CN114020411A - Image system security analysis method and system


Info

Publication number
CN114020411A
Authority
CN
China
Prior art keywords
information
image
operating system
vulnerability
specific operating
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111293938.3A
Other languages
Chinese (zh)
Inventor
陈苏毅
陈灵锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Antiy Technology Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a security analysis method and system for the operating system contained in a container image (the "image system"), comprising the following steps: extracting image information and generating an image file directory; analysing the files in the image according to that directory and extracting feature information; comparing the feature information with the feature rules in an operating-system feature library to obtain the specific operating-system information contained in the image; scanning and analysing the files in the image file directory according to that operating-system information and an operating-system-specific scanning strategy; and generating a formatted analysis report according to a format rule. In practice, when large-scale container image security scans must be executed automatically and periodically after a container image registry has been deployed, the method provides efficient and accurate data for analysis. The formatted analysis report it finally produces is for developers or users to consult and makes targeted improvement of the image straightforward.

Description

Image system security analysis method and system
Technical Field
The invention relates to the technical field of information security, and in particular to a security analysis method and system for the operating system contained in a container image.
Background
A container is a lightweight, portable, self-contained software packaging technique that lets an application run in the same way almost anywhere. A container also carries a minimal operating-system userland: all the code required to run a given piece of software, together with its runtime dependencies and configuration files. The image is the basis from which a container runs; it is essentially a file system packaged as a stack of layers, plus metadata describing the image. The image consists of several file-system layers: each layer adds files or configuration on top of a base image, a read-write layer is placed on top of the image layers when the container starts, every modification goes into that read-write layer, and the read-only layers beneath it can be shared and reused to build other images.
With the evolution of software development architecture, container technology has become an important supporting technology for DevOps, microservices and similar fields, thanks to its light weight, agility, easy scaling and strong community support. A container packages everything the application needs to run, including its configuration files; the packaged container runs in different environments, and different services do not affect one another. For these reasons, containerised deployment has become the most popular way to run production workloads. The images developers use come partly from the official organisations behind the corresponding software and partly from third parties or even individuals. Introducing such images brings potential security risks, and a means of security inspection for container images has become an urgent research problem.
Disclosure of Invention
In view of the above, the present invention provides a method and system for analysing the security of the operating system contained in a container image. It extracts and analyses the image's files to obtain the operating-system information, configuration files and system component information in the image, supplies a basis for version-number comparison rules, analyses the image's security on that basis, and finally generates a formatted analysis report for developers or users, thereby at least partially solving the problems in the prior art.
The specific content of the invention is as follows:
A security analysis method for an image system, comprising the following steps:
extracting image information and generating an image file directory;
analysing the files in the image according to the image file directory and extracting feature information;
comparing the feature information with the feature rules in an operating-system feature library to obtain the specific operating-system information contained in the image; this step checks, according to each operating system's feature rule, whether the feature file exists in the image file directory and whether its content satisfies the rule, integrates the results, and determines which supported operating-system release (Debian family, Red Hat family, Alpine, Photon OS and so on) the image contains;
scanning and analysing the files contained in the image file directory according to the specific operating-system information and an operating-system-specific scanning strategy;
and generating a formatted analysis report according to a format rule.
In practice, when large-scale container image security scans must be executed automatically and periodically after a container image registry has been deployed, the method and system provide efficient and accurate data for analysis. Data is collected and analysed through the image file directory: the image is unpacked into a temporary working directory, and the scanning program collects and analyses the data in that working directory according to the corresponding feature library and scanning rules. Because the image holds a complete operating system, with all software runtime environments and configuration files, the purpose of constructing the image file directory is that, once the full file paths exist, the rules can query specified paths directly instead of traversing every file, which improves efficiency. The operating system is identified by checking the presence and integrity of its feature configuration files; developers and users who have not built a specially customised operating system neither need to nor normally do modify these base configuration files, so the operating system contained in the image can be identified this way. One caveat: an image built from scratch, or one whose author has removed these files, matches no rule and should be reported as an unidentified operating system rather than silently skipped.
Further, extracting the image information and generating the image file directory specifically includes:
extracting the image information and judging whether a storage driver is available; if so, constructing the image file directory from the storage driver; otherwise, writing the files of each layer of the image into the image file directory in sequence according to their add, delete and modify marks. The process has two steps:
first, the scanning algorithm works on top of Docker itself: it obtains execute permission for Docker on the server, then calls the Docker daemon API to query the inspect information of the target image, obtaining its hash, storage driver, layers and other fields, which together constitute the image information;
second, judging whether a storage driver is available and, if so, constructing the image file directory from it. For example, if the storage driver is overlay2 and the overlay2 directories exist, the target image can be mounted from LowerDir, UpperDir and WorkDir to give a file directory identical to the one the image sees when it runs. The directory check matters: with Docker for Windows, the inspect information of a container image reports the storage driver as overlay2, but the Docker data lives in a volume and does not actually exist in a host directory. Otherwise, the files of each layer in the image archive are merged into the working directory in sequence according to their add, delete and modify marks.
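The two directory-construction paths described above, as an added example that is not the patent's code: `overlay2_layer_dirs` reads the storage-driver fields from a `docker image inspect` document, `choose_strategy` falls back to layer merging when those directories are not visible where the scanner runs (the Docker for Windows case), and `merge_layers` applies the OCI whiteout marks that encode deletions (`.wh.name` removes a lower entry, `.wh..wh..opq` hides a whole lower directory) in layer order. The inspect excerpt and the layer contents are constructed, and the layers are modelled as path-to-content maps rather than tar archives.

```python
"""Build the image's working directory the two ways the patent describes:
from the overlay2 storage-driver directories when they are visible to the
scanner, otherwise by merging the layers in order with their add/delete
marks.  Added example (not the patent's code); the inspect document and the
layer contents below are constructed.
"""
from __future__ import annotations

import os

WHITEOUT_PREFIX = ".wh."        # OCI whiteout: removes the named entry from lower layers
OPAQUE_MARKER = ".wh..wh..opq"  # OCI opaque whiteout: hides the whole lower directory


def overlay2_layer_dirs(inspect_doc: dict) -> list[str] | None:
    """Return the storage-driver directories ordered base-first, or None if
    the image is not stored with overlay2.  Docker lists LowerDir with the
    top-most layer first, so the list is reversed before UpperDir is added."""
    graph = inspect_doc.get("GraphDriver", {})
    if graph.get("Name") != "overlay2":
        return None
    data = graph.get("Data", {})
    lowers = data.get("LowerDir", "")
    dirs = list(reversed(lowers.split(":"))) if lowers else []
    upper = data.get("UpperDir")
    if upper:
        dirs.append(upper)
    return dirs


def choose_strategy(inspect_doc: dict, isdir=os.path.isdir) -> str:
    """'overlay2' only when the driver is overlay2 and every directory exists
    where the scanner runs; Docker for Windows reports overlay2 but keeps the
    data in a volume inside its VM, so the check fails there and the layer
    merge is used instead."""
    dirs = overlay2_layer_dirs(inspect_doc)
    if dirs and all(isdir(d) for d in dirs):
        return "overlay2"
    return "layers"


def merge_layers(layers: list[dict[str, str]]) -> dict[str, str]:
    """Merge layer file maps (absolute path -> content), base layer first.
    A layer's whiteouts apply only to the layers beneath it, never to files
    added in the same layer, so deletions are applied before additions."""
    rootfs: dict[str, str] = {}
    for layer in layers:
        added: dict[str, str] = {}
        for path, content in layer.items():
            parent, _, name = path.rpartition("/")
            if name == OPAQUE_MARKER:
                prefix = parent + "/"
                for p in [p for p in rootfs if p.startswith(prefix)]:
                    del rootfs[p]
            elif name.startswith(WHITEOUT_PREFIX):
                target = parent + "/" + name[len(WHITEOUT_PREFIX):]
                for p in [p for p in rootfs if p == target or p.startswith(target + "/")]:
                    del rootfs[p]
            else:
                added[path] = content
        rootfs.update(added)  # a modified file simply overwrites the lower copy
    return rootfs


# Constructed excerpt of `docker image inspect` output (GraphDriver section only).
SAMPLE_INSPECT = {
    "GraphDriver": {
        "Name": "overlay2",
        "Data": {
            "LowerDir": "/var/lib/docker/overlay2/layer2/diff:/var/lib/docker/overlay2/layer1/diff",
            "UpperDir": "/var/lib/docker/overlay2/layer3/diff",
            "WorkDir": "/var/lib/docker/overlay2/layer3/work",
            "MergedDir": "/var/lib/docker/overlay2/layer3/merged",
        },
    },
}

# Constructed layers, base first: layer 1 adds a release file, a binary and a
# cache file; layer 2 deletes the binary and empties /tmp with an opaque
# whiteout; layer 3 modifies the release file and adds a new file under /tmp.
SAMPLE_LAYERS = [
    {"/etc/os-release": "ID=debian\n", "/usr/bin/curl": "<elf>", "/tmp/cache": "stale"},
    {"/usr/bin/.wh.curl": "", "/tmp/.wh..wh..opq": ""},
    {"/etc/os-release": 'ID=debian\nVERSION_ID="11"\n', "/tmp/new": "fresh"},
]

if __name__ == "__main__":
    print(choose_strategy(SAMPLE_INSPECT, isdir=lambda _d: False))
    for path in sorted(merge_layers(SAMPLE_LAYERS)):
        print(path)
```

On a Linux host where the overlay2 directories exist, `choose_strategy` returns "overlay2" and the scanner can read the merged view directly; anywhere else it must unpack and merge the layers itself, and the order of the whiteout handling is what keeps a file added in the same layer as an opaque marker from being discarded.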
Further, scanning and analysing the files contained in the image file directory according to the specific operating-system information and the operating-system-specific scanning policy specifically includes:
scanning the files in the image file directory with the package-manager feature rules of the corresponding operating system, according to the specific operating-system information, and judging whether the operating system in the image uses that operating system's default package manager and whether other versions of package managers have been installed by hand; merging and analysing the scan results to obtain the directory address and configuration information of the system components;
analysing the system component information according to the system component directory address, combined with the corresponding package manager's rules for filing and storing system components, where the analysis result comprises the component name, vendor, version number and list of contained files;
the specific operating-system information contained in the image comprises the release name, version number and related configuration information of that operating system.
The conventional automated scanning procedure is as follows. The developer uploads a container image, which creates an automated scanning task. After scanning starts, a working directory for the image is constructed under the temp directory, and the rules of the operating-system feature library are queried and compared with the file features of the working directory; the check items include path comparison and file format. When a feature of some operating system matches, the operating-system information is extracted according to that rule. Once the operating system is known, the configuration rules of its package manager are known too, so the package-manager configuration is searched for next, and the corresponding query rule is selected according to the configuration found, to obtain the system dependency packages and their version numbers. For example:
the system description file of Ubuntu is /etc/lsb-release; when that file is found and its DISTRIB_ID field reads Ubuntu, the container image can be determined to have been built on Ubuntu (the file name alone is not sufficient, since other Debian-derived distributions ship the same file with a different DISTRIB_ID). The /var/lib/dpkg directory can then be checked to determine whether dpkg is used as the package manager. When the operating system's software packages are managed by dpkg, the installed packages are recorded in the dpkg database under /var/lib/dpkg (the status file lists each installed package with its version, and the info/ directory holds each package's file list), and the system components installed in the operating system and their corresponding versions can be obtained by traversing it in sequence.
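The Ubuntu/dpkg walk-through above as runnable code, added here and not taken from the patent. The rule table, marker paths and sample rootfs contents are constructed, and the rootfs is a dict of path to file content so the block runs without a real image. It goes slightly beyond the text: it orders the rules so that Ubuntu precedes Debian (Ubuntu images also carry /etc/debian_version), checks the DISTRIB_ID field rather than the file name alone, reads the installed package list from the dpkg status file, skips packages that were removed but not purged, and picks up multi-arch `name:arch.list` file lists from /var/lib/dpkg/info.

```python
"""Identify the operating system in an unpacked image directory from its
feature files, detect the package manager from its database, and read the
dpkg database into component records.  Added example (not the patent's
code); the rule set, marker paths and the rootfs contents are constructed,
and the rootfs is modelled as a dict of path -> file content so it runs
without an image.
"""
from __future__ import annotations

import re

# (release name, feature file, rule the content must match, version regex).
# Checked in order: Ubuntu images also carry /etc/debian_version, so Ubuntu
# precedes Debian, and the Ubuntu rule checks DISTRIB_ID rather than trusting
# the file name alone.
OS_RULES = [
    ("ubuntu", "/etc/lsb-release", r"^DISTRIB_ID=Ubuntu$", r"^DISTRIB_RELEASE=(\S+)$"),
    ("alpine", "/etc/alpine-release", r"^\d+\.\d+", r"^(\S+)"),
    ("photon", "/etc/os-release", r"^ID=photon$", r"^VERSION_ID=(\S+)$"),
    ("rhel-family", "/etc/redhat-release", r"release \d", r"release (\S+)"),
    ("debian", "/etc/debian_version", r"^\d+(\.\d+)*$|/sid$", r"^(\S+)$"),
]

# Package-manager databases; several may be present in a hand-built image.
PKG_MANAGER_MARKERS = {
    "dpkg": "/var/lib/dpkg/status",
    "apk": "/lib/apk/db/installed",
    "rpm": "/var/lib/rpm/Packages",
}


def identify_os(rootfs: dict[str, str]) -> dict | None:
    """First matching rule wins; None means no feature file matched (for
    example an image built from scratch), which the report must state."""
    for name, path, rule, version_re in OS_RULES:
        content = rootfs.get(path)
        if content is None or not re.search(rule, content, re.MULTILINE):
            continue
        m = re.search(version_re, content, re.MULTILINE)
        return {"os": name, "version": m.group(1).strip('"') if m else None, "feature_file": path}
    return None


def detect_package_managers(rootfs: dict[str, str]) -> list[str]:
    return [name for name, marker in PKG_MANAGER_MARKERS.items() if marker in rootfs]


def parse_dpkg_status(rootfs: dict[str, str]) -> list[dict]:
    """Read /var/lib/dpkg/status (one paragraph per package) and attach each
    installed package's file list from /var/lib/dpkg/info.  Packages that were
    removed but not purged keep a paragraph and are skipped by the Status check."""
    packages = []
    for para in re.split(r"\n\s*\n", rootfs.get("/var/lib/dpkg/status", "").strip()):
        fields = {}
        for line in para.splitlines():
            if line[:1].isspace():  # continuation line of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("Status") != "install ok installed":
            continue
        name = fields["Package"]
        arch = fields.get("Architecture", "")
        list_path = f"/var/lib/dpkg/info/{name}.list"
        if list_path not in rootfs and arch:  # multi-arch packages use name:arch.list
            list_path = f"/var/lib/dpkg/info/{name}:{arch}.list"
        packages.append({
            "name": name,
            "source": fields.get("Source", name).split(" ")[0],  # "Source: glibc (2.31-13)" form
            "version": fields["Version"],
            "files": rootfs.get(list_path, "").split(),
        })
    return packages


# Constructed rootfs excerpt of an Ubuntu-based image.
SAMPLE_ROOTFS = {
    "/etc/lsb-release": "DISTRIB_ID=Ubuntu\nDISTRIB_RELEASE=22.04\nDISTRIB_CODENAME=jammy\n",
    "/etc/debian_version": "bookworm/sid\n",
    "/var/lib/dpkg/status": (
        "Package: libc6\nStatus: install ok installed\nArchitecture: amd64\n"
        "Source: glibc\nVersion: 2.35-0ubuntu3.1\nDescription: GNU C Library\n shared libraries\n\n"
        "Package: curl\nStatus: deinstall ok config-files\nArchitecture: amd64\n"
        "Version: 7.81.0-1ubuntu1.10\n\n"
        "Package: openssl\nStatus: install ok installed\nArchitecture: amd64\n"
        "Version: 3.0.2-0ubuntu1.10\n"
    ),
    "/var/lib/dpkg/info/libc6:amd64.list": "/.\n/lib\n/lib/x86_64-linux-gnu/libc.so.6\n",
    "/var/lib/dpkg/info/openssl.list": "/usr/bin/openssl\n",
}

if __name__ == "__main__":
    print(identify_os(SAMPLE_ROOTFS), detect_package_managers(SAMPLE_ROOTFS))
    for pkg in parse_dpkg_status(SAMPLE_ROOTFS):
        print(pkg["name"], pkg["source"], pkg["version"], len(pkg["files"]), "files")
```

The records this produces (name, source package, version, file list) are the component information the next step compares against the vulnerability database; the source package name matters because advisories are usually keyed by source (glibc) rather than binary package (libc6).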
Further, while scanning and analysing the files contained in the image file directory according to the operating-system-specific scanning policy, the method further includes:
selecting the comparison rule that matches the system component, based on the related configuration information of the operating system in the image together with the package-manager information found by the scan; comparing the system component information with the feature data in an external vulnerability database; and judging whether the system component has a vulnerability.
Further, judging whether the system component has a vulnerability specifically includes:
judging whether the system component information contains patch information and, if so, judging whether the installed version is lower than the corresponding patched version in the external vulnerability database; if it is lower, the component is judged vulnerable, otherwise it is judged not vulnerable;
if the system component information contains no patch information, judging whether it has a Common Vulnerabilities and Exposures (CVE) entry and, if so, whether the component's version number lies within the range (expressed as a CPE) disclosed in that CVE entry; if it does, the component is judged vulnerable. If the component has no CVE entry, or its version number is outside the range disclosed in the entry, it is judged not vulnerable.
The version-naming rules of system components differ between releases and do not all follow the semver standard, but each operating system maintains its own security patches during its service life, and the release vendors have published the source code of their package managers. Their version-handling module is therefore extracted and used as part of the version comparison rule. Comparing against the vulnerability database with the vendor's own version comparison rule gives more accurate and reliable results than any other comparison module. The practical reason is that a distribution's fixed version often differs from upstream's: a fix is frequently backported under a distribution revision suffix while the upstream version string stays the same, so a generic semver or upstream-range comparison would report such a package as still vulnerable, and epochs can make a numerically smaller version the newer one.
A security analysis system for an image system, comprising:
an image data extraction module for extracting image information and generating an image file directory;
a configuration analysis module for analysing the files in the image according to the image file directory and extracting feature information; comparing the feature information with the feature rules in an operating-system feature library to obtain the specific operating-system information contained in the image; and scanning and analysing the files contained in the image file directory according to that operating-system information and an operating-system-specific scanning strategy;
and an information formatting module for generating a formatted analysis report according to a format rule.
The image data extraction module and the configuration analysis module are specifically configured to carry out the corresponding method steps set out above: querying the image information and constructing the image file directory from the storage driver or by merging the layers, scanning with the package-manager feature rules to obtain the system component information, selecting the version comparison rule, and comparing against the external vulnerability database using the patch-information and CVE range checks.
The beneficial effects of the invention are as follows:
In practice, when large-scale container image security scans must be executed automatically and periodically after a container image registry has been deployed, the method provides efficient and accurate data for analysis. Because the analysis is driven by the specific operating system contained in the image, its results are more accurate, and the range of environments in which image security detection can be applied is widened. Constructing the image file directory lets the rules query specified paths directly, without traversing every file, when data is collected and analysed, which improves efficiency. Finally, a formatted analysis report is generated for developers or users, making targeted improvement of the image straightforward.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below show only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow chart of a security analysis method for an image system according to an embodiment of the present invention;
FIG. 2 is a flow chart of another security analysis method for an image system according to an embodiment of the present invention;
FIG. 3 is a structural diagram of a security analysis system for an image system according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, in the case of no conflict, the features in the following embodiments and examples may be combined with each other; moreover, all other embodiments that can be derived by one of ordinary skill in the art from the embodiments disclosed herein without making any creative effort fall within the scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. Additionally, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
The invention provides an embodiment of a security analysis method for an image system which, as shown in FIG. 1, comprises:
S11: extracting image information and generating an image file directory;
S12: analysing the files in the image according to the image file directory and extracting feature information;
S13: comparing the feature information with the feature rules in an operating-system feature library to obtain the specific operating-system information contained in the image; this step checks, according to each operating system's feature rule, whether the feature file exists in the image file directory and whether its content satisfies the rule, integrates the results, and determines which supported operating-system release (Debian family, Red Hat family, Alpine, Photon OS and so on) the image contains;
S14: scanning and analysing the files contained in the image file directory according to the specific operating-system information and an operating-system-specific scanning strategy;
S15: generating a formatted analysis report according to a format rule.
In practical application, when a large-scale container mirror image security inspection scanning needs to be automatically executed regularly after a container mirror image warehouse is deployed, the method and the system can provide high-efficiency and accurate analyzable data. And collecting and analyzing data information by using a mirror image system file directory, namely decompressing a mirror image to a temporary working directory, and collecting and analyzing the data in the working directory by a scanning program according to a corresponding feature library and a scanning rule. The mirror image is a complete operating system and comprises all software operating environments and configuration files, so that the aim of constructing a mirror image system file directory is to directly inquire specified path files according to rules without traversing the files after constructing a complete file path, and the working efficiency is improved. Identifying the operating system is by checking for the presence and integrity of operating system feature profiles, and for developers or users who do not have a specifically customized operating system who do not have to make and do not have to expressly modify these operating system base dependent configuration features, so the specific operating system information contained within the image can be identified in this manner.
Preferably, extracting the mirror image system information and generating the mirror image system file directory specifically includes:
extracting the mirror image system information and judging whether a storage driver exists; if so, constructing the mirror image system file directory from the storage driver; otherwise, writing the files of each layer of the mirror image system into the file directory in sequence according to their addition, deletion and modification marks. The process comprises two steps:
first, the scanning algorithm works on the Docker bottom layer: it obtains Docker execution permission on the server, then calls the Docker daemon API to query the inspect information of the target image, obtaining the image's hash, storage driver, layers and other information, that is, the image system information;
second, judging whether a storage driver exists and, if so, constructing the mirror image system file directory from it. For example, if the storage driver is overlay2 and the overlay2 directory exists, the target image can be mounted from its LowerDir, UpperDir and WorkDir to give a file directory identical to the one the image has at run time (an example of why the existence of the overlay directory must be checked: with Docker for Windows installed on Windows, the storage driver reported in the container image's inspect information is overlay2, but the Docker data lives in a volume and does not actually exist in the host directory); otherwise, the files of each layer of the image are merged into the working directory in sequence according to their addition, deletion and modification marks.
Preferably, scanning and analyzing the files contained in the file directory of the image system according to the specific operating system information and the specific operating system scanning policy specifically includes:
scanning the files contained in the file directory of the mirror image system using the characteristic rules of the package manager used by the corresponding operating system, as selected by the specific operating system information, and judging whether the specific operating system contained in the image uses that operating system's default package manager and whether package managers of other versions have been installed separately; merging and analyzing the scan results to obtain the directory address and configuration information of the system components;
analyzing the system component information from the directory address of the system components, in combination with the rules by which the corresponding package manager archives and stores system components, where the analysis result comprises, for each component, its name, manufacturer, version number and list of contained files;
the specific operating system information contained in the mirror image system comprises the release name, version number and related configuration information of the specific operating system.
The conventional automated scanning procedure is as follows: the developer uploads a container image, which creates an automated scanning task. After the scan starts, a working directory for the image is constructed under the temp directory and the rules of the operating system feature library are queried and compared against the file features of the working directory; the check items include path comparison and file format. When a certain operating system feature matches, the operating system information is extracted according to the rule. Once the operating system is known, the configuration rules of the corresponding package manager are known, so the package manager's configuration is searched for next, and the corresponding query rule is selected according to the configuration found to obtain the system dependency packages and their version numbers. For example:
the system description file of an Ubuntu system is located at /etc/lsb-release; as soon as this file is found, the container image can be determined to be built on Ubuntu, and the /var/lib/dpkg directory can then be checked to determine whether dpkg is the package manager in use. When the operating system's software packages are managed by dpkg, the dependency configuration is recorded in the /var/lib/dpkg/info/ directory, and the system components installed in the operating system and their corresponding versions can be obtained by traversing that directory in sequence.
Preferably, while performing the scan analysis on the files contained in the file directory of the image system according to the specific operating system scan policy, the method further includes:
selecting a comparison rule that matches the system component, in combination with the related configuration information of the specific operating system contained in the mirror image system and the scanned package manager information, comparing the system component information with the characteristic data in an external vulnerability database, and judging whether the system component has a vulnerability.
Preferably, determining whether the system component has a vulnerability specifically includes:
judging whether the system component information contains patch information; if so, judging whether the version of the corresponding patch is lower than that of the corresponding patch in the external vulnerability database, and if it is lower, judging that the system component has a vulnerability, otherwise judging that it does not;
if the system component information does not contain patch information, judging whether it contains a Common Vulnerabilities and Exposures (CVE) entry; if so, judging whether the version number of the system component falls within the range (given by the corresponding CPE) disclosed in the CVE entry, and if so, judging that the system component has a vulnerability; if the system component information contains no CVE entry, or the version number of the system component is not within the range disclosed in the CVE entry, judging that the system component does not have the vulnerability.
The naming rules for system components differ between releases and do not all follow the semver standard, but each operating system maintains its own security patches for the components it ships, and the release vendors have published the source code of their package managers. The version-management module of each package manager is extracted and used as part of the version comparison rule. Comparing against the vulnerability database with the vendor's own official version comparison rules gives results of higher accuracy and reliability than those obtained with other comparison modules.
To further explain the method of the present invention, another embodiment of a mirror system security analysis method, combining the preferred solutions above, is provided as shown in Fig. 2 and includes:
s21: extracting mirror image system information;
s22: judging whether a storage driver exists; if so, constructing the mirror image system file directory from the storage driver; otherwise, writing the files of each layer of the mirror image system into the file directory in sequence according to their addition, deletion and modification marks;
s23: analyzing the files in the mirror image system according to the file directory of the mirror image system, and extracting characteristic information;
s24: comparing the characteristic information with characteristic rules in an operating system characteristic library to obtain specific operating system information contained in the mirror image system;
s25: scanning the files contained in the file directory of the mirror image system using the characteristic rules of the package manager used by the corresponding operating system, as selected by the specific operating system information, and judging whether the specific operating system contained in the image uses that operating system's default package manager and whether package managers of other versions have been installed separately; S26-S27 and S28-S210 are then executed respectively, and finally S211 is executed;
s26: merging and analyzing the scan results to obtain the directory address and configuration information of the system components;
s27: analyzing the system component information from the directory address of the system components, in combination with the rules by which the corresponding package manager archives and stores system components; the analysis result comprises, for each component, its name, manufacturer, version number and file list;
s28: selecting a comparison rule that matches the system component, in combination with the related configuration information of the specific operating system contained in the mirror image system and the scanned package manager information, and comparing the system component information with the characteristic data in an external vulnerability database;
s29: judging whether the system component information contains patch information; if so, judging whether the version of the corresponding patch is lower than that of the corresponding patch in the external vulnerability database, and if it is lower, judging that the system component has a vulnerability, otherwise judging that it does not; if the system component information does not contain patch information, proceeding to S210;
s210: judging whether the system component information contains a CVE entry; if so, judging whether the version number of the system component falls within the range disclosed in the CVE entry, and if so, judging that the system component has a vulnerability; if the system component information contains no CVE entry, or the version number of the system component is not within the range disclosed in the CVE entry, judging that the system component does not have a vulnerability;
s211: summarizing all scan analysis and judgement results and outputting a formatted, readable report, which is fed back to the developer or user.
This embodiment effectively reduces the time and labor required to collect and scan data and improves analysis efficiency. At the same time, the method adapts its version-number identification and resolution algorithm to the various scenarios, which improves scanning accuracy and reduces false alarms. Comparing against the vulnerability database with the vendor's own official version comparison rules gives results of higher accuracy and reliability than those obtained with other comparison modules.
The present invention also provides an embodiment of a mirror system security analysis system, as shown in Fig. 3, including:
a mirror image data extraction module 31, used for extracting mirror image system information and generating a mirror image system file directory;
a configuration analysis module 32, used for analyzing the files in the mirror image system according to the mirror image system file directory and extracting characteristic information; comparing the characteristic information with the characteristic rules in an operating system characteristic library to obtain the specific operating system information contained in the mirror image system; and scanning and analyzing the files contained in the file directory of the mirror image system according to the specific operating system information and the corresponding operating system scanning strategy;
an information formatting module 33, configured to generate a formatted analysis report according to the format rule.
In practical application, once a container image repository has been deployed and large-scale container image security scans need to run automatically on a schedule, the method and system provide efficient and accurate analyzable data. Data is collected and analyzed through the image system file directory: the image is decompressed into a temporary working directory, and the scanning program collects and analyzes the data in that directory according to the corresponding feature library and scanning rules. Because an image contains a complete operating system, including all software runtime environments and configuration files, the purpose of constructing the image system file directory is that, once the complete file paths exist, the scanner can query the files at the paths specified by the rules directly instead of traversing the whole tree, which improves efficiency. The operating system is identified by checking for the presence and integrity of the operating system's characteristic configuration files; developers and users who have not specially customized their operating system have no need to, and do not deliberately, modify these basic configuration files on which the operating system depends, so the specific operating system contained in the image can be identified in this way.
Preferably, the mirror image data extraction module 31 is specifically configured to:
extract the mirror image system information and judge whether a storage driver exists; if so, construct the mirror image system file directory from the storage driver; otherwise, write the files of each layer of the mirror image system into the file directory in sequence according to their addition, deletion and modification marks. The process comprises two steps:
first, the scanning algorithm works on the Docker bottom layer: it obtains Docker execution permission on the server, then calls the Docker daemon API to query the inspect information of the target image, obtaining the image's hash, storage driver, layers and other information, that is, the image system information;
second, judging whether a storage driver exists and, if so, constructing the mirror image system file directory from it. For example, if the storage driver is overlay2 and the overlay2 directory exists, the target image can be mounted from its LowerDir, UpperDir and WorkDir to give a file directory identical to the one the image has at run time (an example of why the existence of the overlay directory must be checked: with Docker for Windows installed on Windows, the storage driver reported in the container image's inspect information is overlay2, but the Docker data lives in a volume and does not actually exist in the host directory); otherwise, the files of each layer of the image are merged into the working directory in sequence according to their addition, deletion and modification marks.
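As an added illustration of the second step (described here and in the method embodiment above), the following code shows how the fallback path, merging an image's layers into a working directory according to their addition, deletion and modification marks, can be implemented when no usable storage driver directory exists. This is example code written for this page, not the patent's implementation; it assumes the OCI/Docker whiteout convention for deletion marks (a `.wh.` prefix, and `.wh..wh..opq` for an opaque directory) and builds three sample layers in memory.

```python
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import Path

# OCI/Docker layer tars carry deletions as "whiteout" entries rather than flags:
# "<dir>/.wh.<name>" removes <name> from the lower layers and "<dir>/.wh..wh..opq"
# hides everything below <dir>. A later layer that carries a path again modifies it.
WHITEOUT_PREFIX = ".wh."
OPAQUE_WHITEOUT = ".wh..wh..opq"


def build_layer(files: dict) -> bytes:
    """Build an in-memory layer tar from {path: bytes}; whiteout names are passed as-is."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _safe_join(root: Path, name: str) -> Path:
    """Resolve a tar entry under root and refuse entries that escape it (e.g. '../../etc/passwd')."""
    root = root.resolve()
    dest = (root / name.lstrip("/")).resolve()
    if dest != root and root not in dest.parents:
        raise ValueError(f"layer entry escapes working directory: {name}")
    return dest


def apply_layer(root: Path, layer: bytes) -> None:
    """Merge one layer into root, honouring its add/delete/modify marks."""
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r") as tar:
        for member in tar.getmembers():
            parent, name = os.path.split(member.name)
            if name == OPAQUE_WHITEOUT and parent:
                opaque_dir = _safe_join(root, parent)
                shutil.rmtree(opaque_dir, ignore_errors=True)  # drop lower-layer contents
                opaque_dir.mkdir(parents=True, exist_ok=True)
                continue
            if name.startswith(WHITEOUT_PREFIX):
                target = _safe_join(root, os.path.join(parent, name[len(WHITEOUT_PREFIX):]))
                if target.is_dir() and not target.is_symlink():
                    shutil.rmtree(target)
                elif target.exists() or target.is_symlink():
                    target.unlink()
                continue
            dest = _safe_join(root, member.name)
            if member.isdir():
                dest.mkdir(parents=True, exist_ok=True)
            elif member.isfile():  # overwriting an existing file is the "modify" case
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())
            # symlinks and device nodes are skipped in this example


def build_image_fs(layers: list, work_dir: Path) -> dict:
    """Apply layers to work_dir in order and return {relative path: content} of the result."""
    work_dir = work_dir.resolve()
    work_dir.mkdir(parents=True, exist_ok=True)
    for layer in layers:
        apply_layer(work_dir, layer)
    return {p.relative_to(work_dir).as_posix(): p.read_bytes()
            for p in sorted(work_dir.rglob("*")) if p.is_file()}


def demo_merge() -> dict:
    """Constructed three-layer image: base files, then deletions and a modification, then an addition."""
    layers = [
        build_layer({
            "etc/os-release": b'ID=ubuntu\nVERSION_ID="20.04"\n',
            "usr/share/doc/old/README": b"old docs\n",
            "tmp/cache.bin": b"\x00\x01\x02\x03",
        }),
        build_layer({
            "tmp/.wh.cache.bin": b"",                               # deletion mark for a file
            "usr/share/doc/.wh.old": b"",                           # deletion mark for a directory
            "etc/os-release": b'ID=ubuntu\nVERSION_ID="22.04"\n',  # modification (same path again)
        }),
        build_layer({
            "var/lib/dpkg/status": b"Package: bash\nVersion: 5.1-6ubuntu1\n\n",  # addition
        }),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        return build_image_fs(layers, Path(tmp))


if __name__ == "__main__":
    for path, content in demo_merge().items():
        print(path, content)
```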
Preferably, scanning and analyzing the files contained in the file directory of the image system according to the specific operating system information and the specific operating system scanning policy specifically includes:
scanning the files contained in the file directory of the mirror image system using the characteristic rules of the package manager used by the corresponding operating system, as selected by the specific operating system information, and judging whether the specific operating system contained in the image uses that operating system's default package manager and whether package managers of other versions have been installed separately; merging and analyzing the scan results to obtain the directory address and configuration information of the system components;
analyzing the system component information from the directory address of the system components, in combination with the rules by which the corresponding package manager archives and stores system components, where the analysis result comprises, for each component, its name, manufacturer, version number and list of contained files;
the specific operating system information contained in the mirror image system comprises the release name, version number and related configuration information of the specific operating system.
The conventional automated scanning procedure is as follows: the developer uploads a container image, which creates an automated scanning task. After the scan starts, a working directory for the image is constructed under the temp directory and the rules of the operating system feature library are queried and compared against the file features of the working directory; the check items include path comparison and file format. When a certain operating system feature matches, the operating system information is extracted according to the rule. Once the operating system is known, the configuration rules of the corresponding package manager are known, so the package manager's configuration is searched for next, and the corresponding query rule is selected according to the configuration found to obtain the system dependency packages and their version numbers. For example:
the system description file of an Ubuntu system is located at /etc/lsb-release; as soon as this file is found, the container image can be determined to be built on Ubuntu, and the /var/lib/dpkg directory can then be checked to determine whether dpkg is the package manager in use. When the operating system's software packages are managed by dpkg, the dependency configuration is recorded in the /var/lib/dpkg/info/ directory, and the system components installed in the operating system and their corresponding versions can be obtained by traversing that directory in sequence.
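The operating-system identification and dpkg scan just described (and in the method embodiment above) can be demonstrated with the following example code, which is added here and is not the patent's own scanner. The feature rules, the package-manager markers and the Ubuntu-like sample files are constructed for the example; it takes component versions from dpkg's status database and the per-package `.list` files under /var/lib/dpkg/info, which is one way to realise the traversal the text describes.

```python
import re
import tempfile
from pathlib import Path

# Operating-system feature rules (constructed for this example): a file that must exist under the
# image root, a pattern its content must match, and a pattern capturing the release version.
# Order matters: Ubuntu also ships /etc/debian_version (e.g. "bookworm/sid"), so the more specific
# rule comes first and the Debian rule only accepts a purely numeric version file.
OS_FEATURE_RULES = [
    {"name": "ubuntu", "path": "etc/lsb-release", "match": r"^DISTRIB_ID=Ubuntu$", "version": r"^DISTRIB_RELEASE=(\S+)$"},
    {"name": "debian", "path": "etc/debian_version", "match": r"^\d+(\.\d+)*\s*$", "version": r"^(\d+(?:\.\d+)*)"},
    {"name": "alpine", "path": "etc/alpine-release", "match": r"^\d+\.\d+", "version": r"^(\S+)"},
    {"name": "redhat", "path": "etc/redhat-release", "match": r"release \d", "version": r"release (\S+)"},
]

# Package-manager markers: the database directory whose presence identifies the manager.
PKG_MANAGER_MARKERS = {
    "dpkg": "var/lib/dpkg",   # Debian/Ubuntu, the directory named on this page
    "apk": "lib/apk/db",      # Alpine
    "rpm": "var/lib/rpm",     # RedHat family
}


def detect_os(root: Path):
    """Return {"name", "version"} for the first rule whose file exists AND whose content matches."""
    for rule in OS_FEATURE_RULES:
        feature_file = root / rule["path"]
        if not feature_file.is_file():
            continue
        text = feature_file.read_text(errors="replace")
        if not re.search(rule["match"], text, re.MULTILINE):
            continue  # present but not conforming: not a match, keep checking the other rules
        m = re.search(rule["version"], text, re.MULTILINE)
        return {"name": rule["name"], "version": m.group(1) if m else None}
    return None


def detect_package_managers(root: Path) -> list:
    """List every package manager whose marker exists, so a non-default one is reported too."""
    return [pm for pm, marker in PKG_MANAGER_MARKERS.items() if (root / marker).exists()]


def parse_dpkg_status(root: Path) -> list:
    """Read installed components from dpkg's status database plus each package's .list file."""
    status = root / "var/lib/dpkg/status"
    components = []
    for stanza in status.read_text(errors="replace").split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation line of a multi-line field such as Description
            key, value = line.split(":", 1)
            fields[key] = value.strip()
        if fields.get("Status") != "install ok installed":
            continue  # removed packages that only left config files are not installed components
        name = fields["Package"]
        file_list = root / "var/lib/dpkg/info" / f"{name}.list"
        components.append({
            "name": name,
            "vendor": fields.get("Maintainer", ""),
            "version": fields["Version"],
            "files": file_list.read_text().splitlines() if file_list.is_file() else [],
        })
    return components


def _write(root: Path, rel: str, text: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo_scan() -> dict:
    """Constructed Ubuntu-like image directory; returns the OS, package managers and components."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "etc/lsb-release", "DISTRIB_ID=Ubuntu\nDISTRIB_RELEASE=22.04\n")
        _write(root, "etc/debian_version", "bookworm/sid\n")  # would not satisfy the Debian rule
        _write(root, "var/lib/dpkg/status",
               "Package: bash\nStatus: install ok installed\n"
               "Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>\n"
               "Version: 5.1-6ubuntu1\nDescription: GNU Bourne Again SHell\n Bash is an sh-compatible shell.\n\n"
               "Package: libssl3\nStatus: install ok installed\n"
               "Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>\n"
               "Version: 3.0.2-0ubuntu1.6\n\n"
               "Package: old-tool\nStatus: deinstall ok config-files\nVersion: 1.0-1\n")
        _write(root, "var/lib/dpkg/info/bash.list", "/bin/bash\n/etc/bash.bashrc\n")
        return {
            "os": detect_os(root),
            "package_managers": detect_package_managers(root),
            "components": parse_dpkg_status(root),
        }


if __name__ == "__main__":
    print(demo_scan())
```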
Preferably, while performing the scan analysis on the files contained in the file directory of the image system according to the specific operating system scan policy, the configuration analysis module 32 is further configured to:
select a comparison rule that matches the system component, in combination with the related configuration information of the specific operating system contained in the mirror image system and the scanned package manager information, compare the system component information with the characteristic data in an external vulnerability database, and judge whether the system component has a vulnerability.
Preferably, determining whether the system component has a vulnerability specifically includes:
judging whether the system component information contains patch information; if so, judging whether the version of the corresponding patch is lower than that of the corresponding patch in the external vulnerability database, and if it is lower, judging that the system component has a vulnerability, otherwise judging that it does not;
if the system component information does not contain patch information, judging whether it contains a Common Vulnerabilities and Exposures (CVE) entry; if so, judging whether the version number of the system component falls within the range (given by the corresponding CPE) disclosed in the CVE entry, and if so, judging that the system component has a vulnerability; if the system component information contains no CVE entry, or the version number of the system component is not within the range disclosed in the CVE entry, judging that the system component does not have the vulnerability.
The naming rules for system components differ between releases and do not all follow the semver standard, but each operating system maintains its own security patches for the components it ships, and the release vendors have published the source code of their package managers. The version-management module of each package manager is extracted and used as part of the version comparison rule. Comparing against the vulnerability database with the vendor's own official version comparison rules gives results of higher accuracy and reliability than those obtained with other comparison modules.
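To show why the vendor's own comparison rules matter (this paragraph and the same discussion in the method embodiment above), and how the patch-first, then CVE-range decision of the preceding paragraph is applied, here is an added example that is not the patent's code. It re-implements dpkg's version ordering in Python as the comparison rule for the Debian/Ubuntu family and runs the decision over a constructed component list and a constructed vulnerability database with placeholder IDs; the `patch` component field and the `fixed_in`/`range` entry fields are assumptions made for the example.

```python
# Debian/Ubuntu versions are "[epoch:]upstream[-revision]" and are ordered by dpkg's own rules,
# not semver: "~" sorts before everything (1.0~rc1 < 1.0), letters sort before other symbols,
# and digit runs compare numerically. _verrevcmp() mirrors dpkg's verrevcmp() algorithm.


def _order(c: str) -> int:
    """dpkg character weight: digits 0, letters their code, '~' below all, other symbols above letters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream or revision part; negative, zero or positive like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits in this run, so it is numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_debian_version(v: str) -> tuple:
    """Split "[epoch:]upstream[-revision]"; the revision is everything after the last hyphen."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the semantics of `dpkg --compare-versions`."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    result = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


# Constructed vulnerability database (placeholder IDs, not real CVEs). "fixed_in" is the distro
# patch version that closes the issue; "range" is a [start, end) interval taken from a CVE's CPE.
VULN_DB = {
    "openssl": [{"id": "CVE-EXAMPLE-0001", "fixed_in": "3.0.2-0ubuntu1.10"}],
    "bash": [{"id": "CVE-EXAMPLE-0002", "range": ("5.0", "5.1-6")}],
    "zlib1g": [{"id": "CVE-EXAMPLE-0003", "range": ("1:1.2.0", "1:1.2.13.dfsg-1")}],
}

# One comparator per package manager; the scan stage selects it from the detected OS/package manager.
COMPARATORS = {"dpkg": compare_debian_versions}


def judge_component(component: dict, db: dict, cmp) -> list:
    """Decision order from the page: patch information first, otherwise the CVE version range."""
    findings = []
    for entry in db.get(component["name"], []):
        if "patch" in component:
            if "fixed_in" in entry and cmp(component["patch"], entry["fixed_in"]) < 0:
                findings.append(entry["id"])   # carried patch is lower than the database's patch
        elif "range" in entry:
            lo, hi = entry["range"]
            if cmp(component["version"], lo) >= 0 and cmp(component["version"], hi) < 0:
                findings.append(entry["id"])   # version lies inside the disclosed range
    return findings


def demo_judge() -> dict:
    components = [  # constructed output of the package-manager scan stage
        {"name": "openssl", "version": "3.0.2-0ubuntu1.6", "patch": "3.0.2-0ubuntu1.6"},
        {"name": "bash", "version": "5.1-6ubuntu1"},
        {"name": "zlib1g", "version": "1:1.2.11.dfsg-2ubuntu9"},
        {"name": "coreutils", "version": "8.32-4.1ubuntu1"},
    ]
    cmp = COMPARATORS["dpkg"]
    return {c["name"]: judge_component(c, VULN_DB, cmp) for c in components}


if __name__ == "__main__":
    print(demo_judge())
```

Note that a semver-style comparator would misorder `1.0~rc1` against `1.0` and `5.1-6ubuntu1` against `5.1-6`, which is exactly the false-alarm source the text attributes to generic comparison modules.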
The process of the system embodiment of the invention is similar to that of the method embodiment, so the description of the system embodiment is kept brief; for the corresponding parts, refer to the method embodiment.
In practical application, once a container image repository has been deployed and large-scale container image security scans need to run automatically on a schedule, the method provides efficient and accurate analyzable data. The invention analyzes according to the specific operating system information contained in the mirror image system, so the analysis result is more accurate, and it broadens the application environments in which security detection and analysis of mirror systems can be carried out. The invention constructs the file directory of the mirror image system, so that when data is collected and analyzed the files at the paths specified by the rules can be queried directly without traversing the files, which improves efficiency. Finally, the invention generates a formatted analysis report for the developer or user to consult, which makes targeted optimization of the mirror image system convenient.
The above description covers only specific embodiments of the present invention, but the scope of the present invention is not limited thereto; any changes or substitutions that can readily be conceived by those skilled in the art within the technical scope of the present invention fall within the scope of the present invention. Therefore, the protection scope of the present invention shall be that of the claims.

Claims (10)

1. A security analysis method for a mirroring system, characterized by comprising the following steps:
extracting mirror image system information and generating a mirror image system file directory;
analyzing the files in the mirror image system according to the file directory of the mirror image system, and extracting characteristic information;
comparing the characteristic information with the characteristic rules in an operating system characteristic library to obtain the specific operating system information contained in the mirror image system;
scanning and analyzing the files contained in the file directory of the mirror image system according to the specific operating system information and the corresponding operating system scanning strategy;
generating a formatted analysis report according to the format rule.
2. The method according to claim 1, wherein extracting the mirror system information and generating the mirror system file directory specifically include:
extracting the mirror image system information and judging whether a storage driver exists; if so, constructing the mirror image system file directory from the storage driver; otherwise, writing the files of each layer of the mirror image system into the file directory in sequence according to their addition, deletion and modification marks.
3. The method according to claim 2, wherein scanning and analyzing the files contained in the file directory of the image system according to the specific operating system information and the specific operating system scanning policy specifically includes:
scanning the files contained in the file directory of the mirror image system using the characteristic rules of the package manager used by the corresponding operating system, as selected by the specific operating system information, and judging whether the specific operating system contained in the image uses that operating system's default package manager and whether package managers of other versions have been installed separately; merging and analyzing the scan results to obtain the directory address and configuration information of the system components;
analyzing the system component information from the directory address of the system components, in combination with the rules by which the corresponding package manager archives and stores system components, where the analysis result comprises, for each component, its name, manufacturer, version number and list of contained files;
the specific operating system information contained in the mirror image system comprises the release name, version number and related configuration information of the specific operating system.
4. The method of claim 3, wherein, while the scan analysis of the files contained in the file directory of the mirror system is performed according to the specific operating system scan policy, the method further comprises:
selecting a comparison rule that matches the system component, in combination with the related configuration information of the specific operating system contained in the mirror image system and the scanned package manager information, comparing the system component information with the characteristic data in an external vulnerability database, and judging whether the system component has a vulnerability.
5. The method according to claim 4, wherein determining whether the system component has a vulnerability specifically includes:
judging whether the system component information contains patch information; if so, judging whether the version of the corresponding patch is lower than that of the corresponding patch in the external vulnerability database, and if it is lower, judging that the system component has a vulnerability, otherwise judging that it does not;
if the system component information does not contain patch information, judging whether it contains a Common Vulnerabilities and Exposures (CVE) entry; if so, judging whether the version number of the system component falls within the range disclosed in the CVE entry, and if so, judging that the system component has a vulnerability; if the system component information contains no CVE entry, or the version number of the system component is not within the range disclosed in the CVE entry, judging that the system component does not have the vulnerability.
6. A mirroring system security analysis system, comprising:
a mirror image data extraction module, used for extracting mirror image system information and generating a mirror image system file directory;
a configuration analysis module, used for analyzing the files in the mirror image system according to the mirror image system file directory and extracting characteristic information; comparing the characteristic information with the characteristic rules in an operating system characteristic library to obtain the specific operating system information contained in the mirror image system; and scanning and analyzing the files contained in the file directory of the mirror image system according to the specific operating system information and the corresponding operating system scanning strategy;
an information formatting module, used for generating a formatted analysis report according to the format rule.
7. The system of claim 6, wherein the mirrored data extraction module is specifically configured to:
extract the mirror image system information and judge whether a storage driver exists; if so, construct the mirror image system file directory from the storage driver; otherwise, write the files of each layer of the mirror image system into the file directory in sequence according to their addition, deletion and modification marks.
8. The system according to claim 7, wherein scanning and analyzing the files contained in the file directory of the image system according to the specific operating system information and the specific operating system scanning policy specifically includes:
scanning the files contained in the file directory of the mirror image system using the characteristic rules of the package manager used by the corresponding operating system, as selected by the specific operating system information, and judging whether the specific operating system contained in the image uses that operating system's default package manager and whether package managers of other versions have been installed separately; merging and analyzing the scan results to obtain the directory address and configuration information of the system components;
analyzing the system component information from the directory address of the system components, in combination with the rules by which the corresponding package manager archives and stores system components, where the analysis result comprises, for each component, its name, manufacturer, version number and list of contained files;
the specific operating system information contained in the mirror image system comprises the release name, version number and related configuration information of the specific operating system.
9. The system of claim 8, wherein, while the scan analysis of the files contained in the file directory of the mirroring system is performed according to the specific operating system scan policy, the configuration analysis module is further configured to:
select a comparison rule that matches the system component, in combination with the related configuration information of the specific operating system contained in the mirror image system and the scanned package manager information, compare the system component information with the characteristic data in an external vulnerability database, and judge whether the system component has a vulnerability.
10. The system according to claim 9, wherein determining whether the system component has a vulnerability specifically includes:
judging whether the system component information contains patch information; if so, judging whether the version of the corresponding patch is lower than that of the corresponding patch in the external vulnerability database, and if it is lower, judging that the system component has a vulnerability, otherwise judging that it does not;
if the system component information does not contain patch information, judging whether it contains a Common Vulnerabilities and Exposures (CVE) entry; if so, judging whether the version number of the system component falls within the range disclosed in the CVE entry, and if so, judging that the system component has a vulnerability; if the system component information contains no CVE entry, or the version number of the system component is not within the range disclosed in the CVE entry, judging that the system component does not have the vulnerability.
CN202111293938.3A 2021-11-03 2021-11-03 Mirror image system security analysis method and system Pending CN114020411A (en)
Publications (1)

Publication Number Publication Date
CN114020411A true CN114020411A (en) 2022-02-08

Family

ID=80060142

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111293938.3A Pending CN114020411A (en) 2021-11-03 2021-11-03 Mirror image system security analysis method and system

Country Status (1)

Country Link
CN (1) CN114020411A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117311905A (en) * 2023-10-11 2023-12-29 上海安势信息技术有限公司 Container mirror image software composition analysis system and method based on layered detection
CN117311905B (en) * 2023-10-11 2024-06-07 上海安势信息技术有限公司 Container mirror image software composition analysis system and method based on layered detection

Similar Documents

Publication Publication Date Title
US8108456B2 (en) Method and apparatus for migrating the system environment on which the applications depend
US8291405B2 (en) Automatic dependency resolution by identifying similar machine profiles
US9864793B2 (en) Language tag management on international data storage
KR102044046B1 (en) Telemetry file hash and conflict detection
EP3779702B1 (en) Electronic device detecting software vulnerability and method for operating same
US10043012B2 (en) Method of correlating static and dynamic application security testing results for a web application
CN104520871A (en) Vulnerability vector information analysis
US20110035729A1 (en) Generating and resolving component names in an integrated development environment
KR20130134790A (en) Method and system for storing the integrity information of application, method and system for checking the integrity of application
US20060106590A1 (en) Computing services discovery system and method therefor
US20160124795A1 (en) Evaluation method and apparatus
US20150213272A1 (en) Conjoint vulnerability identifiers
CN112395042A (en) Method and device for carrying out security scanning facing to business container mirror image
CN111258614A (en) Method, system, equipment and storage medium for detecting upgrade exception of project third-party library
CN113642004A (en) Container mirror image security scanning and repairing method, device and equipment
CN115033894A (en) Software component supply chain safety detection method and device based on knowledge graph
CN115576600A (en) Code change-based difference processing method and device, terminal and storage medium
CN114020411A (en) Mirror image system security analysis method and system
KR101228902B1 (en) Cloud Computing-Based System for Supporting Analysis of Malicious Code
CN110990055A (en) Pull Request function classification method based on program analysis
CN116795486A (en) Analysis method and device for container mirror image file purification, storage medium and terminal
CN112148545A (en) Security baseline detection method and security baseline detection system of embedded system
EP1710698A2 (en) Generic software requirements analyser
CN115719126A (en) File retrieval method and device based on service chain and electronic equipment
CN115544518A (en) Vulnerability scanning engine implementation method and device, vulnerability scanning method and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination