call access. The fine-grained sandbox policy restricts the system call types and parameters of the Linux container, achieving security hardening of the Linux container.
The method comprises a container behavior monitoring control module, a container automated test module and a sandbox policy generation module, as shown in Fig. 1. The container behavior monitoring control module starts a Linux system monitoring tool and monitors and records the target container's system call behavior in real time; the container automated test module runs the target container's test cases, traversing and exercising the target container's functions; the sandbox policy generation module extracts the target container's system call behavioral features from the recorded monitoring data and converts them into a sandbox policy.
As shown in Fig. 2, the method of the present invention comprises the following steps:
Step 1: start the target container; the container behavior monitoring control module starts the Linux system monitoring tool Sysdig, which monitors and completely records the target container's system call behavior in real time;
Step 2: the container automated test module selects test cases according to the functions of the target container. For example, for web-server-type target containers (such as Nginx and Apache), the test cases can use wget and httperf to send requests to the target container; for database-type target containers (such as Redis and Postgres), the test cases can use the benchmark tools that ship with the databases, redis-benchmark and pgbench.
Then the container automated test module runs the test cases, traversing and exercising the target container's functions;
Meanwhile, the system monitoring tool monitors and completely records, in real time, the target container's system call behavior while each function is executed. For every system call access by the target container it records the timestamp, process id, system call type and parameter list at the system call entry, and the timestamp, process id, system call type and return value at the system call exit.
Step 3: the sandbox policy generation module takes the recorded system call behavior of the target container as input and extracts the target container's system call behavioral features, specifically:
Step 3.1: from the recorded system call behavior of the target container, extract the system call types and parameters accessed by the target container, and select the system calls whose parameters are pathnames or discrete values;
Step 3.2: for the system calls selected in step 3.1, model each system call parameter of the same system call type separately, obtaining a parameter model for each. The modeled system call parameters and the corresponding parameter models are shown in Fig. 4. A preferred modeling approach is as follows. For parameters of the "pathname" category, when a specific pathname occurs with a frequency above a global threshold, the complete pathname is put into the model as the feature value; conversely, when its frequency is below the global threshold, the corresponding directory name is put into the model as the feature value. For parameters of the "discrete value" category, such as flag bits (flag) and open modes (mode), the discrete values that occurred during the automated test are collected to form a finite set.
Step 3.3: extract the variables of each parameter model; cluster the system calls according to these variables, obtaining for each resulting set the feature shared by all system calls in the set, i.e. the behavioral feature.
Step 4: convert all behavioral features of the target container's system calls into a sandbox policy. The sandbox policy can be described by a sandbox policy configuration file in JSON format, as shown in Fig. 3. In a preferred sandbox policy configuration file, the default action (defaultAction) of the sandbox policy is defined as "SCMP_ACT_ERRNO", i.e. when a system call access by the target container matches none of the rules in the sandbox policy, the system call access is forbidden and an error value is returned. Then the sets generated in step 3.3 are converted into the rule section (syscalls) of the sandbox policy; each rule comprises a system call type (name), an operation (action) and a parameter list (args). The optional operations (action) include "SCMP_ACT_ALLOW" and "SCMP_ACT_TRACE": "SCMP_ACT_ALLOW" means the system call access is allowed, and "SCMP_ACT_TRACE" means the system call access is traced. The parameter list (args) comprises the index (index), value (value) and comparison operation (op) of each system call parameter.
To verify the effectiveness of the above fine-grained sandbox policy mining method, the method was applied to mine a sandbox policy for a Docker container running Nginx 1.4.0. The results show that the mined fine-grained sandbox policy can effectively defend against attacks exploiting the CVE-2013-2028 vulnerability. The reason is that the recvfrom rule in the sandbox policy restricts the third parameter of recvfrom system call accesses, denying every system call access by the target container whose third parameter is not equal to 1024, as shown in Fig. 5.
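Steps 3.1 to 4 above and the recvfrom check from the Nginx 1.4.0 verification paragraph, as an added example in Python that is not the patent's own code nor the code behind Fig. 3 to Fig. 5. The trace layout (entry and exit records carrying timestamp, pid, syscall type and parameters), the table of modeled parameters, the global threshold of 2, and all function names are assumptions made for this illustration; the trace itself is constructed. The example builds a Docker-style seccomp profile with defaultAction SCMP_ACT_ERRNO and name/action/args rules, keeps pathname features in a separate allow-list for a tracer (the in-kernel filter cannot dereference pointer arguments, so rules carrying a pathname feature use SCMP_ACT_TRACE), and simulates the filter decision so that a recvfrom whose third argument is not 1024 falls through to the default action.

```python
"""Mine a fine-grained, seccomp-style sandbox policy from a syscall trace.

Added example, not the patent's own code: the trace layout, the table of
modeled parameters, the threshold and all function names are assumptions.
"""
import json
from collections import Counter, defaultdict
from posixpath import dirname

# Step 3.1: which parameters are modeled, per syscall type. Each entry maps a
# parameter name to its category ("path" or "discrete") and its seccomp arg
# index. Assumed table; a real tool would derive it from the syscall ABI.
MODELED = {
    "openat":   {"name": ("path", 1), "flags": ("discrete", 2)},
    "recvfrom": {"size": ("discrete", 2), "flags": ("discrete", 3)},
}
GLOBAL_THRESHOLD = 2  # assumed: keep the full path once it is seen this often

# Constructed trace of a web-server container during an automated test run.
# Assumed layout per line: "<ts> <pid> <dir> <syscall> key=value ...", with
# dir ">" for the entry record (parameters) and "<" for the exit record.
TRACE = """\
1001 42 > openat dirfd=-100 name=/etc/nginx/nginx.conf flags=0
1002 42 < openat res=3
1003 42 > openat dirfd=-100 name=/usr/share/nginx/html/index.html flags=0
1004 42 < openat res=4
1005 42 > openat dirfd=-100 name=/usr/share/nginx/html/index.html flags=0
1006 42 < openat res=4
1007 42 > openat dirfd=-100 name=/usr/share/nginx/html/about.html flags=0
1008 42 < openat res=5
1009 42 > recvfrom fd=6 size=1024 flags=0
1010 42 < recvfrom res=512
1011 42 > recvfrom fd=7 size=1024 flags=0
1012 42 < recvfrom res=300
1013 42 > write fd=1 size=77
1014 42 < write res=77
"""


def parse_entries(trace):
    """Yield (syscall, {param: value}) for every entry record in the trace."""
    for line in trace.splitlines():
        _ts, _pid, direction, name, *kv = line.split()
        if direction != ">":
            continue  # exit records only carry the return value
        yield name, dict(item.split("=", 1) for item in kv)


def path_feature(path, counts):
    """Step 3.2 pathname model: frequent full path, otherwise its directory."""
    return path if counts[path] >= GLOBAL_THRESHOLD else dirname(path)


def mine_policy(trace):
    """Steps 3.2 to 4: parameter models, clustering, seccomp-style rules."""
    entries = list(parse_entries(trace))
    path_counts = Counter(
        params[p] for name, params in entries
        for p, (kind, _) in MODELED.get(name, {}).items() if kind == "path")
    # Step 3.3: syscalls sharing the same feature tuple form one cluster.
    clusters = defaultdict(set)
    for name, params in entries:
        feats = []
        for p, (kind, idx) in MODELED.get(name, {}).items():
            raw = params[p]
            feat = path_feature(raw, path_counts) if kind == "path" else int(raw)
            feats.append((idx, kind, feat))
        clusters[name].add(tuple(sorted(feats)))
    # Step 4: one rule per cluster; anything unmatched hits the default action.
    rules, path_model = [], defaultdict(set)
    for name, featsets in sorted(clusters.items()):
        for feats in sorted(featsets):
            args = [{"index": i, "value": v, "op": "SCMP_CMP_EQ"}
                    for i, kind, v in feats if kind == "discrete"]
            paths = [v for _, kind, v in feats if kind == "path"]
            path_model[name].update(paths)
            # The kernel filter cannot dereference pointer arguments, so a
            # rule with a pathname feature hands the call to a tracer.
            action = "SCMP_ACT_TRACE" if paths else "SCMP_ACT_ALLOW"
            rules.append({"name": name, "action": action, "args": args})
    profile = {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": rules}
    return profile, {k: sorted(v) for k, v in path_model.items()}


def decide(profile, name, args):
    """Simulate the filter: first rule whose args all match wins, else default."""
    for rule in profile["syscalls"]:
        if rule["name"] == name and all(
                args[a["index"]] == a["value"] for a in rule["args"]):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    prof, paths = mine_policy(TRACE)
    print(json.dumps(prof, indent=2))
    print("path allow-list for the tracer:", paths)
    # recvfrom with a buffer size other than 1024 falls through to SCMP_ACT_ERRNO
    print(decide(prof, "recvfrom", [6, 0, 4096, 0]))
```

Running the module prints the profile and the decision for a recvfrom with a 4096-byte buffer. The profile has the shape Docker consumes through `--security-opt seccomp=<file>`, but a deployment built on it would also need the tracer that enforces the pathname allow-list for the SCMP_ACT_TRACE rules, and a larger trace than this one before the directory-versus-full-path threshold says anything meaningful.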

Claims (2)

1. A fine-grained sandbox policy mining method for Linux containers, comprising: a container behavior monitoring control module, a container automated test module and a sandbox policy generation module; the container behavior monitoring control module starts a Linux system monitoring tool and monitors and records the target container's system call behavior in real time; the container automated test module runs the target container's test cases, traversing and exercising the target container's functions; the sandbox policy generation module extracts the target container's system call behavioral features from the recorded monitoring data and converts them into a sandbox policy.
2. The method according to claim 1, characterized in that it comprises the following steps:
Step 1: start the target container; the container behavior monitoring control module starts a Linux system monitoring tool and monitors and completely records the target container's system call behavior in real time;
Step 2: the container automated test module selects test cases according to the functions of the target container, then runs the test cases, traversing and exercising the target container's functions;
Meanwhile, the system monitoring tool monitors and completely records, in real time, the target container's system call behavior while each function is executed. For every system call access by the target container it records the timestamp, process id, system call type and parameter list at the system call entry, and the timestamp, process id, system call type and return value at the system call exit.
Step 3: the sandbox policy generation module takes the recorded system call behavior of the target container as input and extracts the target container's system call behavioral features, specifically:
Step 3.1: from the recorded system call behavior of the target container, extract the system call types and parameters accessed by the target container, and select the system calls whose parameters are pathnames or discrete values;
Step 3.2: for the system calls selected in step 3.1, model each system call parameter of the same system call type separately, obtaining a parameter model for each;
Step 3.3: extract the variables of each parameter model; cluster the system calls according to these variables, obtaining for each resulting set the feature shared by all system calls in the set, i.e. the behavioral feature.
Step 4: convert all behavioral features of the target container's system calls into a sandbox policy.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711483790.3A CN108171050A (en) 2017-12-29 2017-12-29 The fine granularity sandbox strategy method for digging of linux container

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711483790.3A CN108171050A (en) 2017-12-29 2017-12-29 The fine granularity sandbox strategy method for digging of linux container

Publications (1)

Publication Number Publication Date
CN108171050A true CN108171050A (en) 2018-06-15

Family

ID=62516192

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711483790.3A Pending CN108171050A (en) 2017-12-29 2017-12-29 The fine granularity sandbox strategy method for digging of linux container

Country Status (1)

Country Link
CN (1) CN108171050A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109241730A (en) * 2018-09-03 2019-01-18 杭州安恒信息技术股份有限公司 Container risk defense method, device, equipment and readable storage medium
CN109828824A (en) * 2018-12-29 2019-05-31 东软集团股份有限公司 Image security detection method, device, storage medium and electronic equipment
CN110311901A (en) * 2019-06-21 2019-10-08 南京尓嘉网络科技有限公司 Lightweight network sandbox setting method based on container technology
CN110765026A (en) * 2019-10-31 2020-02-07 北京东软望海科技有限公司 Automatic testing method and device, storage medium and equipment
CN111045920A (en) * 2019-10-12 2020-04-21 浙江大学 Workload-aware multi-branch software change-level defect prediction method
CN111090460A (en) * 2019-10-12 2020-05-01 浙江大学 Code change log automatic generation method based on nearest neighbor algorithm
CN111124487A (en) * 2018-11-01 2020-05-08 浙江大学 Code clone detection method and device and electronic equipment
CN111597089A (en) * 2020-05-18 2020-08-28 广州锦行网络科技有限公司 Linux system call event acquisition and caching device and method
CN113221103A (en) * 2021-05-08 2021-08-06 山东英信计算机技术有限公司 Container safety protection method, system and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120180039A1 (en) * 2011-01-11 2012-07-12 International Business Machines Corporation Automated Deployment of Applications with Tenant-Isolation Requirements
CN106030601A (en) * 2014-02-21 2016-10-12 三星电子株式会社 Method and apparatus to sandbox run-time android applications with lightweight container
CN106650446A (en) * 2016-12-26 2017-05-10 北京邮电大学 Identification method and system of malicious program behavior, based on system call
CN106681800A (en) * 2017-01-13 2017-05-17 济南浪潮高新科技投资发展有限公司 Docker-based resource monitoring implementation method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHIYUAN WAN, DAVID LO, XIN XIA, LIANG CAI, SHANPING LI: "Mining Sandboxes for Linux Containers", 2017 IEEE International Conference on Software Testing, Verification and Validation *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109241730A (en) * 2018-09-03 2019-01-18 杭州安恒信息技术股份有限公司 Container risk defense method, device, equipment and readable storage medium
CN109241730B (en) * 2018-09-03 2020-09-29 杭州安恒信息技术股份有限公司 Container risk defense method, device, equipment and readable storage medium
CN111124487A (en) * 2018-11-01 2020-05-08 浙江大学 Code clone detection method and device and electronic equipment
CN109828824A (en) * 2018-12-29 2019-05-31 东软集团股份有限公司 Image security detection method, device, storage medium and electronic equipment
CN110311901A (en) * 2019-06-21 2019-10-08 南京尓嘉网络科技有限公司 Lightweight network sandbox setting method based on container technology
CN110311901B (en) * 2019-06-21 2022-03-08 北京雅客云安全科技有限公司 Lightweight network sandbox setting method based on container technology
CN111045920B (en) * 2019-10-12 2021-05-04 浙江大学 Workload-aware multi-branch software change-level defect prediction method
CN111090460A (en) * 2019-10-12 2020-05-01 浙江大学 Code change log automatic generation method based on nearest neighbor algorithm
CN111045920A (en) * 2019-10-12 2020-04-21 浙江大学 Workload-aware multi-branch software change-level defect prediction method
CN111090460B (en) * 2019-10-12 2021-05-04 浙江大学 Code change log automatic generation method based on nearest neighbor algorithm
CN110765026A (en) * 2019-10-31 2020-02-07 北京东软望海科技有限公司 Automatic testing method and device, storage medium and equipment
CN111597089A (en) * 2020-05-18 2020-08-28 广州锦行网络科技有限公司 Linux system call event acquisition and caching device and method
CN113221103A (en) * 2021-05-08 2021-08-06 山东英信计算机技术有限公司 Container safety protection method, system and medium
CN113221103B (en) * 2021-05-08 2022-09-20 山东英信计算机技术有限公司 Container safety protection method, system and medium

Similar Documents

Publication Publication Date Title
CN108171050A (en) The fine granularity sandbox strategy method for digging of linux container
US10977370B2 (en) Method of remediating operations performed by a program and system thereof
CN103593608B (en) System and method for detecting malicious code executed by a virtual machine
CN102667712B (en) System, method and apparatus for simultaneous definition and enforcement of access-control and integrity policies
US9736182B1 (en) Context-aware compromise assessment
CN103065088B (en) System and method for detecting computer security threats based on verdicts of computer users
EP3885951B1 (en) Method of remediating operations performed by a program and system thereof
CN112685737A (en) APP detection method, device, equipment and storage medium
CN104283889A (en) Electric power system interior APT attack detection and pre-warning system based on network architecture
CN112632135A (en) Big data platform
CN107004086A (en) Security information and incident management
KR100853721B1 (en) Method for real-time integrity check and audit trail connected with the security kernel
CN110033174A (en) Method for building an efficient industrial information security system
CN117592989B (en) Payment information security management method and system based on blockchain
CN101873318A (en) Application and data security method aiming at application system on application basis supporting platform
CN111489166A (en) Risk prevention and control method, device, processing equipment and system
CN109388949B (en) Data security centralized management and control method and system
CN111262875B (en) Server safety monitoring method, device, system and storage medium
JP2019219898A (en) Security countermeasures investigation tool
CN105825130B (en) Information security early-warning method and device
CN113886814A (en) Attack detection method and related device
Zegzhda et al. Detecting Android application malicious behaviors based on the analysis of control flows and data flows
CN113591096A (en) Vulnerability scanning system for comprehensively detecting big data bugs and unsafe configurations
Ghorbanian et al. Signature-based hybrid Intrusion detection system (HIDS) for android devices
Macak et al. Scenarios for process-aware insider attack detection in manufacturing

Legal Events

Date Code Title Description
2018-06-15 PB01 Publication Application publication date: 20180615
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication