TWI733490B - System for detecting image file security and method thereof - Google Patents
- Publication number: TWI733490B
- Authority: TW (Taiwan)
- Prior art keywords: image file, detection, security, image, host side
- Prior art date
- Landscapes: Storage Device Security (AREA)
Description
The present invention relates to container resource protection technology, and in particular to a container image security detection system and method.
In the field of software microservices, microservices offer agility and elastic scaling and, compared with monolithic application services, resolve many of the issues that monolithic services give rise to. Because no suitable execution environment for microservice architectures existed in the past, however, they were not widely adopted. In recent years the rise of container technology has provided an ideal execution environment for microservices, making microservice architectures built on containers well suited to today's cloud applications. Each microservice must be independently updatable, and this loosely coupled architecture lets applications innovate quickly. Microservices can also be developed with different programming languages and tools; with the benefits of containerization they are no longer bound to a platform's environment, which improves the portability of services across platforms.
Containerization, however, brings its own risks. Image resources produced by container technology inevitably raise security concerns: during transfer between the image repository and the individual local hosts, a site that is not a closed environment gives external malicious attackers the opportunity to tamper with image resources in various ways, so that a malicious image is downloaded when a back-end service is deployed, and running that image is very likely to compromise the local host. In short, the security issues containerization may face include the protection of container resources. Container resources are images that package a specific application; these images may come from a public image repository (Docker Hub) or from a privately built one. Using image resources carries two potential risks: first, the image itself may contain security vulnerabilities, and second, image resources are at risk of being tampered with by external malicious attackers. When a local host runs a high-risk image resource, other services on that host are very likely to be severely affected, so the protection of container resources is extremely important.
Therefore, a container resource protection technology that can ensure the consistency of an image while it is downloaded to the local host, and that can verify whether the images held on a host comply with the rules, is a goal that those skilled in the art are eager to achieve.
The object of the present invention is to provide a container image security detection technology that, first, performs detection by comparison against open-source security vulnerability databases to obtain the level of potential risk and the location of the problems; second, ensures the consistency of image contents through image content comparison; and third, runs checks on the host side to confirm whether the image resources held on the host are compliant.
To achieve the above and other objects, the present invention proposes a container image security detection system comprising: a central control server including a scheduling module for scheduling detection of an image, the scheduling module issuing a detection request when it receives the image; a detection server that receives the detection request from the central control server, obtains the image from the central control server, and compares the image against information pre-stored in a security vulnerability database to produce a detection result; and a centralized database including a review module for organizing and storing the security weakness levels and problems of the image, wherein the review module obtains the detection result from the detection server and stores the detection result and the detected image in the centralized database for retrieval by a host side.
In the above system, the central control server further includes a central control signature module that signs the image before the image is detected, and the host side further includes a host signature module that verifies the signature after receiving the signed image.
In the above system, the review module periodically refreshes the detection result from the detection server, so that all images in the centralized database are periodically re-checked against the latest security vulnerabilities.
In the above system, the host side further includes a monitoring module that collects usage information on the host side's use of the image and returns it to the central control server, and the central control server further includes a verification module that compares the usage information with the centralized database to confirm how the image is used on the host side.
In the above system, when the monitoring module detects that the host side is using an unknown image, it reports the usage information of the unknown image to the verification module.
In one embodiment, the security vulnerability database is an open-source security vulnerability database provided by a third party and continuously updated.
The present invention further proposes a container image security detection method comprising the following steps: after receiving an image, generating a detection request for the image; according to the detection request, comparing the image against information pre-stored in a security vulnerability database to produce a detection result; and storing the detection result and the detected image in a centralized database for a host side to retrieve the detected image.
The above method further includes signing the image before it is detected.
The above method further includes periodically updating the detection result in the centralized database, so that all images in the centralized database are periodically re-checked against the latest security vulnerabilities.
In the above method, after the host side obtains and uses the image, the host side collects and returns usage information on the image, so as to confirm how the image is used on the host side.
In the above method, when the host side detects that it is using an unknown image, the host side reports the usage information of the unknown image.
In summary, the container image security detection system and method proposed by the present invention can use multiple different open-source security vulnerability databases for detection, report the level of potential risk and the location of the problems, and provide a continuous detection mechanism for images, ensuring that no new risks arise in the existing image resources in the centralized database. To prevent containers from being tampered with, the present invention uses image content comparison to ensure content consistency from the moment the image is uploaded to the platform until it is downloaded to the local host. For further protection, a client service can run on each host side, synchronizing with the server side at fixed intervals to check whether the image resources held on the host are compliant and, when necessary, issuing an immediate alert to the owner of the local host for risk handling.
1: container image security detection system
11: central control server
111: scheduling module
112: central control signature module
113: verification module
12: detection server
13: centralized database
131: review module
14: host side
141: host signature module
142: monitoring module
100: image
S61~S63: steps
S71~S75: steps
The technical content, objects and effects of the present invention will be further understood from the following detailed description and the accompanying drawings, which are described as follows.
FIG. 1 is an architecture diagram of the container image security detection system of the present invention.
FIG. 2 is an architecture diagram of another embodiment of the container image security detection system of the present invention.
FIG. 3 is a schematic diagram of the container image security detection system of the present invention performing risk detection.
FIG. 4 is a schematic diagram of the container image security detection system of the present invention performing image signing.
FIG. 5 is a schematic diagram of the container image security detection system of the present invention performing compliance verification.
FIG. 6 is a step diagram of the container image security detection method of the present invention.
FIG. 7 is a flowchart of the container image security detection method of the present invention performing risk detection, signing and compliance verification.
The following describes the technical content of the present invention by way of specific embodiments. Those skilled in the art can readily understand the advantages and effects of the present invention from the contents disclosed in this specification. The present invention may also be implemented or applied in other different specific embodiments.
The present invention proposes a general-purpose container image security detection solution whose detection flow can be applied on different platforms. Whether a user uploads an image to the centralized database through a platform's upload function or an image is downloaded to the individual hosts, the solution ensures the consistency of the image contents, continuously detects security vulnerabilities in the image itself, and provides continuous monitoring of image usage on the host side together with real-time alerts.
FIG. 1 is an architecture diagram of the container image security detection system of the present invention. As shown in the figure, the container image security detection system 1 includes a central control server 11, a detection server 12, a centralized database 13 and a host side 14.
The central control server 11 includes a scheduling module 111 for scheduling detection of an image 100. When the scheduling module 111 receives the image 100, it issues a detection request for the image 100, requesting the detection server 12 to perform the detection. In other words, the user sends the image 100 to the central control server 11, and the central control server 11 initiates detection of the image 100, that is, starts risk detection on the image 100.
The detection server 12 receives the detection request from the central control server 11, obtains the image 100 from the central control server 11, and compares it against the information pre-stored in the security vulnerability database to produce a detection result. In short, the central control server 11 issues a detection request asking the detection server 12 to perform detection, and the detection server 12 compares the image 100 against the data in the security vulnerability database to confirm whether the image 100 carries risk. The security vulnerability database may be an open-source security vulnerability database provided by a third party and continuously updated, so that the detection server 12 can keep determining whether the image 100 has new security vulnerabilities.
The centralized database 13 includes a review module 131 for organizing and storing the security weakness levels and problems of the image. The review module 131 obtains the detection result from the detection server 12 and stores the detection result and the detected image 100 in the centralized database 13 for retrieval by the host side 14. In detail, the centralized database 13 organizes the security weakness levels and problems of the image 100 through the review module 131 and stores the detection result and the detected image 100; the detected image 100 can then be retrieved by the host side 14.
In one embodiment, the review module 131 periodically refreshes the detection result from the detection server 12, so that all images in the centralized database 13 are periodically re-checked against the latest security vulnerabilities; this ensures that the detection results of all images reflect current requirements.
In a specific implementation, risk detection can use third-party open-source detection software such as WhiteSource, which compares against dozens of open-source security vulnerability databases on the back end to identify whether the third-party components of the image have weaknesses, their version update status, and the validity of their licenses. The detection flow can comprise two parts: triggering the detection job and updating the detection result. The trigger part provides a general microservice API for triggering detection jobs; it is deployed on each platform, and an image uploaded through the platform is registered with WhiteSource to trigger detection. The update part provides a general microservice API for obtaining detection results; it is deployed on the centralized database side, obtains from WhiteSource the result analysis for image resources from the different platforms, and periodically triggers WhiteSource to continuously monitor all images in the database against the latest security vulnerability databases. Such a container image detection architecture provides a centralized management and control center for image resources and continuously monitors all images, so that the latest known potential risks are not missed.
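The comparison the detection server performs (components of an image matched against vulnerability records, a weakness level per image, licence validity, and a periodic re-check of every stored image when the database is refreshed) can be sketched as follows. This is an added example and is not code from the patent or from WhiteSource; the image names, component versions, `VULN-EXAMPLE-*` identifiers and the accepted-licence list are all constructed for the example.

```python
"""Component-versus-vulnerability-database comparison for a container image.

Added example, not code from the patent or from WhiteSource. It models what the
detection server does: match an image's component list against pre-stored
vulnerability records, grade the image by its highest weakness level, flag
components whose licence is not on the accepted list, and re-check every stored
image when the database is refreshed. All data (image names, component versions,
VULN-EXAMPLE-* identifiers, licence list) is constructed for the example.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ACCEPTED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "Zlib"}  # constructed policy


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple      # (major, minor, patch) so tuples compare numerically
    license: str


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str        # constructed identifier, not a real CVE
    component: str
    fixed_in: tuple     # versions strictly below this are affected
    severity: str


@dataclass(frozen=True)
class Finding:
    component: str
    vuln_id: str
    severity: str
    installed: str
    fixed_in: str


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def fmt_version(version):
    return ".".join(str(part) for part in version)


def scan_image(components, vuln_db):
    """Compare one image's components against the vulnerability database.

    Returns (findings, license_problems, overall_level); overall_level is the
    highest severity among the findings, or "none" when nothing matched."""
    by_component = {}
    for record in vuln_db:
        by_component.setdefault(record.component, []).append(record)

    findings = []
    for comp in components:
        for record in by_component.get(comp.name, []):
            if comp.version < record.fixed_in:
                findings.append(Finding(comp.name, record.vuln_id, record.severity,
                                        fmt_version(comp.version),
                                        fmt_version(record.fixed_in)))
    license_problems = [c.name for c in components if c.license not in ACCEPTED_LICENSES]
    level = max((f.severity for f in findings),
                key=SEVERITY_RANK.__getitem__, default="none")
    return findings, license_problems, level


def rescan_all(image_store, vuln_db):
    """Re-check every stored image against the current database, as the review
    module does periodically. Returns {image_ref: overall_level}."""
    return {ref: scan_image(comps, vuln_db)[2] for ref, comps in image_store.items()}


# Constructed sample data: two stored images and two database snapshots.
IMAGE_STORE = {
    "registry.example/app:1.0": [
        Component("openssl", parse_version("1.1.0"), "Apache-2.0"),
        Component("zlib", parse_version("1.2.11"), "Zlib"),
        Component("legacy-lib", parse_version("0.9.0"), "UNKNOWN"),
    ],
    "registry.example/web:2.3": [
        Component("libxml2", parse_version("2.9.12"), "MIT"),
        Component("zlib", parse_version("1.2.11"), "Zlib"),
    ],
}
VULN_DB_V1 = [
    VulnRecord("VULN-EXAMPLE-0001", "openssl", parse_version("1.1.1"), "high"),
    VulnRecord("VULN-EXAMPLE-0002", "libxml2", parse_version("2.9.10"), "medium"),
]
# A later refresh adds a record for a component that was clean under V1.
VULN_DB_V2 = VULN_DB_V1 + [
    VulnRecord("VULN-EXAMPLE-0003", "zlib", parse_version("1.2.12"), "critical"),
]

if __name__ == "__main__":
    for ref, comps in IMAGE_STORE.items():
        findings, licenses, level = scan_image(comps, VULN_DB_V1)
        print(ref, level, [f.vuln_id for f in findings], licenses)
    print("after database refresh:", rescan_all(IMAGE_STORE, VULN_DB_V2))
```

The point of `rescan_all` is the one the text makes about periodic re-checking: `web:2.3` is clean against the first database snapshot and becomes critical once the refreshed snapshot adds a record for a component it already contained, without the image itself changing.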
FIG. 2 is an architecture diagram of another embodiment of the container image security detection system of the present invention. As shown in the figure, the central control server 11, detection server 12, centralized database 13 and host side 14 of the container image security detection system 1 are as described for FIG. 1. In addition, in this embodiment the container image security detection system 1 can serve multiple host sides 14, numbered 1-N, which retrieve the detected image 100; the central control server 11 further includes a central control signature module 112 and a verification module 113, and each host side 14 (numbered 1-N) further includes a host signature module 141 and a monitoring module 142.
To ensure the content consistency of the image 100, the central control signature module 112 of the central control server 11 signs the image 100 before the image 100 is detected and stores it in the centralized database 13. After the host side 14 obtains the signed image 100, the host signature module 141 of the host side 14 verifies the signature of the signed image 100.
To ensure that the image 100 used by the host side 14 complies with the rules, the present invention proposes that the host side 14 continuously monitor whether the images 100 it uses are compliant. The monitoring module 142 of the host side 14 therefore periodically collects usage information on all images 100 used on the host side 14 and returns the usage information to the central control server 11, and the verification module 113 of the central control server 11, after obtaining the usage information, compares it with the centralized database 13 to confirm how the images 100 used on the host side 14 are being used.
In addition to the images 100 that the host side 14 retrieves from the centralized database 13, the host side 14 may also use other images that did not come from the centralized database 13. In that case the monitoring module 142 of the host side 14 can likewise report the usage of those other images to the verification module 113 of the central control server 11, so that the verification module 113 can help confirm whether those other images are compliant.
In one embodiment, the present invention uses images of the Docker software platform as the implementation target. Through the general-purpose container image security detection solution proposed by the present invention, the detection flow can be applied on different platforms: from the moment a user uploads the image 100 to the centralized database 13 through any platform until the image 100 is downloaded to the individual host sides 14, the consistency of its contents is ensured; the security vulnerabilities of the image 100 itself are continuously detected through updated comparisons; and usage of the images on the host side 14 is continuously monitored so that security problems with an image can be alerted on in real time.
In summary, the present invention provides a distributed-platform image risk detection mechanism through the scheduling module 111, detection server 12 and review module 131, consolidating the detection results in the centralized database 13 to complete container image risk detection. It also provides a distributed-platform image compliance verification mechanism through the monitoring module 142 and verification module 113, gathering the data at the central control server 11 and comparing it against the centralized database 13 to complete container image compliance verification.
FIG. 3 is a schematic diagram of the container image security detection system of the present invention performing risk detection. This embodiment addresses the potential security vulnerabilities of the image itself. As shown in the figure, after a user uploads the image 100, the central control server 11 of the container image security detection system 1 issues a security vulnerability detection request through the scheduling module 111. On receiving the detection request, the detection server 12 checks the image 100 against multiple different open-source security vulnerability databases to identify whether the open-source code and packages it uses have corresponding weaknesses, their version update status and the validity of their licenses, and the review module 131 organizes the security weakness levels and problems of the image 100 and stores the results in the centralized database 13. As the security vulnerability database of the detection server 12 is continuously updated, all images are also continuously re-checked, ensuring that no new security weaknesses appear in the existing image resources in the centralized database 13.
FIG. 4 is a schematic diagram of the container image security detection system of the present invention performing image signing. This embodiment addresses the possibility that container resources are tampered with by malicious attackers. As shown in the figure, the container image security detection system 1 of the present invention uses image content comparison: from the moment a user uploads the image 100 to the centralized database 13 through the upload function of the central control server 11 until the image 100 is downloaded to the individual host sides 14, the image 100 is protected by a signature. That is, the central control signature module 112 of the central control server 11 signs the image 100, and the host signature module 141 of the host side 14, on obtaining the signed image 100, verifies the image 100, thereby ensuring the consistency of its contents.
In one embodiment, regarding image security, images in newer versions of the Docker system carry an additional information field named Digest. The Digest is a SHA256 value computed over the image content, so when the image content changes, the SHA256 value of the Digest changes as well. In practice, the two tools Notary and Portieris can be used to check image signatures during image push and pull, ensuring the consistency of the image content throughout the process.
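The two checks this paragraph and the FIG. 4 embodiment rely on, a content digest recomputed on the pulling side and a signature over that digest produced on the pushing side, are shown below. This is an added example and is neither the patent's code nor Notary or Portieris: the layer bytes and signing key are constructed, the manifest shape is a simplified imitation of a registry manifest, and an HMAC stands in for the asymmetric signatures such tools use so that the example runs with the standard library only. One detail the example relies on that the paragraph does not spell out: a registry digest is computed over the manifest, and the manifest pins every layer by its own digest, so a change to any layer changes the image digest.

```python
"""Digest and signature check for an image pulled by a host.

Added example; not the patent's code and not Notary or Portieris. Layer bytes
and the signing key are constructed; the manifest is a simplified imitation of
a registry manifest; HMAC stands in for an asymmetric signature scheme.
"""
import hashlib
import hmac
import json


def content_digest(data: bytes) -> str:
    """SHA256 digest in the 'sha256:<hex>' form registries use."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_manifest(layers) -> bytes:
    """Manifest listing each layer by digest and size. Canonical JSON (sorted
    keys, no whitespace) so both sides compute the same bytes."""
    manifest = {
        "schemaVersion": 2,
        "layers": [{"digest": content_digest(b), "size": len(b)} for b in layers],
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def image_digest(manifest_bytes: bytes) -> str:
    # The image Digest is the digest of the manifest; since the manifest pins
    # each layer by digest, any layer change changes this value too.
    return content_digest(manifest_bytes)


def sign_digest(digest: str, key: bytes) -> str:
    # Pushing side (central control signature module): sign the image digest.
    # HMAC stand-in for the asymmetric signature a real signing tool would make.
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_pull(manifest_bytes, layers, signed_digest, signature, key) -> bool:
    """Pulling side (host signature module): check the signature over the digest
    that was signed, then recompute the digest and every layer from what was
    actually received. Any mismatch means the content is not what was signed."""
    if not hmac.compare_digest(sign_digest(signed_digest, key), signature):
        return False                        # signature invalid for this digest
    if image_digest(manifest_bytes) != signed_digest:
        return False                        # received manifest is not the signed one
    manifest = json.loads(manifest_bytes)
    if len(manifest["layers"]) != len(layers):
        return False                        # layer added or missing
    for entry, data in zip(manifest["layers"], layers):
        if content_digest(data) != entry["digest"] or len(data) != entry["size"]:
            return False                    # layer content altered in transit
    return True


# Constructed sample image: two layers and an example signing key.
LAYERS = [b"base filesystem layer (constructed)", b"application layer (constructed)"]
SIGNING_KEY = b"example-key-not-for-production"
MANIFEST = build_manifest(LAYERS)
DIGEST = image_digest(MANIFEST)
SIGNATURE = sign_digest(DIGEST, SIGNING_KEY)


def verify_untouched() -> bool:
    """Image arrives exactly as pushed."""
    return verify_pull(MANIFEST, LAYERS, DIGEST, SIGNATURE, SIGNING_KEY)


def verify_altered_layer() -> bool:
    """Signed manifest arrives intact but the second layer's bytes differ."""
    altered = [LAYERS[0], b"application layer with changed contents"]
    return verify_pull(MANIFEST, altered, DIGEST, SIGNATURE, SIGNING_KEY)


def verify_rewritten_manifest() -> bool:
    """Manifest rewritten to match the altered layer: its digest no longer
    matches the digest that was signed."""
    altered = [LAYERS[0], b"application layer with changed contents"]
    return verify_pull(build_manifest(altered), altered, DIGEST, SIGNATURE, SIGNING_KEY)


if __name__ == "__main__":
    print("digest:", DIGEST)
    print("untouched:", verify_untouched())
    print("altered layer:", verify_altered_layer())
    print("rewritten manifest:", verify_rewritten_manifest())
```

The order of checks in `verify_pull` matters: the signature is checked first, against the digest the pushing side claims to have signed, and only then is that digest compared with the received content, so a manifest rewritten to match altered layers fails because its digest is not the signed one, while a layer altered without touching the manifest fails on the per-layer digest.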
FIG. 5 is a schematic diagram of the container image security detection system of the present invention performing compliance verification. Even though the image has previously gone through the checking procedure and been given a trusted signature, each host side 14 may import unknown images through other channels, so the host side 14 may still be attacked. To ensure that the images used by each host side 14 are compliant, as shown in the figure, the container image security detection system 1 of the present invention continuously monitors the environment information of the host side 14 and the usage of the images it uses: the monitoring module 142 collects data on the host side 14 and reports it to the central control server 11, and the verification module 113 of the central control server 11 then checks the data against the centralized database 13, thereby preventing the host side 14 from harboring potential security vulnerabilities or from using unknown images that expose it to the risk of attack.
Finally, an alerting mechanism can be used: once the host side 14 is found to be using an unknown image, the system administrator must be notified immediately to confirm the situation and eliminate the problem, and if the image 100 itself has a security vulnerability, the developer of the image 100 is notified immediately to patch the vulnerability and re-upload the image 100. The present invention thus combines the above mechanisms into a container image security detection solution that ensures every image 100, once uploaded to the platform, complies with the user-defined security rules and that proactively detects unknown potential risks.
The following describes the overall architecture of an application example of the container image security detection system 1 of the present invention, with reference to FIGS. 2-5, in which the present invention performs container image risk detection, container image signing and container image compliance verification together. First, when a user uploads the image 100 to the central control server 11 through the platform's user interface, the image enters the control of the whole container image security detection process. From the start, the security detection of the image 100 is triggered by a detection request from the scheduling module 111; after the detection server 12 compares the image against dozens of open-source security vulnerability databases, the review module 131 on the centralized database 13 side periodically refreshes the detection results from the detection server 12 and periodically re-checks all images in the centralized database 13 against the latest security vulnerabilities.
Since detection usually takes time, when a user needs a service to go live immediately, the consistency of the image content can be ensured through the container image signing mechanism before the detection report is produced: the central control signature module 112 of the central control server 11 first pushes the signed image to the centralized database 13, and when the host side 14 needs to use the image 100, it pulls the image 100 through its host signature module 141, thereby ensuring the consistency of the contents of the image 100.
Finally, regarding container image compliance verification, the monitoring module 142 periodically captures the environment information and image resource usage of each host side 14 and reports them to the verification module 113 of the central control server 11. After the verification module 113 compares and confirms the data, the host side 14 is prevented from harboring potential security vulnerabilities or from using unknown images that expose it to the risk of attack. If the host side 14 is found to be using an unknown image, the system administrator can be notified immediately to confirm the situation and eliminate the problem, and if the image 100 itself has a security vulnerability, the developer of the image 100 is notified immediately to patch the vulnerability of the image 100 and re-upload it.
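The compliance step described here and in the FIG. 5 embodiment (a host-side usage report compared against the centralized database, unknown images reported to the system administrator, vulnerable images reported to the image developer) is shown below as an added example; it is not the patent's implementation. The usage report, the database records, the digests and the severity threshold are all constructed, and treating a known digest that appears under a different tag as unknown is an assumption of the example rather than something the patent states.

```python
"""Verification module: compare a host's image usage report with the
centralized database and route alerts.

Added example, not the patent's implementation. Report entries, database
records, digests and the policy threshold are constructed for the example.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class DbRecord:
    ref: str            # image reference the platform stored it under
    level: str          # highest weakness level from the latest detection
    developer: str      # who is notified when the image itself is vulnerable


@dataclass(frozen=True)
class UsageEntry:
    host: str
    container: str
    ref: str
    digest: str         # digest of the image actually running


@dataclass(frozen=True)
class Alert:
    recipient: str
    host: str
    reason: str
    ref: str


def verify_usage(report, central_db, max_level="medium"):
    """Classify every image a host reports as compliant, non-compliant or
    unknown, and build the alerts. Returns (verdicts, alerts) with verdicts
    keyed by container name."""
    verdicts, alerts = {}, []
    for entry in report:
        record = central_db.get(entry.digest)
        if record is None or record.ref != entry.ref:
            # Not in the centralized database (or a known digest under another
            # tag, treated as unknown here): it did not come through the
            # platform, so the system administrator is alerted.
            verdicts[entry.container] = "unknown"
            alerts.append(Alert("system-administrator", entry.host,
                                "unknown image in use", entry.ref))
        elif SEVERITY_RANK[record.level] > SEVERITY_RANK[max_level]:
            # Known image whose latest detection result exceeds policy: the
            # image developer is asked to patch and re-upload.
            verdicts[entry.container] = "non-compliant"
            alerts.append(Alert(record.developer, entry.host,
                                f"weakness level {record.level} exceeds policy", entry.ref))
        else:
            verdicts[entry.container] = "compliant"
    return verdicts, alerts


# Constructed centralized database, keyed by image digest.
CENTRAL_DB = {
    "sha256:" + "a" * 64: DbRecord("registry.example/app:1.0", "low", "app-team"),
    "sha256:" + "b" * 64: DbRecord("registry.example/web:2.3", "critical", "web-team"),
}

# Constructed report from one host's monitoring module: two platform images
# and one image imported through another channel.
HOST_REPORT = [
    UsageEntry("host-01", "app", "registry.example/app:1.0", "sha256:" + "a" * 64),
    UsageEntry("host-01", "web", "registry.example/web:2.3", "sha256:" + "b" * 64),
    UsageEntry("host-01", "debug", "example.invalid/tools:latest", "sha256:" + "c" * 64),
]

if __name__ == "__main__":
    verdicts, alerts = verify_usage(HOST_REPORT, CENTRAL_DB)
    for container, status in verdicts.items():
        print(f"{container}: {status}")
    for alert in alerts:
        print(f"notify {alert.recipient}: {alert.host} {alert.ref} ({alert.reason})")
```

Keying the database by digest rather than by tag is what makes the "unknown image" check meaningful: a tag can be re-pointed, but a running container's digest identifies exactly which content is executing, which is what the monitoring module should report.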
FIG. 6 is a step diagram of the container image security detection method of the present invention.
In step S61, after an image uploaded by a user is received, a detection request for the image is generated. This step states that when the uploaded image is received, detection of the image will be performed, and a detection request for the image is generated at this point. In actual operation, the detection request can be issued by the device or server that receives the image, for example the central control server, which manages the risk detection of uploaded images.
In step S62, according to the detection request, the image is compared against the information pre-stored in a security vulnerability database to produce a detection result. This step states that, according to the detection request, the image is compared with the information pre-stored in the security vulnerability database to confirm whether the image carries risk and thereby produce the detection result. In actual operation, the central control server can ask the detection server to perform the detection; the detection server connects to an external security vulnerability database, or to a security vulnerability database built into the detection server, to compare the security vulnerabilities of the image and produce the detection result.
In step S63, the detection result and the detected image are stored in a centralized database for a host side to retrieve the detected image. This step stores the detected image and the detection result in the centralized database. In actual operation, the centralized database organizes the security weakness levels and problems of the image, and the detected image is available for the host side to retrieve.
In one embodiment, the image is signed before it is detected. This ensures the consistency of the image content, since there may be a need to deploy the image before detection completes. With the signing mechanism, even if the image is intercepted and tampered with by an ill-intentioned party in transit and then delivered to the host side, the tampered image fails verification.
In one embodiment, the detection result in the centralized database is periodically updated, so that all images in the centralized database are periodically re-checked against the latest security vulnerabilities. This embodiment explains that, to ensure the detection results meet current requirements, that is, when the definitions or rules for risks and vulnerabilities change, the detection server periodically updates the detection results in the centralized database, so that images that previously passed detection still meet the latest security risk standards.
In one embodiment, after the host side obtains and uses the image, the host side collects and returns usage information on the image so as to confirm how the image is used on the host side. To ensure that the images used by the host side comply with the rules, the host side can continuously monitor whether the images it uses are compliant; it can therefore periodically collect usage information on the images it uses and return it to the central control server. Likewise, if the host side detects that it is using an unknown image, it can also report the usage information of that unknown image, thereby averting the harm the unknown image might cause to the host side.
FIG. 7 is a flowchart of the container image security detection method of the present invention performing risk detection, signing and compliance verification.
In step S71, image detection is performed and the image is signed. In other words, after a user uploads an image, image detection can first be performed and the image signed. This step detects security vulnerabilities present in the image and signs the image, ensuring that subsequent requests to pull the image refer to the same image resource.
In step S72, the centralized database manages the image-related information and results. The centralized database is responsible for storing the image information and detection results from different platforms, and periodically re-checks all previously detected images to prevent new security vulnerabilities from appearing. This step thus centrally manages the image information and detection results uploaded from different platforms, with periodic re-detection of all previously detected image data.
In step S73, the host side obtains the image and confirms the signature. This step means that each host side requests to pull the image through the centralized database and confirms the signature content, the purpose being to ensure that the request to pull the image refers to the same image resource.
In step S74, image usage information is obtained from the host side and compared with the centralized database for compliance. This step means that the host side periodically confirms whether the information on all images left on the local host is compliant, the purpose being to ensure that the images used on the local host meet the latest rules; that is, host-side image usage information is obtained periodically and the image contents are confirmed against the centralized database to determine whether they meet the company's security rules.
In step S75, an alert is issued to notify the system administrator. This step states that if the host side is found to be using a non-compliant image, the system administrator is notified immediately to handle it.
From the above, the present invention proposes a container image security detection solution whose detection flow can be applied generally on different platforms, ensuring the consistency of image contents from upload to the platform until download to the local host. Second, images can be continuously detected, a mechanism that ensures no new security vulnerabilities appear in the existing image resources in the centralized database. In addition, since images being imported into the host side through other channels cannot be ruled out, the present invention also proposes a verification mechanism that checks whether the image resources and configuration files held on the host side comply with the rules and policies, preventing unknown image resources from being imported into the host side by human error or by malicious attackers, and immediately alerting the owner of the local host to handle the risk.
In summary, compared with other conventional technologies, the container image security detection system and method of the present invention have the following advantages. First, the consistency of image contents is ensured from upload through the platform's upload function to the centralized database until download to each host side, preventing the contents from being tampered with by malicious attackers. Second, the security vulnerabilities of the image itself are continuously detected, ensuring that running services have no security vulnerabilities or only acceptable ones. Third, continuous monitoring of image usage on the host side is provided, preventing the risk that the host side is attacked through an unknown image. Fourth, a real-time alert function is provided: whenever an image is detected to have a security vulnerability of its own, or an unknown image exists on the host side, an alert is immediately issued to the image developer or the system administrator.
The detailed description above describes one feasible embodiment of the invention; that embodiment is not intended to limit the patent scope of the invention, and any equivalent implementation or modification that does not depart from the technical spirit of the invention shall be included within the patent scope of this case.
1: Container image security detection system
11: Central control server
111: Scheduling module
12: Detection server
13: Centralized database
131: Inspection module
14: Host
100: Image file
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW109119672A TWI733490B (en) | 2020-06-11 | 2020-06-11 | System for detecting image file security and method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW109119672A TWI733490B (en) | 2020-06-11 | 2020-06-11 | System for detecting image file security and method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
TWI733490B (en) | 2021-07-11 |
TW202147159A TW202147159A (en) | 2021-12-16 |
Family
ID=77911184
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW109119672A TWI733490B (en) | 2020-06-11 | 2020-06-11 | System for detecting image file security and method thereof |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI733490B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI805514B (en) * | 2022-10-21 | 2023-06-11 | 台灣大哥大股份有限公司 | Traceability system and its method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101689238A (en) * | 2007-07-06 | 2010-03-31 | 富士通株式会社 | File management system, device, program, and computer readable recording medium where its program is recorded |
TW201714108A (en) * | 2015-10-14 | 2017-04-16 | 廣達電腦股份有限公司 | Security management method, computing system and non-transitory computer-readable storage medium |
TW201913374A (en) * | 2017-08-21 | 2019-04-01 | 中華電信股份有限公司 | Automated continuous integration system and method under microservice software development infrastructure including a code review system, a code security check module, an automatic test component, and a deployment function module |
Legal Events
2020-06-11 | TW application TW109119672A (patent TWI733490B) | active |
Also Published As
Publication number | Publication date |
---|---|
TW202147159A (en) | 2021-12-16 |