CN112395617A - Method and device for protecting docker escape vulnerability, storage medium and computer equipment - Google Patents


Info

Publication number: CN112395617A
Authority: CN (China)
Prior art keywords: call stack, docker, rule corresponding, container, docker process
Legal status: Pending
Application number: CN201910755461.2A
Other languages: Chinese (zh)
Inventors: 陈俊儒, 谢文聪
Current Assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals

Abstract

The invention discloses a method, a device, a storage medium and computer equipment for protecting against a docker escape vulnerability. It relates to the field of information technology and mainly aims to prevent an attack on a container that exploits a docker container escape vulnerability from extending its impact to the host, thereby preserving the isolation between the container and the host and improving the security of the host operating system. The method comprises the following steps: acquiring the call stack information corresponding to the docker process operating on a container object; judging whether the call stack rule corresponding to that call stack information matches the preset call stack rule corresponding to the docker process; if so, allowing the docker process to execute the system call; and if not, intercepting the system call of the docker process. The method is suitable for protecting against docker escape vulnerabilities.

Description

Method and device for protecting docker escape vulnerability, storage medium and computer equipment
Technical Field
The invention relates to the technical field of information, in particular to a method and a device for protecting a docker escape vulnerability, a storage medium and computer equipment.
Background
A container is a virtualization technology applied at the operating-system level. It isolates the applications running on the operating system so that each application has its own running space and resources and the applications do not affect one another. Docker is a specific implementation and application of this virtualization technology. Docker isolation mainly relies on the namespaces of the operating system: different containers have different namespaces.
At present, when a container is operated, the operation objects of the docker process are all within the namespace to which the container belongs. However, if the container has an exploitable escape vulnerability, then when an attacker exploits an application vulnerability to attack the container, the operation objects of the container process extend to the operating system space, so that the impact of the attack spreads to the host and even to other containers. The isolation between the container and the host is thereby broken, and the security of the host operating system is compromised.
Disclosure of Invention
The invention provides a method, a device, a storage medium and computer equipment for protecting against a docker escape vulnerability, which are mainly used to prevent an attack on a container that exploits a docker container escape vulnerability from extending its impact to the host, thereby preserving the isolation between the container and the host and improving the security of the host operating system.
According to a first aspect of the present invention, a method for protecting a docker escape vulnerability is provided, which includes:
acquiring the call stack information corresponding to the docker process operating on a container object;
judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process;
if so, allowing the docker process to execute the system call;
and if not, intercepting the system call of the docker process.
According to a second aspect of the present invention, there is provided an apparatus for protecting a docker escape vulnerability, comprising:
the acquiring unit is used for acquiring the call stack information corresponding to the docker process operating on a container object;
the matching unit is used for judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process;
the execution unit is used for allowing the docker process to execute the system call if the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process;
and the intercepting unit is used for intercepting the system call of the docker process if the call stack rule corresponding to the call stack information does not match the preset call stack rule corresponding to the docker process.
According to a third aspect of the present invention, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
acquiring the call stack information corresponding to the docker process operating on a container object;
judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process;
if so, allowing the docker process to execute the system call;
and if not, intercepting the system call of the docker process.
According to a fourth aspect of the present invention, there is provided a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the program:
acquiring the call stack information corresponding to the docker process operating on a container object;
judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process;
if so, allowing the docker process to execute the system call;
and if not, intercepting the system call of the docker process.
Compared with the prior art, in which an attacker who attacks a container through an application vulnerability extends the operation object of the container process from the container to the operating system space, the method, device, storage medium and computer equipment for protecting against a docker escape vulnerability provided by the invention acquire the call stack information corresponding to the docker process operating on a container object; judge whether the call stack rule corresponding to that call stack information matches the preset call stack rule corresponding to the docker process; if so, allow the docker process to execute the system call; and if not, intercept the system call of the docker process. This prevents an attack on the container through an application vulnerability from extending its impact to the host, preserves the isolation between the container and the host, and improves the security of the host operating system.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 shows a flowchart of a method for protecting a docker escape vulnerability, provided by an embodiment of the present invention;
fig. 2 shows a flowchart of another method for protecting a docker escape vulnerability, provided by the embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating a device for protecting a docker escape vulnerability according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram illustrating another apparatus for protecting a docker escape vulnerability according to an embodiment of the present invention;
fig. 5 shows a physical structure diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The invention will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
As described in the background, at present, when a container is operated, the operation objects of the docker process are all within the namespace to which the container belongs. However, if the container has an exploitable escape vulnerability, then when an attacker attacks the container through an application vulnerability, the operation objects of the container process extend to the operating system space, spreading the impact of the attack to the host and even to other containers, breaking the isolation between the container and the host, and thus compromising the security of the host operating system.
In order to solve the above problem, an embodiment of the present invention provides a method for protecting a docker escape vulnerability, where as shown in fig. 1, the method includes:
101. Acquiring the call stack information corresponding to the docker process operating on a container object.
In order to give each application an independent running space and resources and to keep applications independent of one another, applications are isolated in docker containers. Docker implements container isolation mainly through the namespaces of the operating system: different containers have different namespaces, and the namespace of a container differs from the namespace of the host. Under normal conditions, when a container is operated, the operation objects of the docker process are all within the namespace to which the container belongs; for example, when a process is created or a file is read or written inside the container, the corresponding create-process or read-write-file operation of the docker process takes place within the container's namespace. Under an attack that exploits a container escape vulnerability, however, the operation object of the docker process extends to the operating system space, so the call stack information of the docker process when its operation object is inside the container differs from the call stack information when its operation object has extended to the operating system space. Accordingly, a preset capture module is injected into the process that provides services for the container in order to monitor the docker process; a preset hook function intercepts the system call corresponding to the docker process; and a preset stack backtracing function backtraces the stack of that system call to obtain the call stack information corresponding to the docker process.
102. Judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process. If so, go to step 103; if not, go to step 104.
For example, a website service is provided in the container. When a user logs in, views a post or posts from a client, the process behaviour of the website provided by the back-end service container takes place within the container environment; once the container is attacked, the operations of the container process can escape to the host operating system and the isolation between the container and the host is broken. In particular, when a website service or other service is provided in the container, various operation requests are received during operation, and these requests trigger the service process in the container to execute various operations. At that moment the behaviour of the docker process operating on the container object is monitored and the call stack information corresponding to the docker process is obtained; the call rule of that call stack information is then matched against the preset call rule corresponding to the docker process. If it matches, the docker process is allowed to execute the system call; if not, the system call corresponding to the docker process is intercepted.
For example, when an operation request triggers the service process in the container to execute a read-write file operation, the behaviour of the docker process operating on the container object is monitored, the call stack information corresponding to the docker process at that moment is acquired, and the call stack rule corresponding to that call stack information is matched against the preset call stack rule for the docker process performing a read-write file operation in the container space. If the call stack rule matches the preset call stack rule, the container's read-write file operation shows no sign of an escape vulnerability, and the docker process is allowed to execute the system call; if it does not match, an escape vulnerability is present in the container's read-write file operation, and the system call corresponding to the docker process is intercepted.
103. Allowing the docker process to execute a system call.
For example, when an operation request triggers the service process in the container to execute a create-process operation, the behaviour of the docker process operating on the container object is monitored, the call stack information corresponding to the docker process at that moment is acquired, and the call stack rule corresponding to that call stack information is matched against the preset call stack rule for the docker process creating a process in the container space. If the call stack rule matches the preset call stack rule, the container's create-process operation shows no sign of an escape vulnerability, and the docker process is allowed to execute the system call; if it does not match, an escape vulnerability is present in the container's create-process operation, and the system call corresponding to the docker process is intercepted.
104. Intercepting the system call of the docker process.
Compared with the prior art, in which an attacker who attacks a container through an application vulnerability extends the operation object of the container process from the container to the operating system space, the method for protecting against a docker escape vulnerability provided by the embodiment of the invention acquires the call stack information corresponding to the docker process operating on a container object; judges whether the call stack rule corresponding to that call stack information matches the preset call stack rule corresponding to the docker process; if so, allows the docker process to execute the system call; and if not, intercepts the system call of the docker process. This prevents an attack on the container through an application vulnerability from extending its impact to the host, preserves the isolation between the container and the host, and improves the security of the host operating system.
Further, in order to better describe the protection of the docker process escape vulnerability, as a refinement and an extension of the above embodiment, an embodiment of the present invention provides another method for protecting the docker escape vulnerability, as shown in fig. 2, where the method includes:
201. Respectively acquiring the call stack information of the various operations executed by the docker process in the container.
In the embodiment of the invention, the service in the container receives various operation requests while running, and these requests trigger the service process in the container to execute various operations. Docker provides the basic environment for these operations, and the docker process confines operations originating from the container to the container's namespace; if some operation causes the docker process to operate outside that namespace, an escape attack is considered to have occurred and the system call of the docker process is intercepted. Specifically, the behaviour of the docker process while the service process in the container executes various operations under normal conditions is monitored, and the call stack information of the docker process for those operations is obtained; that is, the call stack information corresponding to the various operations executed by the docker process when no escape vulnerability exists is collected, and the preset call stack rules for the docker process executing those operations are set from it. When the service process in the container is subsequently monitored executing an operation, if the call rule of the docker process's call stack information is inconsistent with the preset call stack rule of the docker process, the container is determined to be under attack and the docker process has an escape vulnerability.
202. Determining the preset call stack rules corresponding to the docker process executing the various operations in the container, according to the call stack information of the docker process executing those operations in the container.
In the embodiment of the invention, in order to determine the preset call stack rule corresponding to the docker process executing each operation in the container, step 202 specifically includes: determining, from the call stack information of the docker process executing each operation in the container, the system function sequence corresponding to that operation; and determining the preset call stack rule corresponding to each operation from that system function sequence. Further, determining the preset call stack rule from the system function sequence includes: determining, from the system function sequence, the call order of the system functions when the docker process executes each operation in the container; and determining the preset call stack rule corresponding to each operation from that call order of the system functions.
For example, the behaviour of docker operating on a container object is monitored while the service process in the container executes read-write file operations and create-process operations under normal conditions, and the call stack information corresponding to the docker process's read-write file operation and to its create-process operation is acquired when no escape vulnerability exists. The call stack information corresponding to the docker process's read-write file operation is the system function sequence called by the docker process for that operation in the container; the sequence comprises the functions the docker process must call to perform a file read-write operation in the container and the call order among those functions. From the system functions called by the docker process during a file read-write operation in the container and their call order, the preset call stack rule corresponding to the docker process's file read-write operation when no escape vulnerability exists is determined; the preset call stack rule corresponding to the docker process's create-process operation is determined in the same way. The preset call stack rules corresponding to the various operations of the docker process in the absence of an escape vulnerability are thus determined, and these rules are used to detect whether an escape vulnerability occurs when the docker process subsequently executes those operations, so as to preserve the isolation between the container and the host operating system.
203. Acquiring the call stack information corresponding to the docker process operating on a container object.
In the embodiment of the invention, when the service process in the container executes an operation such as reading or writing a file or creating a process, the behaviour of the docker process operating on the container object is monitored and the call stack information of docker executing the corresponding operation is obtained, so that this call stack information can be matched against the preset call stack information of the docker process executing that operation.
204. Judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process. If so, go to step 205; if not, go to step 206.
In the embodiment of the invention, in order to determine whether the docker process has an escape vulnerability, step 204 specifically includes: judging whether the system function called by the docker process when executing the specific operation is present in the call stack information; if so, determining that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process; and if not, determining that the call stack rule corresponding to the call stack information does not match the preset call stack rule corresponding to the docker process. Further, before determining that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process, the method further includes: judging whether the call order of the system functions in the call stack information conforms to the preset call order; if not, determining that the call stack rule corresponding to the call stack information does not match the preset call stack rule corresponding to the docker process; and if so, determining that it matches.
In addition, before determining that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process, the method further includes: judging whether the stack position of the system function in the call stack information conforms to the preset stack position; if not, determining that the call stack rule corresponding to the call stack information does not match the preset call stack rule corresponding to the docker process; and if so, determining that it matches. For example, when the service process in the container executes a create-process operation, the behaviour of the docker process operating on the container object is monitored, the call stack information corresponding to the docker process creating the process is acquired, and the call rule corresponding to that call stack information is matched against the preset call rule for the docker process creating a process. If the function sequence of the call stack information contains the system function corresponding to the docker process executing the create-process operation in the container space, the monitored docker process is determined to conform to the preset call stack rule; if it does not, the monitored docker process is determined not to conform to the preset call stack rule, and an escape vulnerability is considered to have occurred while the docker process executed the create-process operation. It is further judged whether the order in which the docker process calls the system functions when executing the create-process operation conforms to the preset call order; if so, the monitored docker process is determined to conform to the preset call stack rule, and if not, it is determined not to conform.
Further, if the call stack information corresponding to the docker process executing the create-process operation conforms to the preset call stack rule, the docker process is allowed to execute the system call; and if it does not conform to the preset call stack rule, the system call of the docker process is intercepted.
205. Allowing the docker process to execute a system call.
206. Intercepting the system call of the docker process.
Compared with the prior art, in which an attacker who attacks a container through an application vulnerability extends the operation object of the container process from the container to the operating system space, the method for protecting against a docker escape vulnerability provided by the embodiment of the invention acquires the call stack information corresponding to the docker process operating on a container object; judges whether the call stack rule corresponding to that call stack information matches the preset call stack rule corresponding to the docker process; if so, allows the docker process to execute the system call; and if not, intercepts the system call of the docker process. This prevents an attack on the container through an application vulnerability from extending its impact to the host, preserves the isolation between the container and the host, and improves the security of the host operating system.
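As an added illustration that is not code from the patent or its assignee, the following Python models the rule construction of step 202 and the three-part match of step 204 (required system function present, call order conforms, stack position conforms) over constructed call stacks; the frame names, the `learn_rule`/`match_rule` helpers and the 'allow'/'intercept' decision strings are assumptions, not anything the patent specifies.

```python
"""Call-stack rule learning (step 202) and matching (step 204), modelled on the
patent's description. Frame names below are constructed for illustration and
are not taken from a real kernel backtrace."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class CallStackRule:
    """Preset rule for one operation: the system functions that must appear,
    their call order (outermost frame first) and, where stable across the
    baseline captures, their stack position (0 = innermost frame)."""
    operation: str
    required: FrozenSet[str]
    sequence: Tuple[str, ...]
    position: Dict[str, int]


def _positions(stack: List[str]) -> Dict[str, int]:
    """Map each frame to its stack position counted from the innermost frame.
    Frames are assumed to be unique within one backtrace."""
    n = len(stack)
    return {func: n - 1 - i for i, func in enumerate(stack)}


def learn_rule(operation: str, baselines: List[List[str]]) -> CallStackRule:
    """Step 202: derive the preset rule from call stacks captured while the
    containerised service performed `operation` under normal conditions."""
    if not baselines:
        raise ValueError("at least one baseline call stack is needed")
    # Required functions are those present in every normal capture.
    required = frozenset.intersection(*(frozenset(s) for s in baselines))
    sequence = tuple(f for f in baselines[0] if f in required)
    for stack in baselines[1:]:
        if tuple(f for f in stack if f in required) != sequence:
            raise ValueError("baseline captures disagree on call order")
    # Keep a stack position only if every baseline capture agrees on it.
    position = {}
    for func in required:
        seen = {_positions(s)[func] for s in baselines}
        if len(seen) == 1:
            position[func] = seen.pop()
    return CallStackRule(operation, required, sequence, position)


def match_rule(rule: CallStackRule, stack: List[str]) -> Tuple[str, str]:
    """Step 204: return ('allow' | 'intercept', reason) for a captured stack."""
    missing = rule.required - set(stack)
    if missing:  # check 1: is the required system function present?
        return "intercept", f"missing system function(s): {sorted(missing)}"
    observed = tuple(f for f in stack if f in rule.required)
    if observed != rule.sequence:  # check 2: does the call order conform?
        return "intercept", f"call order {observed} differs from preset {rule.sequence}"
    pos = _positions(stack)
    for func, expected in rule.position.items():  # check 3: stack position?
        if pos[func] != expected:
            return "intercept", f"{func} at stack position {pos[func]}, preset {expected}"
    return "allow", "call stack matches preset rule"


# Constructed baseline captures of a read-write file operation; the second one
# carries an extra helper frame, so only the two innermost positions are stable.
WRITE_BASELINES = [
    ["syscall_entry", "sys_write", "vfs_write", "overlay_write", "disk_write"],
    ["syscall_entry", "sys_write", "vfs_write", "fs_helper", "overlay_write", "disk_write"],
]
WRITE_RULE = learn_rule("read_write_file", WRITE_BASELINES)


def decide(stack: List[str]) -> str:
    """Decision only, for a stack captured at the hooked system call."""
    return match_rule(WRITE_RULE, stack)[0]


if __name__ == "__main__":
    for s in (WRITE_BASELINES[0],
              ["syscall_entry", "sys_write", "vfs_write", "disk_write"]):
        print(decide(s), "-", match_rule(WRITE_RULE, s)[1])
```

A stack that lacks a required frame, reorders frames, or shifts their stack positions is intercepted, which is the behaviour the patent attributes to a docker process whose operation object has left the container namespace.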
Further, as a specific implementation of fig. 1, an embodiment of the present invention provides a device for protecting a docker escape vulnerability, and as shown in fig. 3, the device includes: an acquisition unit 31, a matching unit 32, an execution unit 33 and an interception unit 34.
The obtaining unit 31 may be configured to obtain call stack information corresponding to the docker process operation container object. The obtaining unit 31 is a main function module in the device for obtaining call stack information corresponding to a docker process operation container object.
The matching unit 32 may be configured to determine whether a call stack rule corresponding to the call stack information matches a preset call stack rule corresponding to the docker process. The matching unit 32 is a main function module in the device that determines whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process, and is also a core module.
The execution unit 33 may be configured to allow the docker process to execute the system call if the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process. The execution unit 33 is a main function module that allows the docker process to execute a system call if the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process in the present device.
The intercepting unit 34 may be configured to intercept the system call of the docker process if the call stack rule corresponding to the call stack information is not matched with the preset call stack rule corresponding to the docker process. The intercepting unit 34 is a main function module that intercepts a system call of the docker process if a call stack rule corresponding to the call stack information is not matched with a preset call stack rule corresponding to the docker process in the present apparatus.
For the embodiment of the present invention, in order to determine whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process, the matching unit 32 includes a judging module 321 and a determining module 322.
The judging module 321 may be configured to judge whether the system function called by the docker process when executing a specific operation exists in the call stack information.
The determining module 322 may be configured to determine that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process if the system function called by the docker process when executing the specific operation exists in the call stack information.
The determining module 322 may be further configured to determine that the call stack rule corresponding to the call stack information does not match the preset call stack rule corresponding to the docker process if the system function called by the docker process when executing the specific operation does not exist in the call stack information.
Further, in order to check the calling sequence of the system functions, the judging module 321 may be further configured to judge whether the calling sequence of the system functions in the call stack information conforms to a preset calling sequence.
The determining module 322 may be further configured to determine that the call stack rule corresponding to the call stack information does not match the preset call stack rule corresponding to the docker process if the calling sequence of the system functions in the call stack information does not conform to the preset calling sequence.
The determining module 322 may be further configured to determine that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process if the calling sequence of the system functions in the call stack information conforms to the preset calling sequence.
In addition, in order to check the stack position of the system functions, the judging module 321 may be further configured to judge whether the stack position of the system functions in the call stack information conforms to a preset stack position.
The determining module 322 may be further configured to determine that the call stack rule corresponding to the call stack information does not match the preset call stack rule corresponding to the docker process if the stack position of the system functions in the call stack information does not conform to the preset stack position.
The determining module 322 may be further configured to determine that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process if the stack position of the system functions in the call stack information conforms to the preset stack position.
In a specific application scenario, in order to determine the preset call stack rules corresponding to the various operations executed by the docker process in the container, the apparatus further includes a determining unit 35.
The obtaining unit 31 may be further configured to obtain, respectively, the call stack information of the docker process executing each of the various operations in the container.
The determining unit 35 may be configured to determine, according to the call stack information of the docker process executing the various operations in the container, the preset call stack rule corresponding to each of those operations.
Further, the determining unit 35 includes a first determining module and a second determining module. The first determining module may be configured to determine, according to the call stack information of the various operations executed by the docker process in the container, the system function sequence corresponding to each of those operations.
The second determining module may be configured to determine, according to the system function sequence corresponding to each operation executed by the docker process in the container, the preset call stack rule corresponding to that operation.
In addition, the second determining module may be specifically configured to determine, according to the system function sequence corresponding to each operation executed by the docker process in the container, the calling sequence of the system functions when the docker process executes that operation, and to determine the preset call stack rule corresponding to that operation according to this calling sequence.
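As an added illustration of the matching unit's three checks (presence of the system functions, their calling sequence, and their stack position) and of the determining unit's rule-learning step, the following Python is not the patent's own code: the frame names and sample call stacks are constructed, and the rule representation (function tuple plus position map) is an assumption.

```python
from dataclasses import dataclass

# Frames are listed innermost first. The names below are constructed sample
# data, not frames captured from a real docker process.
SAMPLE_STACKS = [  # call stacks recorded while docker opened a file in a container
    ["openat", "open_container_file", "runc_exec", "dockerd_api"],
    ["openat", "open_container_file", "runc_exec", "dockerd_cli"],
]

@dataclass(frozen=True)
class CallStackRule:
    """Preset call stack rule (assumed representation): the system functions the
    operation must call, in calling sequence (innermost first), and the stack
    position each of them must occupy."""
    operation: str
    functions: tuple
    positions: dict

def learn_rule(operation, sample_stacks):
    """Determining unit: derive the preset rule for one operation from the call
    stacks observed while the docker process performed it. Only frames that sit
    at the same position with the same name in every sample become part of the
    rule; their order in the stack is the preset calling sequence."""
    if not sample_stacks:
        raise ValueError("need at least one sample call stack")
    first = sample_stacks[0]
    common = [(pos, fn) for pos, fn in enumerate(first)
              if all(pos < len(s) and s[pos] == fn for s in sample_stacks[1:])]
    return CallStackRule(operation,
                         tuple(fn for _, fn in common),
                         {fn: pos for pos, fn in common})

def matches_rule(stack, rule):
    """Matching unit: the three checks described above. Returns (ok, reason)."""
    # 1. every system function the operation is expected to call must be present
    missing = [fn for fn in rule.functions if fn not in stack]
    if missing:
        return False, f"missing system function(s) {missing}"
    # 2. those functions must appear in the preset calling sequence
    observed = [fn for fn in stack if fn in rule.functions]
    if observed != list(rule.functions):
        return False, f"calling sequence {observed} differs from preset"
    # 3. each function must sit at its preset stack position (an extra frame
    #    between expected ones shifts the outer frames and fails this check)
    for fn, pos in rule.positions.items():
        if stack.index(fn) != pos:
            return False, f"{fn} at frame {stack.index(fn)}, preset position {pos}"
    return True, "call stack matches preset rule"

def decide(stack, rule):
    """Execution unit / interception unit: allow the system call or intercept it."""
    return "allow" if matches_rule(stack, rule)[0] else "intercept"

def demo():
    """Run the checks on constructed stacks; returns the decision per case."""
    rule = learn_rule("open_container_file", SAMPLE_STACKS)
    cases = {
        "legitimate":     ["openat", "open_container_file", "runc_exec", "dockerd_api"],
        "missing_frame":  ["openat", "runc_exec", "dockerd_api"],
        "wrong_order":    ["open_container_file", "openat", "runc_exec", "dockerd_api"],
        "shifted_frames": ["openat", "open_container_file", "extra_frame",
                           "runc_exec", "dockerd_api"],
    }
    return {name: decide(stack, rule) for name, stack in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```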
It should be noted that further descriptions of the functional modules of the apparatus for protecting against a docker escape vulnerability provided in the embodiment of the present invention may refer to the corresponding descriptions of the method shown in fig. 1, and are not repeated here.
Based on the method shown in fig. 1, correspondingly, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the following steps: acquiring the call stack information corresponding to the docker process operating on a container object; judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process; if so, allowing the docker process to execute the system call; and if not, intercepting the system call of the docker process.
Based on the above embodiments of the method shown in fig. 1 and the apparatus shown in fig. 3, an embodiment of the present invention further provides an entity structure diagram of a computer device, as shown in fig. 5. The computer device includes a processor 41, a memory 42, and a computer program stored on the memory 42 and executable on the processor, where the memory 42 and the processor 41 are both arranged on a bus 43, such that when the processor 41 executes the program, the following steps are performed: acquiring the call stack information corresponding to the docker process operating on a container object; judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process; if so, allowing the docker process to execute the system call; and if not, intercepting the system call of the docker process.
By the above technical scheme, the call stack information corresponding to the docker process operating on a container object is obtained; it is then judged whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process; if so, the docker process is allowed to execute the system call; if not, the system call of the docker process is intercepted. This prevents an application vulnerability from being used to attack the container and stops the effect of such an attack from spreading to the host, thereby maintaining the isolation between the container and the host and improving the security of the host operating system.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that described herein, or they may be separately fabricated as individual integrated circuit modules, or several of them may be fabricated as a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for protecting against a docker escape vulnerability, characterized by comprising the following steps:
acquiring call stack information corresponding to the docker process operating on a container object;
judging whether a call stack rule corresponding to the call stack information matches a preset call stack rule corresponding to the docker process;
if so, allowing the docker process to execute the system call;
and if not, intercepting the system call of the docker process.
2. The method according to claim 1, wherein the judging whether the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process comprises:
judging whether a system function called by the docker process when executing a specific operation exists in the call stack information;
if so, determining that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process;
and if not, determining that the call stack rule corresponding to the call stack information does not match the preset call stack rule corresponding to the docker process.
3. The method according to claim 2, wherein before the determining that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process, the method further comprises:
judging whether the calling sequence of the system function in the calling stack information accords with a preset calling sequence or not;
if not, determining that the call stack rule corresponding to the call stack information is not matched with the preset call stack rule corresponding to the docker process;
the determining that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process includes:
and if so, determining that the call stack rule corresponding to the call stack information is matched with the preset call stack rule corresponding to the docker process.
4. The method according to claim 2, wherein before the determining that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process, the method further comprises:
judging whether the stack position of the system function in the call stack information accords with a preset stack position or not;
if not, determining that the call stack rule corresponding to the call stack information is not matched with the preset call stack rule corresponding to the docker process;
the determining that the call stack rule corresponding to the call stack information matches the preset call stack rule corresponding to the docker process includes:
and if so, determining that the call stack rule corresponding to the call stack information is matched with the preset call stack rule corresponding to the docker process.
5. The method according to claim 1, wherein before the acquiring call stack information corresponding to the docker process operating on a container object, the method further comprises:
acquiring, respectively, call stack information of the docker process executing various operations in the container;
and determining preset call stack rules corresponding to the docker process executing the various operations in the container according to the call stack information of the docker process executing the various operations in the container.
6. The method according to claim 5, wherein the determining, according to the call stack information of the docker process executing various operations in the container, a preset call stack rule corresponding to the docker process executing various operations in the container includes:
determining a system function sequence corresponding to the execution of various operations of the docker process in the container according to call stack information of the docker process in the container for executing various operations;
and determining a preset call stack rule corresponding to the execution of various operations by the docker process in the container according to the system function sequence corresponding to the execution of various operations by the docker process in the container.
7. The method according to claim 6, wherein the determining, according to the system function sequence corresponding to the docker process executing various operations in the container, the preset call stack rule corresponding to the docker process executing various operations in the container includes:
determining the calling sequence of the system functions when the docker process executes various operations in the container according to the system function sequence corresponding to the docker process executing various operations in the container;
and determining the preset call stack rule corresponding to the docker process executing various operations in the container according to the calling sequence of the system functions when the docker process executes various operations in the container.
8. A device for protecting against a docker escape vulnerability, comprising:
an acquiring unit, configured to acquire call stack information corresponding to the docker process operating on a container object;
the matching unit is used for judging whether the call stack rule corresponding to the call stack information is matched with the preset call stack rule corresponding to the docker process;
the execution unit is used for allowing the docker process to execute system calling if a call stack rule corresponding to the call stack information is matched with a preset call stack rule corresponding to the docker process;
and the intercepting unit is used for intercepting the system call of the docker process if the call stack rule corresponding to the call stack information is not matched with the preset call stack rule corresponding to the docker process.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 7 when executed by the processor.
CN201910755461.2A 2019-08-15 2019-08-15 Method and device for protecting docker escape vulnerability, storage medium and computer equipment Pending CN112395617A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910755461.2A CN112395617A (en) 2019-08-15 2019-08-15 Method and device for protecting docker escape vulnerability, storage medium and computer equipment

Publications (1)

Publication Number Publication Date
CN112395617A true CN112395617A (en) 2021-02-23
