CN115599503B - Container safety risk detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN115599503B
Authority
CN
China
Prior art keywords
file descriptor
container
file
security risk
running
Prior art date
Legal status
Active
Application number
CN202211497691.1A
Other languages
Chinese (zh)
Other versions
CN115599503A (en)
Inventor
阿孜古丽·克热木
张迎峰
王菁
Current Assignee
China Unicom Guangdong Industrial Internet Co Ltd
Original Assignee
China Unicom Guangdong Industrial Internet Co Ltd
Priority date
Filing date
Publication date
Application filed by China Unicom Guangdong Industrial Internet Co Ltd
Priority to CN202211497691.1A
Publication of CN115599503A
Application granted
Publication of CN115599503B
Legal status: Active
Anticipated expiration

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Abstract

The invention provides a container security risk detection method and device, electronic equipment and a storage medium. The method comprises the following steps: continuously acquiring the running processes in a target container on a host machine, and the file descriptors referenced by those processes, by continuously monitoring the process management directory of the host machine; and performing security risk detection on the target container based on the reference relationship of the running processes to the file descriptors. By monitoring cross-process calls on file descriptors, the method and device monitor suspected escape behaviour of a running container in real time, and can effectively improve the detection rate of malicious behaviour deliberately hidden by an attacker and of 0day vulnerability exploitation that uses a file descriptor to read from and write to the host machine.

Description

Container safety risk detection method and device, electronic equipment and storage medium
Technical Field
The invention relates to the technical field of computers, and in particular to a container security risk detection method and device, electronic equipment and a storage medium.
Background
As more and more services are deployed in microservice form, container technology, as their hosting environment, also appears in more and more information services; if the risk of a container escape attack cannot be detected in time, the security of the infrastructure underlying the service can be seriously threatened.
At present, risk detection for container escape attacks is mainly performed by statically scanning risk items such as the start-up configuration of a container, the component versions of the container management service, or the contents of a container image file.
However, such static scan detection can only find some common vulnerability risks in configuration and components; for a deliberately hidden malicious backdoor or an unknown 0day vulnerability attack, it is completely unable to detect any trace of the behaviour in advance.
Disclosure of Invention
The invention provides a method and a device for detecting container security risks, electronic equipment and a storage medium, which are used for solving the defects that the prior art cannot detect the malicious backdoor which is intentionally hidden or the unknown 0day bug attack and the like, and achieving the aim of effectively improving the detection rate of the malicious backdoor which is intentionally hidden or the unknown 0day bug attack.
The invention provides a container safety risk detection method, which comprises the following steps:
continuously acquiring the running processes in a target container on a host machine, and the file descriptors referenced by those processes, by continuously monitoring the process management directory of the host machine;
and performing security risk detection on the target container based on the reference relationship of the running processes to the file descriptors.
The invention provides a container safety risk detection method, which further comprises the following steps:
acquiring related flag bit information of the file descriptor based on the running process and the file descriptor;
correspondingly, performing security risk detection on the target container based on the reference relationship of the running process to the file descriptor includes:
carrying out security risk detection on the target container based on the reference relationship and the related flag bit information.
According to the container security risk detection method provided by the invention, the security risk detection of the target container based on the reference relationship and the related flag bit information comprises the following steps:
based on the reference relationship, if it is determined that several different running processes reference the same file descriptor, determining that those different running processes are potential risk processes;
and judging the inheritance relationship between each potential risk process and the process that referenced the same file descriptor first, and carrying out security risk detection on the target container based on the inheritance relationship and the related flag bit information, wherein the related flag bit information comprises the inheritance control bit.
According to the method for detecting the safety risk of the container provided by the invention, the safety risk detection is carried out on the target container based on the inheritance relationship and the related flag bit information, and the method comprises the following steps:
based on the inheritance relationship and the related flag bit information, if the potential risk process is determined to be a sub-process of the process that referenced the same file descriptor first, and the inheritance control bit allows the sub-process to call it, the specific file behind the same file descriptor is addressed on the host machine;
and judging whether the specific file is a target type file with executable authority, and performing back door detection and sandbox trial operation analysis or data inspection on the specific file according to a judgment result to determine the security risk of the target container.
According to the container security risk detection method provided by the invention, continuously monitoring the process management directory of the host and continuously obtaining the running processes in the target container on the host and the file descriptors referenced by them comprises the following steps:
acquiring the process number of the target container on the host, and, based on that process number, continuously acquiring the running processes of the target container and the file descriptors they reference by continuously monitoring the newly added processes in each container in the process management directory and the file descriptors referenced by those newly added processes.
According to the container security risk detection method provided by the invention, the security risk detection of the target container is performed based on the reference relationship of the running process to the file descriptor, and the method comprises the following steps:
and determining the file descriptors pointed to by the running processes based on the reference relationship, judging whether a plurality of different running processes reference the same file descriptor by comparing the file descriptors pointed to by the running processes, and if so, determining the target container as a potential risk container.
The invention also provides a container safety risk detection device, comprising:
an acquisition module, configured to continuously acquire the running processes in a target container on a host machine and the file descriptors referenced by those processes by continuously monitoring the process management directory of the host machine;
and a detection module, configured to carry out security risk detection on the target container based on the reference relationship of the running processes to the file descriptors.
The invention also provides an electronic device, which comprises a memory, a processor and a program or an instruction which is stored on the memory and can be run on the processor, wherein when the processor executes the program or the instruction, the steps of the container safety risk detection method are realized.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a program or instructions which, when executed by a computer, implement the steps of the container security risk detection method as described in any of the above.
According to the container security risk detection method, the container security risk detection device, the electronic equipment and the storage medium, the suspected escape operation risk behavior of the container during operation is monitored in real time by monitoring the cross-process calling behavior of the file descriptor, so that the detection rate of malicious behaviors which are hidden intentionally by an attacker and 0day vulnerability exploitation behaviors which utilize the file descriptor to perform host read-write operation can be effectively improved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the following briefly introduces the drawings needed to be used in the embodiments of the present invention or the description of the prior art, and obviously, the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained according to these drawings by those skilled in the art without creative efforts.
Fig. 1 is a schematic flow chart of a method for detecting a safety risk of a container according to the present invention;
fig. 2 is a schematic flow chart illustrating detection based on inheritance relationship and related flag bit information in the container security risk detection method provided by the present invention;
FIG. 3 is a second schematic flow chart of the method for detecting a safety risk of a container according to the present invention;
FIG. 4 is a schematic structural diagram of a container safety risk detection device provided by the present invention;
fig. 5 is a schematic physical structure diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Aiming at the problems that the malicious backdoor which is hidden intentionally or the unknown 0day vulnerability attack and the like can not be detected in the prior art, the suspected escape operation risk behavior during the operation of the container is monitored in real time by monitoring the cross-process calling behavior of the file descriptor, so that the detection rate of the malicious behavior which is hidden intentionally by an attacker and the 0day vulnerability utilization behavior for performing reading and writing operations on the host by using the file descriptor can be effectively improved. The present invention will now be described and explained with reference to the drawings, in particular, by means of embodiments.
Fig. 1 is a schematic flow diagram of a method for detecting a security risk of a container according to the present invention, and as shown in fig. 1, the method includes:
S101, continuously acquiring the running processes in the target container on the host machine, and the file descriptors referenced by those processes, by continuously monitoring the process management directory of the host machine.
It can be understood that the present invention combines the isolation mechanism of a container with the principle of existing escape vulnerabilities: because the host's mnt (mount) namespace and the access-control mechanism that root applies to processes are in force, a container attempting to escape is usually constrained by the file namespace and has no permission to write certain files and programs controlled by the host; a file descriptor already opened by a running process, however, is not limited by this control, and so becomes the key point exploited by escape vulnerabilities. The target container, i.e. the container on the host machine that is to undergo security risk detection, is the object of the detection.
Optionally, when continuously monitoring the process management directory of the host and continuously acquiring the running processes in a target container on the host and the file descriptors they reference, the present invention may first acquire the process number of the target container on the host, and then, based on that process number, continuously acquire the running processes of the target container and the file descriptors they reference by continuously monitoring the new processes in each container in the process management directory and the file descriptors referenced by those new processes.
That is to say, when the present invention uses the process management directory to obtain the running processes of the target container and their file descriptors, the process number of the target container may first be obtained from the host; then, using that process number, the new processes among the target container's running processes and the file descriptors each of them references (i.e. the corresponding file descriptors) are continuously collected by addressing the process management directory of the host. The new processes are taken as the running processes of the target container, and the corresponding file descriptors as the file descriptors referenced by those running processes.
S102, based on the reference relation of the running process to the file descriptor, carrying out security risk detection on the target container.
It can be understood that, having obtained the running processes in the target container and the file descriptors they reference, the pointing relationship of each running process to its file descriptors, that is, the reference relationship of each running process to the file descriptors, can be determined with the help of the host's process management directory, and effective security risk detection can be performed on the target container by analysing the reference relationships of all running processes together.
Optionally, when security risk detection is performed on the target container based on the reference relationship between the running processes and the file descriptors, the file descriptors pointed to by each running process may be determined from the reference relationship, and whether several different running processes reference the same file descriptor is determined by comparing the file descriptors pointed to by the running processes; if so, the target container is determined to be a potential risk container.
That is to say, when security risk detection of the target container is performed based on the reference relationship, the file descriptors pointed to by each running process of the target container may be determined with the help of the host's process management directory, and by comparing the file descriptors pointed to by different running processes it is determined whether several different running processes reference the same file descriptor at the same time. If several different running processes reference the same file descriptor at the same time, a potential security risk in the running of the target container can be preliminarily judged, and the target container can be treated as a potential risk container, with the security risk reported or alarmed so as to flag its existence or to indicate that further analysis and judgment are needed.
Compared with the conventional static scanning detection mode, suspected escape behaviour of a running container can be monitored in real time, and the detection rate of malicious behaviour deliberately hidden by an attacker and of 0day vulnerability exploitation that uses a file descriptor to read from and write to the host can be effectively improved.
Further, optionally, the container security risk detection method according to the foregoing embodiments further includes: acquiring related flag bit information of the file descriptor based on the running process and the file descriptor; correspondingly, performing security risk detection on the target container based on the reference relationship of the running process to the file descriptor includes: carrying out security risk detection on the target container based on the reference relationship and the related flag bit information.
It can be understood that, having obtained the running processes of the target container and the file descriptors they reference, the present invention may further use the host's process management directory to obtain the flag bit information of each of these file descriptors, called the related flag bit information, which includes for example the inheritance control bit FD_CLOEXEC or the access mode flag bits.
Therefore, when the reference relationship of the running processes of the target container to the file descriptors is examined, the running processes with a potential security risk can be further analysed and judged by combining the related flag bit information of the file descriptors with the preliminary detection based on the reference relationship, so that the false-positive rate of the target container's security risk detection is reduced and its accuracy improved.
In this way, the cross-process file descriptor calls that have been found are further judged and confirmed as risk behaviour according to the experience logic of business calls; judging the related flag bit information of the file descriptor further reduces the false alarm rate for suspected behaviour and improves the detection accuracy for container escape or host data read-write behaviour that uses a file descriptor.
Optionally, in the container security risk detection method according to each of the foregoing embodiments, detecting the security risk of the target container based on the reference relationship and the related flag bit information includes: based on the reference relationship, if it is determined that several different running processes reference the same file descriptor, determining that those different running processes are potential risk processes; and judging the inheritance relationship between each potential risk process and the process that referenced the same file descriptor first, and carrying out security risk detection on the target container based on the inheritance relationship and the related flag bit information, wherein the related flag bit information comprises the inheritance control bit.
It can be understood that, when the present invention performs detection together with the related flag bit information of the file descriptor, it may first be determined from the reference relationship of the target container's running processes to the file descriptors whether several different running processes reference the same file descriptor at the same time; if so, a potential risk may be determined to exist, and those different running processes may be reported or alarmed as potential risk processes.
Then, according to common business-call experience, the case in which the same file descriptor is called by several processes is mainly that a sub-process was created (fork) by the earlier process and made subsequent calls. Therefore an inheritance relationship judgment is performed between the potential risk process (i.e. the process suspected of having a security risk) and the process that called the same file descriptor first, it is judged at the same time whether the inheritance control bit FD_CLOEXEC of the same file descriptor allows the sub-process to call it, and the security risk of the target container is further detected and judged according to the result.
According to the invention, by judging the inheritance flag bit of the file descriptor (or a change of its access mode flag bits), the inheritance relationship of the processes that call it repeatedly, and so on, the false alarm rate of suspected security risk behaviour can be further reduced and the detection accuracy improved.
Optionally, in the method for detecting a container security risk provided in each of the embodiments, the step of performing security risk detection on the target container based on the inheritance relationship and the related flag bit information is specifically as shown in fig. 2, and is a schematic flow diagram of detection based on the inheritance relationship and the related flag bit information in the method for detecting a container security risk provided in the present invention, and the method includes:
s201, based on the inheritance relationship and the related flag bit information, if the potential risk process is determined to be a sub-process of the process which refers to the same file descriptor at first through judgment, and the inheritance control bit allows the sub-process to be called, specific files of the same file descriptor are addressed on the host machine.
It can be understood that, when the security risk detection is performed on the inheritance relationship and the related flag bit information, the inheritance relationship between the potential risk process (i.e. the process suspected of having the security risk) and the process calling the same file descriptor at first can be judged, whether the inheritance control bit of the same file descriptor is allowed to be called by the sub-process or not can be synchronously judged, and if the judgment results are yes, that is, the determined potential risk process is the sub-process of the process calling the same file descriptor at first, and the inheritance control bit of the same file descriptor allows the sub-process to be called, the file corresponding to the same file descriptor (i.e. the file descriptor being called repeatedly) is addressed on the host to obtain the specific file.
S202, judging whether the specific file is a target type file with executable authority, and performing back door detection and sandbox trial operation analysis or data inspection on the specific file according to a judgment result to determine the safety risk of the target container.
It can be understood that, after a specific file corresponding to the same file descriptor is addressed, whether the specific file is an object type file with executable authority, such as a binary program or a script file, is determined by observing the file form of the specific file.
If the judgment result is yes, extracting a file sample in the specific file, and carrying out malicious code detection such as backdoor detection, sandbox test run analysis and the like on the file sample so as to further study, judge and confirm. If the judgment result is negative, namely the specific file is a common data file, data auditing is carried out, and whether dirty data pollute business logic or not is checked.
According to the method and the device, inheritable authority of the file descriptor and the file type are further judged for the monitored abnormal condition, so that the risk behavior of the abnormal access file descriptor is accurately found, the behavior detection capability of malicious writing of the host file during the operation of the container can be improved, and the accuracy is improved.
To further illustrate the technical solution of the present invention, the following is described in more detail with reference to fig. 3, but not to limit the scope of the claimed invention.
As shown in fig. 3, a second schematic flow chart of the method for detecting a safety risk of a container according to the present invention includes the following steps:
S301, on the host machine, detect the process number pid of the running container; then run a container process information collection program on the host against the host's process management directory /proc/[pid], and collect the running process pids of the target container and the file descriptors fd they call;
S302, from the running process pids of the target container and the file descriptors fd they call, collect the related flag bit information of each file descriptor on the host, including the inheritance control bit FD_CLOEXEC or the access mode flag bits, and optionally form a relation table of process, file descriptor and flag bit information;
S303, monitor changes in the running processes and file descriptors by continuously monitoring the newly added processes and the file descriptors they reference in each container under the host process management directory /proc/[pid]; when several abnormal process pids point to the same file descriptor fd, judge that there is a potential risk of cross-process leakage of the file descriptor and go to S304, otherwise end the detection process;
S304, perform an inheritance relationship judgment between the process pid with the potential risk and the process pid that called the same file descriptor first, and at the same time judge whether the inheritance control bit FD_CLOEXEC of the file descriptor allows the sub-process to call it; if so, go to step S305, otherwise end the detection process, so that the attack behaviour in which an attacker creates (forks) a sub-process to call the file descriptor is not overlooked;
s305, addressing the repeatedly called file descriptor (namely the same file descriptor) to a specific file on a host, and observing whether the form of the specific file is a binary program or a script file with executable authority, if so, turning to step S306, otherwise, turning to step S307;
s306, extracting a file sample of the specific file, and performing malicious code detection such as backdoor detection, sandbox test operation analysis and the like to further study and judge and confirm;
s307, data auditing is carried out on the specific files, and whether dirty data pollute business logic or not is checked.
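The flow of S301 to S307 above (and the simpler S101/S102 check that only looks for several processes pointing at the same file), as an added example that is not part of the patent or of any product by the assignee. It models each process by its pid, ppid, start time and the targets of its /proc/[pid]/fd links together with the text of /proc/[pid]/fdinfo/N; the snapshot, the file modes and the paths are constructed here and are assumptions, as are the verdict labels and the choice of the earliest-started process as the "first caller". The O_CLOEXEC value and the octal fdinfo `flags` format are those of the Linux kernel.

```python
import os
import stat
from collections import defaultdict

O_CLOEXEC = 0o2000000  # Linux x86/arm64 value; /proc fdinfo prints 'flags' in octal

def parse_fdinfo(text):
    """Parse the 'key:\\tvalue' lines of /proc/[pid]/fdinfo/N; 'flags' becomes an int."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            key, value = key.strip(), value.strip()
            info[key] = int(value, 8) if key == "flags" else value
    return info

def is_cloexec(fdinfo_text):
    """True when the descriptor's close-on-exec bit (FD_CLOEXEC) is set."""
    return bool(parse_fdinfo(fdinfo_text).get("flags", 0) & O_CLOEXEC)

def is_descendant(procs, pid, ancestor):
    """Walk the ppid chain from pid; True if ancestor is reached (the S304 check)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid == ancestor:
            return True
    return False

def shared_fd_findings(procs, modes):
    """S303-S307 over one snapshot.
    procs: {pid: {"ppid": int, "start": int, "fds": {n: (target, fdinfo_text)}}}
    modes: {target: st_mode}, standing in for os.stat() on the host.
    Returns one finding per file that two or more processes reference."""
    refs = defaultdict(list)                       # target -> [(start, pid, fdinfo)]
    for pid, proc in procs.items():
        for target, fdinfo in proc["fds"].values():
            refs[target].append((proc["start"], pid, fdinfo))
    findings = []
    for target in sorted(refs):
        pids = sorted({pid for _, pid, _ in refs[target]})
        if len(pids) < 2:
            continue                               # single referencer: not cross-process
        _, first_pid, first_info = min(refs[target])   # earliest start = first caller
        others = [p for p in pids if p != first_pid]
        inherited = all(is_descendant(procs, p, first_pid) for p in others)
        inheritable = not is_cloexec(first_info)   # descriptor survives execve() in a child
        if not (inherited and inheritable):
            verdict = "ended"                      # S304: flow stops here
        else:
            mode = modes.get(target, 0)            # S305: look at the addressed file
            executable = stat.S_ISREG(mode) and bool(mode & 0o111)
            verdict = "executable_sample" if executable else "data_audit"  # S306 / S307
        findings.append({"target": target, "pids": pids, "first_pid": first_pid,
                         "inherited": inherited, "inheritable": inheritable,
                         "verdict": verdict})
    return findings

def snapshot_from_proc(container_pids, proc_root="/proc"):
    """Build the same snapshot shape from a live /proc for the given pids (S301/S302).
    Reader's helper: needs root on the host; not exercised by the offline sample."""
    procs, modes = {}, {}
    for pid in container_pids:
        base = f"{proc_root}/{pid}"
        try:
            with open(f"{base}/stat") as f:
                fields = f.read().rsplit(")", 1)[1].split()   # ppid is field 1, starttime 19
            fds = {}
            for name in os.listdir(f"{base}/fd"):
                target = os.readlink(f"{base}/fd/{name}")
                with open(f"{base}/fdinfo/{name}") as f:
                    fds[int(name)] = (target, f.read())
                modes.setdefault(target, os.stat(f"{base}/fd/{name}").st_mode)
            procs[int(pid)] = {"ppid": int(fields[1]), "start": int(fields[19]), "fds": fds}
        except OSError:
            continue                               # process exited while being read
    return procs, modes

# Constructed sample snapshot (not real host data): 1000 is the container's main
# process, 1005/1006/1007 are its descendants, 1900 is an unrelated host process.
SAMPLE_MODES = {
    "/var/lib/app/hook.sh": stat.S_IFREG | 0o755,
    "/var/lib/app/records.csv": stat.S_IFREG | 0o644,
    "/var/lib/app/state.db": stat.S_IFREG | 0o644,
    "/var/log/app.log": stat.S_IFREG | 0o644,
}
RW_INFO = "pos:\t0\nflags:\t02\nmnt_id:\t30\n"                  # O_RDWR, inheritable
RW_CLOEXEC_INFO = "pos:\t0\nflags:\t02000002\nmnt_id:\t30\n"    # O_RDWR | O_CLOEXEC
SAMPLE_PROCS = {
    1900: {"ppid": 1, "start": 90, "fds": {3: ("/var/log/app.log", RW_INFO)}},
    1000: {"ppid": 1, "start": 100, "fds": {
        3: ("/var/lib/app/hook.sh", RW_INFO), 4: ("/var/lib/app/records.csv", RW_INFO),
        5: ("/var/lib/app/state.db", RW_CLOEXEC_INFO), 6: ("/var/log/app.log", RW_INFO)}},
    1005: {"ppid": 1000, "start": 140, "fds": {3: ("/var/lib/app/hook.sh", RW_INFO)}},
    1006: {"ppid": 1005, "start": 150, "fds": {4: ("/var/lib/app/records.csv", RW_INFO)}},
    1007: {"ppid": 1000, "start": 160, "fds": {5: ("/var/lib/app/state.db", RW_CLOEXEC_INFO)}},
}
```

On the sample, hook.sh (executable, inherited by a child, FD_CLOEXEC clear) is routed to S306, records.csv to S307, and the two remaining shared files end at S304, one because the first caller opened it with FD_CLOEXEC and one because the sharing process is not a descendant of the first caller.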
According to the method and the device, the processes, the file descriptors used correspondingly and the state flag information of the file descriptors are collected on the running container on the host machine, the condition that multiple processes access the same file descriptor is monitored, the condition that the file descriptors can inherit the authority or change of the access mode and the like is further judged on the monitored abnormal condition, the risk behavior of accurately finding the abnormal cross-process access file descriptor is realized, the behavior detection capability of maliciously writing in the file of the host machine when the container runs is improved, and the accuracy is higher.
Based on the same inventive concept, the present invention further provides a container safety risk detection device according to the above embodiments, which is used for realizing safety risk detection of the container in the above embodiments. Therefore, the description and definition in the container security risk detection method in each embodiment described above may be used for understanding each execution module in the present invention, and specific reference may be made to the method embodiment described above, which is not described herein again.
According to an embodiment of the present invention, a structure of a container security risk detection apparatus is shown in fig. 4, which is a schematic structural diagram of the container security risk detection apparatus provided in the present invention, and the apparatus may be used to implement container security risk detection in the above-mentioned method embodiments, and the apparatus includes: an acquisition module 401 and a detection module 402. Wherein:
the obtaining module 401 is configured to continuously obtain the running processes in a target container on the host and the file descriptors referenced by those processes by continuously monitoring the process management directory of the host; the detection module 402 is configured to perform security risk detection on the target container based on the reference relationship of the running processes to the file descriptors.
Compared with the conventional static scanning detection mode, the container safety risk detection device provided by the invention can effectively improve the detection rate of malicious behaviors which are intentionally hidden by an attacker and 0day vulnerability exploitation behaviors which utilize the file descriptor to perform read-write operation on a host.
Optionally, the obtaining module is further configured to:
acquiring relevant flag bit information of the file descriptor based on the running process and the file descriptor;
correspondingly, when the detection module is used for performing security risk detection on the target container based on the reference relationship of the running process to the file descriptor, the detection module is used for:
performing security risk detection on the target container based on the reference relationship and the relevant flag bit information.
Optionally, when the detection module is configured to perform security risk detection on the target container based on the reference relationship and the relevant flag bit information, the detection module is configured to:
based on the reference relation, if the situation that a plurality of different running processes reference the same file descriptor is determined to exist through judgment, determining that the different running processes are potential risk processes;
judging the inheritance relationship between the potential risk process and the process which first referenced the same file descriptor, and performing security risk detection on the target container based on the inheritance relationship and the relevant flag bit information, wherein the relevant flag bit information comprises an inheritance control bit.
Optionally, when the detection module is configured to perform security risk detection on the target container based on the inheritance relationship and the relevant flag bit information, the detection module is configured to:
based on the inheritance relationship and the relevant flag bit information, if it is determined by judgment that the potential risk process is a sub-process of the process which first referenced the same file descriptor, and the inheritance control bit allows the sub-process to call the descriptor, addressing the specific file of the same file descriptor on the host machine;
judging whether the specific file is a target type file with executable permission, and performing backdoor detection and sandbox trial-run analysis, or data inspection, on the specific file according to the judgment result to determine the security risk of the target container.
Optionally, the obtaining module, when configured to continuously obtain the running process and the file descriptor referenced by the running process in the target container in the host by continuously monitoring the process management directory of the host, is configured to:
and acquiring the process number of the target container in the host, and continuously acquiring the running process and the file descriptor referenced by the running process in the target container by continuously monitoring the newly added process in each container in the process management directory and the corresponding file descriptor referenced by the newly added process based on the process number.
Optionally, when the detection module is configured to perform security risk detection on the target container based on the reference relationship of the running process to the file descriptor, the detection module is configured to:
and determining the file descriptors pointed to by the running processes based on the reference relationship, judging whether a plurality of different running processes reference the same file descriptor by comparing the file descriptors pointed to by the running processes, and if so, determining the target container as a potential risk container.
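The following Python script is an added worked example of the collection and detection logic described in steps S301 to S307 above and in the acquisition and detection modules just described; it is illustrative code written for this page, not the patent's own implementation. It reads each container process's descriptors from the host's /proc, groups processes by the file their descriptors resolve to, keeps only parent/descendant pairs whose descriptor is inheritable (O_CLOEXEC clear), and routes the file to the sample-analysis (S306) or data-audit (S307) branch. It assumes Linux /proc semantics (the `fd` symlinks, the `flags` line of `fdinfo`, and `PPid:` in `status`), approximates "the process that first referenced the descriptor" by the order in which the monitor first observed each pid, and runs offline on a constructed snapshot: the names `ProcInfo`, `collect_from_proc`, `shared_files`, `is_descendant`, `analyse` and `sample_snapshot` are this example's own, and the pids, paths and flag values in `sample_snapshot()` are made up for the illustration.

```python
"""Descriptor-sharing check modelled on steps S301 to S307 above. Added example,
not the patent's own code. Assumes Linux /proc: /proc/<pid>/fd/<n> links to the
open file, /proc/<pid>/status carries PPid:, and /proc/<pid>/fdinfo/<n> lists the
octal open flags, where close-on-exec (FD_CLOEXEC) shows up as the O_CLOEXEC bit."""
import os
import stat
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

O_CLOEXEC = getattr(os, "O_CLOEXEC", 0o2000000)  # 02000000 on x86-64 Linux

@dataclass
class ProcInfo:
    pid: int
    ppid: int
    first_seen: int  # scan order in which the monitor first observed this pid
    fds: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # fd -> (target, flags)

def _proc_field(path: str, key: str, base: int) -> int:
    # Return the integer that follows `key` in a /proc text file (PPid: or flags:).
    with open(path) as f:
        for line in f:
            if line.startswith(key):
                return int(line.split()[1], base)
    return 0

def collect_from_proc(pids: List[int]) -> Dict[int, ProcInfo]:
    """Live collector for the container's host-namespace pids (needs root to read
    other users' fd directories). Position in `pids` stands in for first_seen."""
    snapshot: Dict[int, ProcInfo] = {}
    for order, pid in enumerate(pids):
        try:
            info = ProcInfo(pid, _proc_field(f"/proc/{pid}/status", "PPid:", 10), order)
            names = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue  # process exited or is not readable in this scan
        for name in names:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{name}")
                flags = _proc_field(f"/proc/{pid}/fdinfo/{name}", "flags:", 8)
                info.fds[int(name)] = (target, flags)
            except OSError:
                pass  # descriptor closed between listing and reading
        snapshot[pid] = info
    return snapshot

def shared_files(snapshot: Dict[int, ProcInfo]) -> Dict[str, Set[int]]:
    """Files that descriptors of more than one process resolve to; sockets, pipes
    and anon inodes (non-path targets) are ignored."""
    by_target: Dict[str, Set[int]] = {}
    for pid, info in snapshot.items():
        for target, _flags in info.fds.values():
            if target.startswith("/"):
                by_target.setdefault(target, set()).add(pid)
    return {t: p for t, p in by_target.items() if len(p) > 1}

def is_descendant(snapshot: Dict[int, ProcInfo], pid: int, ancestor: int) -> bool:
    # Follow PPid links within the snapshot; stops at pids outside it.
    seen: Set[int] = set()
    while pid in snapshot and pid not in seen:
        seen.add(pid)
        pid = snapshot[pid].ppid
        if pid == ancestor:
            return True
    return False

def host_is_executable(path: str) -> bool:
    """Regular file with any execute bit set: a binary or an executable script."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def analyse(snapshot: Dict[int, ProcInfo],
            is_executable: Callable[[str], bool] = host_is_executable) -> List[Tuple[str, int, int, str]]:
    """Shared file -> parent/child check -> inheritance bit -> executable check. Returns
    (file, first holder, descendant holder, branch); the bit is read on the first holder's fd."""
    findings = []
    for target, pids in shared_files(snapshot).items():
        first = min(pids, key=lambda p: snapshot[p].first_seen)
        if all(f & O_CLOEXEC for t, f in snapshot[first].fds.values() if t == target):
            continue  # close-on-exec: a child that execs cannot keep this descriptor
        for risk_pid in sorted(pids - {first}):
            if not is_descendant(snapshot, risk_pid, first):
                continue  # unrelated processes sharing a file is not the fork pattern
            branch = "S306 malicious code analysis" if is_executable(target) else "S307 data audit"
            findings.append((target, first, risk_pid, branch))
    return findings

def sample_snapshot() -> Dict[int, ProcInfo]:
    # Constructed data, not a real /proc capture: 100 is the container's main process,
    # 101 and 104 are its children, 103 is a grandchild, 102 is unrelated.
    return {
        100: ProcInfo(100, 1, 0, {0: ("/dev/null", 0o100002), 3: ("/host/tmp/run.sh", 0o100000),
                                  4: ("/host/etc/app.conf", 0o100000), 5: ("/host/var/data.db", 0o2100002)}),
        101: ProcInfo(101, 100, 1, {3: ("/host/tmp/run.sh", 0o100000)}),
        102: ProcInfo(102, 1, 2, {0: ("/dev/null", 0o100002), 4: ("/host/etc/app.conf", 0o100000)}),
        103: ProcInfo(103, 101, 3, {7: ("/host/etc/app.conf", 0o100000)}),
        104: ProcInfo(104, 100, 4, {5: ("/host/var/data.db", 0o2100002)}),
    }
```

On the constructed snapshot, `analyse(sample_snapshot(), is_executable=lambda p: p.endswith(".sh"))` reports `/host/tmp/run.sh` (held by pid 100 and its child 101, inheritable, executable) for the S306 branch and `/host/etc/app.conf` (held by pid 100 and grandchild 103) for the S307 branch, while `/dev/null` shared with the unrelated pid 102 and the close-on-exec `data.db` descriptor produce nothing. On a live host, run the script as root on the host, pass the container's host-namespace pids (as obtained in S301) to `collect_from_proc()`, and hand the result to `analyse()` with the default `host_is_executable`.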
It is understood that, in the present invention, the relevant program modules in the apparatuses of the foregoing embodiments may be implemented by a hardware processor (hardware processor). Moreover, the container security risk detection apparatus of the present invention can implement the container security risk detection process of each method embodiment by using each program module, and when the apparatus is used to implement the container security risk detection of each method embodiment, the beneficial effects produced by the apparatus of the present invention are the same as those of each corresponding method embodiment, and reference may be made to each method embodiment, which is not described herein again.
As a further aspect of the present invention, the present invention further provides an electronic device according to the above embodiments, where the electronic device includes a memory, a processor, and a program or an instruction stored in the memory and executable on the processor, and when the processor executes the program or the instruction, the steps of the container security risk detection method according to the above embodiments are implemented.
Further, the electronic device of the present invention may further include a communication interface and a bus. Referring to fig. 5, a schematic structural diagram of an electronic device provided in the present invention includes: at least one memory 501, at least one processor 502, a communication interface 503, and a bus 504.
The memory 501, the processor 502 and the communication interface 503 complete mutual communication through the bus 504, and the communication interface 503 is used for information transmission between the electronic device and a host; the memory 501 stores a program or instructions that can be executed on the processor 502, and when the processor 502 executes the program or instructions, the steps of the container security risk detection method according to the above embodiments are implemented.
It is understood that the electronic device at least includes a memory 501, a processor 502, a communication interface 503 and a bus 504, and the memory 501, the processor 502 and the communication interface 503 form a communication connection with each other through the bus 504, and can complete communication with each other, for example, the processor 502 reads program instructions of the container security risk detection method from the memory 501. In addition, the communication interface 503 can also implement communication connection between the electronic device and the host, and can complete mutual information transmission, for example, the process number in the target container and the reading of the host process management directory are implemented through the communication interface 503.
When the electronic device is running, the processor 502 calls the program instructions in the memory 501 to perform the methods provided by the above-described method embodiments, including for example: continuously acquiring an operating process and a file descriptor quoted by the operating process in a target container in a host machine by continuously monitoring a process management directory of the host machine; and performing security risk detection and the like on the target container based on the reference relation of the running process to the file descriptor.
The program instructions in the memory 501 may be implemented in the form of software functional units and may be stored in a computer readable storage medium when sold or used as a stand-alone product. Alternatively, all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, where the program may be stored in a computer-readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The present invention also provides a non-transitory computer readable storage medium according to the above embodiments, on which a program or instructions are stored, and when the program or instructions are executed by a computer, the program or instructions implement the steps of the container security risk detection method according to the above embodiments, for example, the method includes: continuously acquiring an operating process and a file descriptor quoted by the operating process in a target container in a host machine by continuously monitoring a process management directory of the host machine; and performing security risk detection and the like on the target container based on the reference relation of the running process to the file descriptor.
As a further aspect of the present invention, the present embodiment further provides a computer program product according to the above embodiments, the computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions, when the program instructions are executed by a computer, the computer being capable of executing the container security risk detection method provided by the above method embodiments, the method for example comprising: continuously acquiring an in-operation process in a target container in a host machine and a file descriptor quoted by the in-operation process by continuously monitoring a process management directory of the host machine; and performing security risk detection and the like on the target container based on the reference relation of the running process to the file descriptor.
According to the electronic device, the non-transitory computer readable storage medium and the computer program product provided by the invention, by executing the steps of the container security risk detection method described in each embodiment, the cross-process calling behavior of the file descriptor is monitored, and then the suspected escape operation risk behavior during the operation of the container is monitored in real time.
It is to be understood that the above-described embodiments of the apparatus, the electronic device and the storage medium are merely illustrative, and that elements described as separate components may or may not be physically separate, may be located in one place, or may be distributed on different network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. Based on the understanding, the above technical solutions or portions contributing to the prior art may be embodied in the form of software products, which may be stored in a computer readable storage medium, such as a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk, etc., and include several instructions for causing a computer device (such as a personal computer, a server, or a network device, etc.) to execute the methods described in the method embodiments or some parts of the method embodiments.
In addition, it should be understood by those skilled in the art that the terms "comprises," "comprising," or any other variation thereof, in the specification of the present invention, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
In the description of the present invention, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description. Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (6)

1. A method of detecting a security risk of a container, comprising:
continuously acquiring an operating process and a file descriptor quoted by the operating process in a target container in a host machine by continuously monitoring a process management directory of the host machine;
acquiring relevant flag bit information of the file descriptor based on the running process and the file descriptor;
based on the reference relationship, if the situation that a plurality of different running processes reference the same file descriptor is determined to exist through judgment, determining that the different running processes are potential risk processes;
judging the inheritance relationship between the potential risk process and the process which first referenced the same file descriptor, and, if it is determined by judgment based on the inheritance relationship and the relevant flag bit information that the potential risk process is a sub-process of the process which first referenced the same file descriptor and that the inheritance control bit allows the sub-process to call the descriptor, addressing the specific file of the same file descriptor on the host machine;
judging whether the specific file is a target type file with executable permission, and performing backdoor detection and sandbox trial-run analysis, or data inspection, on the specific file according to the judgment result to determine the security risk of the target container;
wherein the relevant flag bit information comprises an inheritance control bit.
2. The method for detecting container security risk according to claim 1, wherein the continuously acquiring the running process and the file descriptor referenced by the running process in the target container in the host by continuously monitoring the process management directory of the host comprises:
and acquiring the process number of the target container in the host, and continuously acquiring the running process and the file descriptor referenced by the running process in the target container by continuously monitoring the newly added process in each container in the process management directory and the corresponding file descriptor referenced by the newly added process based on the process number.
3. The method for detecting the security risk of the container according to claim 1, wherein performing the security risk detection on the target container based on the reference relationship of the running process to the file descriptor includes:
and determining the file descriptors pointed by the running processes based on the reference relationship, judging whether a plurality of different running processes refer to the same file descriptor or not by comparing the file descriptors pointed by the running processes, and if so, determining that the target container is a potential risk container.
4. A container security risk detection device, comprising:
an acquisition module, configured to continuously acquire the running processes in a target container on a host machine and the file descriptors referenced by those processes by continuously monitoring the process management directory of the host machine, and to acquire relevant flag bit information of the file descriptors based on the running processes and the file descriptors; and
a detection module, configured to: determine, based on the reference relationship, that a plurality of different running processes are potential risk processes if it is determined by judgment that the different running processes reference the same file descriptor;
judge the inheritance relationship between the potential risk process and the process which first referenced the same file descriptor;
based on the inheritance relationship and the relevant flag bit information, if it is determined by judgment that the potential risk process is a sub-process of the process which first referenced the same file descriptor and the inheritance control bit allows the sub-process to call the descriptor, address the specific file of the same file descriptor on the host machine; and
judge whether the specific file is a target type file with executable permission, and perform backdoor detection and sandbox trial-run analysis, or data inspection, on the specific file according to the judgment result to determine the security risk of the target container;
wherein the relevant flag bit information comprises an inheritance control bit.
5. An electronic device comprising a memory, a processor and a program or instructions stored on the memory and executable on the processor, wherein the processor implements the steps of the container security risk detection method according to any one of claims 1 to 3 when executing the program or instructions.
6. A non-transitory computer readable storage medium, on which a program or instructions are stored, wherein the program or instructions, when executed by a computer, implement the steps of the container security risk detection method according to any one of claims 1 to 3.
Application CN202211497691.1A, priority date 2022-11-28, filing date 2022-11-28: Container safety risk detection method and device, electronic equipment and storage medium. Status: Active. Granted publication: CN115599503B (en).

Publications (2)

Publication Number Publication Date
CN115599503A CN115599503A (en) 2023-01-13
CN115599503B true CN115599503B (en) 2023-03-21

Family

ID=84853712

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant