CN117608765B - Security hardening method, device and medium for a Docker container - Google Patents

Security hardening method, device and medium for a Docker container

Info

Publication number
CN117608765B
Authority
CN
China
Prior art keywords
image
detected
system call
docker container
whitelist
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410095044.0A
Other languages
Chinese (zh)
Other versions
CN117608765A (en)
Inventor
佟鑫
刘志远
陈丹伟
罗圣美
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Zhongfu Information Technology Co Ltd
Original Assignee
Nanjing Zhongfu Information Technology Co Ltd
Application filed by Nanjing Zhongfu Information Technology Co Ltd
Priority to CN202410095044.0A
Publication of CN117608765A
Application granted
Publication of CN117608765B
Legal status: Active

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms)
    • G06F2009/45587 Isolation or security of virtual machine instances
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiments of this application provide a security hardening method, device and medium for a Docker container. The security hardening method for the Docker container comprises the following steps: performing static analysis on the image under test and obtaining the vulnerability features present in the image layers; storing the vulnerability features in a self-built knowledge base; using the vulnerability features of the self-built knowledge base to assist the static scan of the image under test, so as to determine the security vulnerabilities of the image under test; performing dynamic analysis on the image under test and obtaining the whitelist corresponding to the dynamic analysis tool; and monitoring the operation of the Docker container and, when a system call outside the whitelist is found, determining that the system call is an abnormal call and blocking it. The security vulnerabilities of the image under test are thus determined by static analysis and abnormal system calls are determined by dynamic analysis, so that the Docker container is hardened comprehensively, the hardening strength of the Docker container is improved, and the normal operation of the Docker container is ensured.

Description

Security hardening method, device and medium for a Docker container
Technical Field
This application relates to the technical field of Docker containers, and in particular to a security hardening method, device and medium for a Docker container.
Background
In recent years Docker container technology has rapidly gained popularity in the developer community: Docker containers are highly portable and scalable, and they guarantee a consistent runtime environment in a simple way. Virtualisation technology is developing and being adopted explosively, and the number of images in the Docker Hub image repository exceeds 8 million and is growing rapidly. In the prior art, security hardening of a Docker container mainly screens out the corresponding vulnerability features by static scanning and checks those features one by one to harden the image under test. However, abnormal system calls inside the Docker container are not found by static scanning, so the hardening strength of the Docker container remains insufficient.
Disclosure of Invention
The embodiments of this application provide a security hardening method, device and medium for a Docker container, which perform, at least to a certain extent, static analysis and dynamic analysis of the image under test, determine the security vulnerabilities of the image under test based on the static analysis, and determine abnormal system calls based on the dynamic analysis, so that the Docker container is hardened comprehensively, the hardening strength of the Docker container is improved, and the normal operation of the Docker container is ensured.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned in part by the practice of the application.
According to one aspect of the embodiments of this application, a security hardening method for a Docker container is provided, and the method is applied to the Docker container;
the security hardening method for the Docker container comprises the following steps:
performing static analysis on the image under test and obtaining the vulnerability features present in the image layers;
storing the vulnerability features in a self-built knowledge base;
using the vulnerability features of the self-built knowledge base to assist the static scan of the image under test, so as to determine the security vulnerabilities of the image under test;
performing dynamic analysis on the image under test and obtaining the whitelist corresponding to the dynamic analysis tool;
monitoring the operation of the Docker container and, when a system call outside the whitelist is found, determining that the system call is an abnormal call and blocking it.
Optionally, performing static analysis on the image under test and obtaining the vulnerability features present in the image layers includes:
when static analysis is performed on the image under test, parsing the image under test;
scanning the binary files in the image under test to obtain the name and version number of each software package;
comparing the package names and version numbers with a known vulnerability database to determine the vulnerability features present in the image layers.
Optionally, performing static analysis on the image under test and obtaining the vulnerability features present in the image layers further includes:
obtaining the layer structure information of the image from the image binary file;
determining the image layer files according to the image layer structure information;
determining the vulnerability features present in the corresponding image layer based on the image layer files and the static analysis tool.
Optionally, storing the vulnerability features in the self-built knowledge base includes:
obtaining the self-built knowledge base;
and storing the vulnerability features in the self-built knowledge base so as to enrich it.
Optionally, using the vulnerability features of the self-built knowledge base to assist the static scan of the image under test so as to determine its security vulnerabilities includes:
recording the vulnerability features of a public parent image and tracking the vulnerability features of the child images built from that public parent image;
obtaining the vulnerability features of the self-built knowledge base;
taking the vulnerability features of the self-built knowledge base as a reference to assist the static scan of the image under test;
and, under the static scan of the image under test, determining the security vulnerabilities of the image under test.
Optionally, performing dynamic analysis on the image under test and obtaining the whitelist corresponding to the dynamic analysis tool includes:
when static analysis is performed on the image under test, obtaining a dynamic analysis tool;
and determining the corresponding whitelist based on the dynamic analysis tool, where the whitelist is the set of safe system calls.
Optionally, monitoring the operation of the Docker container and, when a system call outside the whitelist is found, determining that the system call is an abnormal call and blocking it includes:
monitoring the operation of the Docker container and comparing the current system call with the whitelist;
determining the system calls outside the whitelist based on that comparison;
and, when a system call outside the whitelist is found, determining that the system call is an abnormal call.
Optionally, monitoring the operation of the Docker container and, when a system call outside the whitelist is found, determining that the system call is an abnormal call and blocking it further includes:
when the system call is an abnormal call, triggering control of the abnormal call and blocking the system call.
According to an aspect of the embodiments of this application, a security hardening device for a Docker container is provided, including:
an acquisition module for performing static analysis on the image under test and obtaining the vulnerability features present in the image layers;
a storage module for storing the vulnerability features in a self-built knowledge base;
a security vulnerability module for using the vulnerability features of the self-built knowledge base to assist the static scan of the image under test, so as to determine the security vulnerabilities of the image under test;
a whitelist module for performing dynamic analysis on the image under test and obtaining the whitelist corresponding to the dynamic analysis tool;
and a blocking module for monitoring the operation of the Docker container, determining that a system call is an abnormal call when a system call outside the whitelist is found, and blocking the system call.
According to an aspect of the embodiments of this application, a computer-readable medium is provided on which a computer program is stored which, when executed by a processor, implements the security hardening method for a Docker container described in the above embodiments.
According to an aspect of the embodiments of this application, an electronic device is provided, including: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the security hardening method for a Docker container described in the above embodiments.
According to an aspect of the embodiments of this application, a computer program product or computer program is provided which comprises computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the security hardening method for a Docker container provided in the above embodiments.
In the technical solutions provided by some embodiments of this application, static analysis is performed on the image under test and the vulnerability features present in the image layers are obtained; the vulnerability features are stored in a self-built knowledge base; the vulnerability features of the self-built knowledge base are used to assist the static scan of the image under test, so as to determine the security vulnerabilities of the image under test; dynamic analysis is performed on the image under test and the whitelist corresponding to the dynamic analysis tool is obtained; and the operation of the Docker container is monitored and, when a system call outside the whitelist is found, the system call is determined to be an abnormal call and is blocked. The security vulnerabilities of the image under test are thus determined by static analysis and abnormal system calls are determined by dynamic analysis, so that the Docker container is hardened comprehensively, the hardening strength of the Docker container is improved, and the normal operation of the Docker container is ensured.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. It is apparent that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art. In the drawings:
FIG. 1 shows a flow diagram of a security hardening method for a Docker container according to one embodiment of this application;
FIG. 2 shows a schematic flow chart of S120 in FIG. 1;
FIG. 3 shows a schematic flow chart of S130 in FIG. 1;
FIG. 4 shows a schematic flow chart of S140 in FIG. 1;
FIG. 5 shows a schematic flow chart of S150 in FIG. 1;
FIG. 6 shows a practical schematic of a security hardening method for a Docker container according to one embodiment of this application;
FIG. 7 shows a block diagram of a security hardening device for a Docker container according to one embodiment of this application;
FIG. 8 shows a schematic diagram of a computer system suitable for implementing the electronic device of the embodiments of this application.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the present application. One skilled in the relevant art will recognize, however, that the aspects of the application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the application.
The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow diagrams depicted in the figures are exemplary only; they do not necessarily include all of the elements and operations/steps, nor must the steps be performed in the order described. For example, some operations/steps may be split up and others may be combined or partially combined, so that the actual order of execution may change according to the situation.
FIG. 1 shows a flow diagram of a security hardening method for a Docker container according to one embodiment of this application. The method can be applied to a Docker container.
Referring to FIG. 1 to FIG. 8, the security hardening method for the Docker container includes at least steps S110 to S150, which are described in detail below (the following description takes the method applied to a Docker container as an example):
step S110, performing static analysis on the image under test and obtaining the vulnerability features present in the image layers;
step S120, storing the vulnerability features in a self-built knowledge base;
step S130, using the vulnerability features of the self-built knowledge base to assist the static scan of the image under test, so as to determine the security vulnerabilities of the image under test;
step S140, performing dynamic analysis on the image under test and obtaining the whitelist corresponding to the dynamic analysis tool;
and step S150, monitoring the operation of the Docker container and, when a system call outside the whitelist is found, determining that the system call is an abnormal call and blocking it.
In the embodiment of this application, in step S110, static analysis is performed on the image under test and the vulnerability features present in the image layers are obtained.
In the embodiment of this application, when static analysis is performed on the image under test, the image under test is parsed; the binary files in the image under test are scanned to obtain the name and version number of each software package; and the package names and version numbers are compared with a known vulnerability database to determine the vulnerability features present in the image layers.
The method performs a first-layer analysis of the image under test using static analysis, so that the vulnerability features of the image under test are exposed by the static analysis. At this point the executable files, system environment, configuration and so on in the image layers are scanned with the static analysis method, and the binary files in the image under test are scanned to obtain the name and version number of each software package; the package names and version numbers are compared with a known vulnerability database to determine the vulnerability features present in the image layers. Optionally, the layer structure information of the image is obtained from the image binary file; the image layer files are determined according to the image layer structure information; and the vulnerability features present in the corresponding image layer are determined based on the image layer files and the static analysis tool.
In the embodiment of this application, in step S120, the vulnerability features are stored in a self-built knowledge base.
Step S121, obtaining the self-built knowledge base;
step S122, storing the vulnerability features in the self-built knowledge base so as to enrich it.
In the embodiment of this application, the self-built knowledge base is obtained and the known vulnerability features are stored in it as a vulnerability feature base. The self-built knowledge base is conveniently enriched by supplementing vulnerability features, so that it can be expanded, and at the same time subsequent comparison against the known vulnerability features in the self-built knowledge base is ensured.
Referring to FIG. 3, in step S130, the vulnerability features of the self-built knowledge base are used to assist the static scan of the image under test, so as to determine the security vulnerabilities of the image under test.
In the embodiment of this application, the self-built knowledge base is traversed and an auxiliary scan is performed against its vulnerability features; the static scan of the image under test is thus assisted by the vulnerability features of the self-built knowledge base so as to determine the security vulnerabilities of the image under test, and the security vulnerabilities of the image under test are compared with the vulnerability features of the self-built knowledge base so that they can be identified quickly.
Optionally, the vulnerability features of the corresponding layer are compared with the CVE vulnerability database to obtain the vulnerability features of that layer; the ID of the image layer and the vulnerability list of the image layer are extracted as the vulnerability features of the image layer, and the vulnerability features of the image layer together with the ID and vulnerability list of the image layer are stored in the self-built knowledge base, thereby enriching the self-built knowledge base of image layer vulnerabilities. By exploiting the reuse of public layers shared between related images, the vulnerability features recorded in the self-built knowledge base accelerate the static scanning of the image under test.
Step S131, recording the vulnerability features of the public parent image and tracking the vulnerability features of the child images built from the public parent image.
Step S132, obtaining the vulnerability features of the self-built knowledge base.
Step S133, taking the vulnerability features of the self-built knowledge base as a reference to assist the static scan of the image under test;
step S134, under the static scan of the image under test, determining the security vulnerabilities of the image under test.
In an embodiment of this application, the vulnerability features of the public parent image are recorded and traced to the vulnerability features of the child images built from it. The self-built knowledge base exploits the reuse of public layers shared between related images: the vulnerability features of a public parent image are recorded and traced to the vulnerability features of the child images built from it, which avoids rescanning the image layers shared between different images and accelerates the static analysis process. Optionally, the information of a vulnerability feature consists of two parts: the first part is the ID of the image layer; the second part is the vulnerability list of that image layer.
Secondly, the vulnerability features of the self-built knowledge base are obtained. Taking these vulnerability features as a reference, the static scan of the image under test is assisted, and under that static scan the security vulnerabilities of the image under test are determined. In this way the static scan of the image under test is assisted by the vulnerability features of the self-built knowledge base so as to determine the security vulnerabilities of the image under test, and those vulnerabilities are compared with the vulnerability features of the self-built knowledge base so that they can be identified quickly. At the same time, during the static scanning process the method combines an image scanning tool to perform the static scan for image security vulnerabilities, extracts the feature information of the image security vulnerabilities and stores it in the self-built knowledge base, and establishes an image inheritance relationship model, thereby improving image scanning efficiency.
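As an added example (not code from the patent), the layer-keyed knowledge base of steps S131 to S134 in Python: each layer is recorded under its digest with its vulnerability list, layers shared with an already-scanned public parent image are not rescanned when a child image is scanned, and the images that inherit a given layer can be traced. The package versions, layer digests and advisory identifiers are constructed for the example.

```python
"""Layer-keyed vulnerability knowledge base (added example, not patent code).

Each image layer is recorded under its digest with its vulnerability list (the
two parts the description names: layer ID and vulnerability list).  Scanning a
child image built from a public parent reuses the parent's layer records, so
only the child's own layers are scanned.  All package versions, layer digests
and advisory identifiers below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed stand-in for a CVE-style database: (package, version) -> advisory IDs.
# Real scanners match version ranges; exact-version lookup keeps the example short.
KNOWN_VULNS = {
    ("openssl", "1.1.1k"): ["VULN-EXAMPLE-001"],
    ("zlib", "1.2.11"): ["VULN-EXAMPLE-002"],
    ("curl", "7.79.0"): ["VULN-EXAMPLE-003"],
}


@dataclass(frozen=True)
class Layer:
    """One image layer: its content digest and the (name, version) packages found in it."""
    digest: str
    packages: tuple


@dataclass
class KnowledgeBase:
    """Self-built knowledge base: layer digest -> vulnerability list, plus which
    images contain each layer so the children of a parent image can be traced."""
    layer_vulns: dict = field(default_factory=dict)   # digest -> list of advisory IDs
    image_layers: dict = field(default_factory=dict)  # image name -> list of digests
    parents: dict = field(default_factory=dict)       # child image -> parent image
    scans_performed: int = 0                          # real layer scans, to show reuse

    def scan_layer(self, layer: Layer) -> list:
        """Return the layer's vulnerabilities, scanning only if the digest is unknown."""
        if layer.digest in self.layer_vulns:
            return self.layer_vulns[layer.digest]
        self.scans_performed += 1
        found = []
        for name, version in layer.packages:
            found.extend(KNOWN_VULNS.get((name, version), []))
        self.layer_vulns[layer.digest] = found
        return found

    def scan_image(self, name: str, layers: list, parent: str = None) -> dict:
        """Scan an image layer by layer; layers already recorded (e.g. shared with a
        scanned parent) are served from the knowledge base.  Returns digest -> vulns."""
        self.image_layers[name] = [layer.digest for layer in layers]
        if parent is not None:
            self.parents[name] = parent
        return {layer.digest: self.scan_layer(layer) for layer in layers}

    def images_with_layer(self, digest: str) -> set:
        """Trace which recorded images contain a layer (the parent and every child built on it)."""
        return {img for img, digests in self.image_layers.items() if digest in digests}


def image_vulnerabilities(report: dict) -> set:
    """Flatten a per-layer report into the image's vulnerability set."""
    return {v for vulns in report.values() for v in vulns}


def run_demo():
    """Scan a public parent image, then a child image that adds one layer on top of it."""
    kb = KnowledgeBase()
    base_layers = [
        Layer("sha256:aaaa", (("openssl", "1.1.1k"), ("zlib", "1.2.11"))),
        Layer("sha256:bbbb", (("bash", "5.1"),)),
    ]
    parent_report = kb.scan_image("public-base:1.0", base_layers)
    child_layers = base_layers + [Layer("sha256:cccc", (("curl", "7.79.0"),))]
    child_report = kb.scan_image("app:1.0", child_layers, parent="public-base:1.0")
    return kb, parent_report, child_report


if __name__ == "__main__":
    kb, parent_report, child_report = run_demo()
    print("layer scans performed:", kb.scans_performed)          # 3 rather than 5
    print("app:1.0 vulnerabilities:", sorted(image_vulnerabilities(child_report)))
    print("images containing sha256:aaaa:", sorted(kb.images_with_layer("sha256:aaaa")))
```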
Referring to FIG. 4, in step S140, dynamic analysis is performed on the image under test and the whitelist corresponding to the dynamic analysis tool is obtained.
In the embodiment of this application, dynamic analysis is performed on the image under test and the whitelist corresponding to the dynamic analysis tool is obtained during the dynamic analysis so that the whitelist can be used fully; the whitelist then clearly separates the system calls in the whitelist from those outside it, where the whitelist is the set of safe system calls.
Step S141, obtaining a dynamic analysis tool when static analysis is performed on the image under test.
Step S142, determining the corresponding whitelist based on the dynamic analysis tool, where the whitelist is the set of safe system calls;
In the embodiment of this application, when static analysis is performed on the image under test, a dynamic analysis tool is obtained. The dynamic analysis tool may be the Sysdig tool: the Docker container is analysed dynamically with Sysdig, the executable files in the Docker container are analysed, all the system calls the Docker container needs during initialisation and operation are obtained, and they are added to the system call whitelist. Optionally, by analysing the executable files in the Docker container, the list of system calls the Docker container needs during initialisation and operation is obtained, and all the system calls the Docker container needs are added to the system call whitelist. The whitelist is the list of system calls needed by the Docker container, generated by analysing the container's executable files before the Docker container runs, and it contains all the system call information the Docker container needs during initialisation and operation.
Referring to fig. 5, in step S150, the operation of the Docker container is monitored, and when a system call outside the whitelist is found, the system call is determined to be an abnormal call, and blocked.
And step S151, monitoring the operation of the Docker container, and comparing the current system call with a white list.
Step S152, determining the system call outside the white list based on the comparison between the current system call and the white list;
step 153, when a system call outside the white list is found, determining that the system call is an abnormal call;
and step 154, triggering control of the abnormal call and blocking the system call when the system call is the abnormal call.
In this embodiment, the whitelist is used as follows. The current system call is compared with the whitelist, and the system calls outside the whitelist are determined from that comparison, so that the current call is checked quickly while dynamic scanning is still taken into account. When a system call outside the whitelist is found it is determined to be an abnormal call; when the call is abnormal, the control of the abnormal call is triggered and the call is blocked. Optionally, blocking is implemented by placing an agent in each Docker container that monitors the system calls issued while the container runs; when the monitoring agent finds an abnormal system call by comparing it with the whitelist, execution of that call is denied and alert information is generated.
In dynamic scanning, a system-call whitelist for the Docker container is generated first; the system calls issued while the container runs are then monitored, abnormal system calls are denied, and alert information is generated. The method can detect both vulnerability information and abnormal-system-call information of the Docker container, overcoming the low efficiency of traditional static scanning and its inability to discover zero-day vulnerabilities. In practice the method hardens the Docker container effectively; at the same time, the knowledge base built on the inheritance relationships between images avoids scanning the same image layers repeatedly and allows security problems in an image to be detected quickly.
Secondly, the invention limits the range of system calls the Docker container may execute on the basis of dynamic analysis, thereby reducing the attack surface of the container. During dynamic analysis, the executable files in the Docker container are first analysed to obtain the list of system calls the container needs during initialisation and operation, and all of those calls are added to the system-call whitelist. While the container runs, a monitoring agent inside it blocks any system call outside the whitelist as soon as it is found and generates alert information.
The method comprises the following specific steps:
Step one: pull the image and parse it to obtain its manifest file, image layer ids, image layer files and similar content.
Step two: perform static analysis on the image. Compare each extracted image layer id with the ids in the self-built knowledge base; if a layer id matches, skip scanning that layer's files and output the vulnerability characteristics recorded in the knowledge base directly. If the knowledge base holds no vulnerability characteristics for the layer id, scan the binary files in the image to obtain the name and version number of each software package, compare the packages with a known vulnerability database (for example a CVE database) to output the image's vulnerability list, extract the vulnerability characteristics of the image layer, and store them in the self-built knowledge base.
Step three: combine the static analysis results into the image's vulnerability list and give hardening suggestions.
Step four: dynamically analyse the Docker container with the Sysdig tool, analyse the executable files in the container, obtain all system calls the container needs during initialisation and operation, and add them to the system-call whitelist.
Step five: place a monitoring agent in each Docker container to capture the system calls issued while the container runs and compare them with the whitelist.
Step six: when a system call outside the whitelist is found, block the abnormal system call with seccomp (the Linux kernel's system-call filter, applied to the container as a seccomp profile) and generate alert information.
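The following is an added example, not code from the patent, that models steps four to six (and steps S141/S142 and S151 to S154 above) in Python: it learns the system-call whitelist from a Sysdig-style trace, renders the whitelist as a Docker seccomp profile that denies everything else, and implements the comparison the monitoring agent performs. The trace lines are constructed for the example; their field layout follows Sysdig's default output format (`%evt.num %evt.outputtime %evt.cpu %proc.name (%thread.tid) %evt.dir %evt.type %evt.info`). The `BASELINE` set, the `web-seccomp.json` file name and the container name `web` are assumptions of the example.

```python
# Added example (not the patent's code): learn a syscall whitelist from a
# Sysdig-style trace, turn it into a Docker seccomp profile, and flag calls
# outside the list the way the in-container monitoring agent would.
import json

# Constructed sample of what `sysdig container.name=web` prints while the
# container initialises and serves one request.  '>' marks the entry of a
# system call and '<' its return; only entries are needed to learn the name.
SAMPLE_TRACE = """\
1 10:00:00.000000100 0 nginx (100) > execve filename=/usr/sbin/nginx
2 10:00:00.000000200 0 nginx (100) < execve res=0
3 10:00:00.000000300 0 nginx (100) > brk addr=0
4 10:00:00.000000400 0 nginx (100) > openat dirfd=-100(AT_FDCWD) name=/etc/nginx/nginx.conf
5 10:00:00.000000500 0 nginx (100) > read fd=3(<f>/etc/nginx/nginx.conf) size=4096
6 10:00:00.000000600 0 nginx (100) > socket domain=2(AF_INET) type=1 proto=0
7 10:00:00.000000700 0 nginx (100) > bind fd=4(<4t>0.0.0.0:80)
8 10:00:00.000000800 0 nginx (100) > listen fd=4(<4t>0.0.0.0:80) backlog=511
9 10:00:00.000000900 0 nginx (100) > accept4 flags=0
10 10:00:00.000001000 0 nginx (100) > write fd=5(<4t>172.17.0.1:4242->172.17.0.2:80) size=612
11 10:00:00.000001100 0 nginx (100) > close fd=5(<4t>172.17.0.1:4242->172.17.0.2:80)
"""

# Assumption of this example: a trace covers only the code paths that were
# exercised, so the few calls any process needs to start and stop are always
# allowed even if the profiling run did not happen to record them.
BASELINE = {"execve", "exit", "exit_group", "rt_sigreturn"}


def parse_syscalls(trace: str) -> list:
    """Return the name of every system call entered ('>' events) in a trace, in order."""
    names = []
    for line in trace.splitlines():
        fields = line.split()
        # fields: num, time, cpu, proc.name, (tid), direction, type, info...
        if len(fields) >= 7 and fields[5] == ">":
            names.append(fields[6])
    return names


def build_whitelist(trace: str) -> set:
    """Step four: the set of system calls the container used, plus the baseline."""
    return set(parse_syscalls(trace)) | BASELINE


def seccomp_profile(whitelist: set) -> dict:
    """Render the whitelist as a Docker seccomp profile.

    Anything not listed fails with EPERM (SCMP_ACT_ERRNO) instead of running,
    which is how step six is enforced by the kernel rather than by the agent.
    """
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(whitelist), "action": "SCMP_ACT_ALLOW"}],
    }


def monitor(trace: str, whitelist: set) -> list:
    """Steps five and six: compare each observed call with the whitelist and
    return one alert record per call that falls outside it."""
    alerts = []
    for line in trace.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[5] == ">" and fields[6] not in whitelist:
            alerts.append({"event": fields[0], "process": fields[3], "syscall": fields[6]})
    return alerts


if __name__ == "__main__":
    allowed = build_whitelist(SAMPLE_TRACE)
    with open("web-seccomp.json", "w") as fh:
        json.dump(seccomp_profile(allowed), fh, indent=2)
    # Constructed trace of a later run in which the process attaches a debugger
    # and a spawned shell loads a kernel module: neither call was seen during profiling.
    later = SAMPLE_TRACE + (
        "12 10:00:05.000000000 0 nginx (100) > ptrace request=16\n"
        "13 10:00:05.000000100 0 sh (101) > init_module\n"
    )
    for alert in monitor(later, allowed):
        print("ALERT: system call outside whitelist", alert)
```

The generated profile is applied at container creation, for example with `docker run --security-opt seccomp=web-seccomp.json web`. That ordering matters for step six: a seccomp filter must be installed before the container's entrypoint runs, so an agent that notices a call outside the whitelist at run time can alert and stop the container, but the call itself is only prevented by a filter loaded at start. The practical loop is therefore profile, generate, apply, and treat every alert as either an attack or a sign that the profiling run missed a code path.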
In this embodiment, static analysis is performed on the image under test to obtain the vulnerability characteristics present in each image layer; those characteristics are stored in a self-built knowledge base; static scanning of the image under test is assisted by the knowledge base's vulnerability characteristics, so that the security vulnerabilities of the image are determined; dynamic analysis is performed on the image under test and the whitelist corresponding to the dynamic analysis tool is acquired; and the operation of the Docker container is monitored so that a system call outside the whitelist is determined to be an abnormal call and blocked. In this way the security vulnerabilities of the image are determined by static analysis and the abnormal system calls by dynamic analysis, the two complementing each other, so that the Docker container is hardened comprehensively, the strength of the hardening is improved and the normal operation of the container is preserved.
The following describes apparatus embodiments of the present application that may be used to perform the security hardening method for a Docker container described in the method embodiments above. For details not disclosed in the apparatus embodiments, refer to the description of the security hardening method for a Docker container in this application.
Fig. 7 shows a block diagram of a security hardening apparatus for a Docker container according to one embodiment of the present application.
Referring to fig. 7, a security hardening apparatus for a Docker container according to an embodiment of the present application includes:
an obtaining module 210, configured to perform static analysis based on the image under test and obtain the vulnerability characteristics present in each image layer;
a storing module 220, configured to store the vulnerability characteristics in a self-built knowledge base;
a security vulnerability module 230, configured to assist static scanning of the image under test with the vulnerability characteristics in the self-built knowledge base, so as to determine the security vulnerabilities of the image under test;
a whitelist module 240, configured to perform dynamic analysis based on the image under test and obtain the whitelist corresponding to the dynamic analysis tool;
and a blocking module 250, configured to monitor the operation of the Docker container and, when a system call outside the whitelist is found, determine that the system call is an abnormal call and block it.
According to an aspect of the embodiments of the present application, a computer-readable medium is provided on which a computer program is stored; when executed by a processor, the program implements the security hardening method for a Docker container described in the embodiments above.
In one embodiment of the present application, an electronic device is also provided, including:
one or more processors;
and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the security hardening method for a Docker container according to the preceding embodiments.
In one example, FIG. 8 illustrates a schematic diagram of a computer system suitable for use in implementing the electronic device of the embodiments of the present application.
It should be noted that, the computer system of the electronic device shown in fig. 8 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.
As shown in fig. 8, the computer system includes a central processing unit (Central Processing Unit, CPU) 301 (i.e., a processor as described above) that can perform various appropriate actions and processes, such as performing the methods described in the above embodiments, according to a program stored in a Read-Only Memory (ROM) 302 or a program loaded from a storage section 308 into a random access Memory (Random Access Memory, RAM) 303. It should be understood that RAM303 and ROM302 are just described as storage devices. In the RAM303, various programs and data required for the system operation are also stored. The CPU 301, ROM302, and RAM303 are connected to each other through a bus 304. An Input/Output (I/O) interface 305 is also connected to bus 304.
The following components are connected to the I/O interface 305: an input section 306 including a keyboard, a mouse, and the like; an output portion 307 including a Cathode Ray Tube (CRT), a liquid crystal display (Liquid Crystal Display, LCD), and the like, a speaker, and the like; a storage section 308 including a hard disk or the like; and a communication section 309 including a network interface card such as a LAN (Local Area Network ) card, a modem, or the like. The communication section 309 performs communication processing via a network such as the internet. The drive 310 is also connected to the I/O interface 305 as needed. A removable medium 311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed on the drive 310 as needed, so that a computer program read therefrom is installed into the storage section 308 as needed.
In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 309, and/or installed from the removable medium 311. When executed by a Central Processing Unit (CPU) 301, performs the various functions defined in the system of the present application.
It should be noted that, the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-Only Memory (ROM), an erasable programmable read-Only Memory (Erasable Programmable Read Only Memory, EPROM), flash Memory, an optical fiber, a portable compact disc read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
In the present application, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with a computer-readable computer program embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. A computer program embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Where each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented by means of software, or may be implemented by means of hardware, and the described units may also be provided in a processor. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.
As another aspect, the present application also provides a computer-readable medium that may be contained in the electronic device described in the above embodiment; or may exist alone without being incorporated into the electronic device. The computer-readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the methods described in the above embodiments.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit, in accordance with embodiments of the present application. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a usb disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a touch terminal, or a network device, etc.) to perform the method according to the embodiments of the present application.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains.
It is to be understood that the present application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (8)

1. A security hardening method for a Docker container, characterised in that it is applied to the Docker container;
the security hardening method for the Docker container comprises the following steps:
when static analysis is performed on the image under test, parsing the image under test;
scanning the binary files in the image under test to obtain the name and version number of each software package;
comparing the package names and version numbers with a known vulnerability database to determine the vulnerability characteristics present in each image layer;
storing the vulnerability characteristics in a self-built knowledge base;
taking the vulnerability characteristics in the self-built knowledge base as a reference, tracking the vulnerability characteristics of child images built from a common parent image through the vulnerability characteristics of that parent image, thereby assisting static scanning of the image under test;
under static scanning of the image under test, determining the security vulnerabilities of the image under test;
performing dynamic analysis based on the image under test and acquiring a whitelist corresponding to the dynamic analysis tool;
monitoring the operation of the Docker container and, when a system call outside the whitelist is found, determining that the system call is an abnormal call and blocking the system call.
2. The method of claim 1, wherein performing static analysis based on the image under test and obtaining the vulnerability characteristics present in each image layer further comprises:
obtaining the layer structure information of the image from the image's binary files;
determining the image layer files according to the layer structure information;
determining the vulnerability characteristics present in the corresponding image layer from the image layer files and a static analysis tool.
3. The method of claim 1, wherein storing the vulnerability characteristics in a self-built knowledge base comprises:
obtaining the self-built knowledge base;
storing the vulnerability characteristics in the self-built knowledge base so as to enrich it.
4. The method of claim 1, wherein performing dynamic analysis based on the image under test and acquiring the whitelist corresponding to the dynamic analysis tool comprises:
obtaining a dynamic analysis tool while static analysis is performed on the image under test;
determining the corresponding whitelist with the dynamic analysis tool, the whitelist being the set of safe system calls.
5. The method of claim 1, wherein monitoring the operation of the Docker container and, when a system call outside the whitelist is found, determining that the system call is an abnormal call and blocking the system call comprises:
monitoring the operation of the Docker container and comparing the current system call with the whitelist;
determining the system calls outside the whitelist from the comparison between the current system call and the whitelist;
when a system call outside the whitelist is found, determining that the system call is an abnormal call.
6. The method of claim 5, wherein monitoring the operation of the Docker container and, when a system call outside the whitelist is found, determining that the system call is an abnormal call and blocking the system call further comprises:
when the system call is an abnormal call, triggering the control of the abnormal call and blocking the system call.
7. A security hardening apparatus for a Docker container, comprising:
an obtaining module, configured to scan the binary files in the image under test while the image is statically analysed so as to obtain the name and version number of each software package, and to compare the package names and version numbers with a known vulnerability database to determine the vulnerability characteristics present in each image layer;
a storing module, configured to store the vulnerability characteristics in a self-built knowledge base;
a security vulnerability module, configured to take the vulnerability characteristics in the self-built knowledge base as a reference, track the vulnerability characteristics of child images built from a common parent image, assist static scanning of the image under test, and determine the security vulnerabilities of the image under test under that static scanning;
a whitelist module, configured to perform dynamic analysis based on the image under test and acquire the whitelist corresponding to the dynamic analysis tool;
and a blocking module, configured to monitor the operation of the Docker container and, when a system call outside the whitelist is found, determine that the system call is an abnormal call and block it.
8. A computer-readable medium on which a computer program is stored, characterised in that the computer program, when executed by a processor, implements the security hardening method for a Docker container according to any of claims 1 to 6.
CN202410095044.0A 2024-01-24 2024-01-24 Safety reinforcement method, device and medium of Docker container Active CN117608765B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410095044.0A CN117608765B (en) 2024-01-24 2024-01-24 Safety reinforcement method, device and medium of Docker container


Publications (2)

Publication Number Publication Date
CN117608765A CN117608765A (en) 2024-02-27
CN117608765B true CN117608765B (en) 2024-04-09

Family

ID=89953908


Country Status (1)

Country Link
CN (1) CN117608765B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114564719A (en) * 2022-02-18 2022-05-31 浙江大学 Docker mirror image scanning method based on static analysis
CN116821917A (en) * 2023-06-14 2023-09-29 苏州棱镜七彩信息科技有限公司 Container vulnerability detection method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230008660A1 (en) * 2021-07-08 2023-01-12 Foundation Of Soongsil University-Industry Cooperation Method of analyzing container system call configuration error, and recording medium and apparatus for performing the same




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant