WO2024067479A1

WO2024067479A1 - Container escape detection method, electronic device, and system

Info

Publication number: WO2024067479A1
Application number: PCT/CN2023/121088
Authority: WO
Inventors: 陈念; 季冬
Original assignee: 华为技术有限公司
Priority date: 2022-09-29
Filing date: 2023-09-25
Publication date: 2024-04-04
Also published as: CN117827362A

Abstract

The present application provides a container escape detection method, an electronic device, and a system. The method comprises: when determining that a namespace where a process is located is an initial namespace, a host machine acquires the address of a cache region to which the process belongs; and when determining that the address of the cache region to which the process belongs is not equivalent to the address in the namespace where the process is located, the host machine prompts alarm information, the alarm information being used for prompting the occurrence of container escape in the process. By implementing embodiments of the present application, the accuracy is high, and container escape can be effectively detected.

Description

Container escape detection method, electronic device and system

This application claims the priority of the Chinese patent application filed with the State Intellectual Property Office of China on September 29, 2022, with application number 202211200843.7, and the priority of the Chinese patent application entitled "A method, electronic device and system for detecting container escape", all contents of which are incorporated by reference in this application.

Technical Field

Embodiments of the present application relate to virtualization technology, and more particularly to a method, electronic device, and system for detecting container escape.

Background technique

Container technology is a technology that packages applications into separate containers. It isolates each application and breaks the dependencies and connections between programs. In other words, with the support of container technology, a large service system can be composed of containers hosted by many different applications. Container technology effectively divides resources managed by a single operating system into isolated groups to better balance conflicting resource usage requirements between isolated groups. It is an operating system-level virtualization technology and is widely used due to its lightweight characteristics.

Users can create and run containers based on container images in a host machine, where the host machine can be a physical machine or a virtual machine. Each container has an independent process running space. Ideally, processes in a container can only run in the process running space of the container. However, when there is a malicious process in the container, the malicious process is likely to escape from the process running space of the container and then attack the host machine or other containers. This phenomenon is called container escape.

Currently, container escapes can be divided into the following four types: (1) container escapes caused by insecure configuration; (2) container escapes caused by insecure mounting; (3) container escapes caused by related program vulnerabilities; and (4) container escapes caused by kernel vulnerabilities. How to detect container escapes caused by kernel vulnerabilities is an urgent problem that the industry needs to solve.

Summary of the invention

The present application provides a method, electronic device and system for detecting container escape. In the method for detecting container escape, the host machine can prompt an alarm message when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located. The alarm message is used to prompt the process that the container escape has occurred. The method has high accuracy and can effectively detect container escape.

In a first aspect, an embodiment of the present application provides a method for detecting container escape, the method comprising:

When the host determines that the namespace where the process is located is the initial namespace, it obtains the address of the cache area to which the process belongs;

When the host determines that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, an alarm message is prompted, and the alarm message is used to prompt the process that the container escape occurs.

In the embodiment of the present application, the namespace where the process is located is the initial namespace, which means that the process can access the namespace indicated by init_nsproxy, in order to ensure the security of the namespace; therefore, the host can detect the process based on the address slab_cache of the cache area to which the process belongs; since slab_cache has a high credibility, slab_cache is compared with the address pid_cache in the namespace where the process is located; when the two are not equal, it can be determined that the process does not have the authority to access the namespace indicated by init_nsproxy, that is, the process has been maliciously tampered with, resulting in a container escape. This method has high accuracy and can effectively detect container escapes.

In combination with the first aspect, in a possible implementation manner, the method includes:

The host machine obtains the address of the cache area corresponding to the process based on the address space of the process.

In the embodiment of the present application, the address space pid_cachep of the process is not easily tampered with and has a high credibility. Therefore, the address slab_cache of the cache area corresponding to the process determined based on the address space pid_cachep of the process has a high credibility.

In combination with the first aspect, in a possible implementation manner, when the host machine determines that the namespace where the process is located is the initial namespace, obtaining the address of the cache area to which the process belongs includes:

When the host machine determines that the namespace where the process is located is the initial namespace, it obtains the user ID of the process;

When the host machine determines that the user identifier is the identifier of the root user, it obtains the address of the cache area to which the process belongs.

In combination with the first aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; and the identifier of the root user is zero.

In combination with the first aspect, in a possible implementation, when the host machine determines that the namespace where the process is located is the initial namespace, Get the address of the cache area to which the process belongs, including:

When the host determines that the namespace where the process is located is the initial namespace, it obtains the level of the namespace where the process is located;

When the host determines that the level is zero, it obtains the address of the cache area to which the process belongs.

In combination with the first aspect, in a possible implementation manner, before obtaining the address of the cache area to which the process belongs, the method further includes:

The host obtains the data structure of the process; the data structure includes the identifier of the namespace where the process is located;

When the host determines that the identifier nsproxy of the namespace where the process is located is equal to the identifier init_nsproxy of the initial namespace, it determines that the namespace where the process is located is the initial namespace.

In a second aspect, an embodiment of the present application provides a method for detecting container escape, the method comprising:

When the host determines that the mount point of the process is the root directory, it obtains the address of the cache area to which the process belongs;

In the embodiment of the present application, the mount point of the process is the root directory, which means that the process can access all files under the root directory. In order to ensure the security of the files under the root directory, the process needs to be detected; therefore, the host machine can detect the process based on the address slab_cache of the cache area to which the process belongs; since the address of the cache area to which the process belongs is more credible, the address of the cache area to which the process belongs is compared with the address pid_cache in the namespace where the process is located. When the two are not equal, it is considered that the process originally did not have the authority to access all files under the root directory, and the process has been maliciously tampered with, resulting in a container escape.

It should be noted that the embodiment of the present application adds a mount point-based detection mechanism in the kernel code, which can detect the behavior of escaping to the root directory and effectively monitor the container escape behavior that occurs by exploiting kernel vulnerabilities, thereby improving system security.

In conjunction with the second aspect, in a possible implementation manner, the method includes:

In conjunction with the second aspect, in a possible implementation, when the host machine determines that the namespace where the process is located is the initial namespace, obtaining the address of the cache area to which the process belongs includes:

When the host machine determines that the user identifier of the process is the identifier of the root user, it obtains the address of the cache area to which the process belongs.

In combination with the second aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; and the identifier of the root user is zero.

In conjunction with the second aspect, in a possible implementation manner, before obtaining the address of the cache area to which the process belongs, the method further includes:

The host obtains the data structure of the process; the data structure includes the mount point identifier of the process;

When the mount point identifier of the host is a root directory identifier, the mount point of the process is determined to be the root directory.

In a third aspect, an embodiment of the present application provides a device for detecting a container escape, the device comprising:

An acquisition unit, used for acquiring an address of a cache area to which the process belongs when it is determined that the namespace where the process is located is the initial namespace;

The prompt unit is used to prompt an alarm message when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, and the alarm message is used to prompt the process that the container escape occurs.

In the embodiment of the present application, the namespace where the process is located is the initial namespace, that is, the namespace that the process can indicate by init_nsproxy, in order to ensure the security of the namespace; therefore, the host machine can detect the process based on the address slab_cache of the cache area to which the process belongs; since slab_cache has a high credibility, slab_cache is compared with the address pid_cache in the namespace where the process is located; when the two are not equal, it can be determined that the process does not have the authority to access the namespace indicated by init_nsproxy, that is, the process has been maliciously tampered with, and the container escape occurs. This method has high accuracy and can effectively detect container escapes.

In conjunction with the third aspect, in a possible implementation manner, the acquiring unit is used to:

Based on the address space of the process, get the address of the cache area corresponding to the process.

In conjunction with the third aspect, in a possible implementation,

An acquisition unit, used for acquiring a user ID of the process when it is determined that the namespace where the process is located is the initial namespace;

The acquisition unit is used to acquire the address of the cache area to which the process belongs when it is determined that the user identifier is the identifier of the root user.

In combination with the third aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; and the identifier of the root user is zero.

In conjunction with the third aspect, in a possible implementation manner, the acquiring unit is configured to:

When it is determined that the namespace where the process is located is the initial namespace, the level of the namespace where the process is located is obtained;

When it is determined that the level is zero, the address of the buffer area to which the process belongs is obtained.

In combination with the third aspect, in a possible implementation manner, the device further includes a determining unit,

An acquisition unit, used for acquiring a data structure of a process; the data structure includes an identifier of a namespace where the process is located;

The determination unit is used to determine that the namespace where the process is located is the initial namespace when the identifier nsproxy of the namespace where the process is located is equal to the identifier init_nsproxy of the initial namespace.

In a fourth aspect, an embodiment of the present application provides a device for detecting a container escape, the device comprising:

An acquisition unit, used for acquiring an address of a cache area to which the process belongs when it is determined that the mount point of the process is a root directory;

In the embodiment of the present application, the namespace nsproxy where the process is located is the initial namespace init_nsproxy, which means that the process can be indicated by init_nsproxy. To ensure the security of the namespace, the host can detect the process based on the address slab_cache of the cache area to which the process belongs. Since slab_cache has a high credibility, slab_cache is compared with the address pid_cache in the namespace where the process is located. When the two are not equal, it can be determined that the process does not have the authority to access the namespace indicated by init_nsproxy, that is, the process has been maliciously tampered with, resulting in a container escape. This method has high accuracy and can effectively detect container escapes.

In conjunction with the fourth aspect, in a possible implementation manner, the acquiring unit is used to:

When it is determined that the namespace where the process is located is the initial namespace, the user ID of the process is obtained;

When it is determined that the user identifier of the process is the identifier of the root user, an address of the buffer area to which the process belongs is obtained.

In combination with the fourth aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; and the identifier of the root user is zero.

In conjunction with the fourth aspect, in a possible implementation manner, the device further includes a determining unit,

An acquisition unit, used for acquiring a data structure of a process; the data structure includes a mount point identifier of the process;

The determination unit is used to determine that the mount point of the process is the root directory when the mount point identifier is the root directory identifier.

In a fifth aspect, an embodiment of the present application provides a method for detecting container escape, the method comprising:

When the host determines that the mount point of the process is the root directory, it obtains the target data from the data structure of the process;

When the target data meets the preset conditions, the host prompts an alarm message, which is used to prompt the process that the container escapes.

In an embodiment of the present application, a mount point-based detection mechanism is added to the kernel code, which can detect the behavior of escaping to the root directory and effectively monitor the container escape behavior that occurs by exploiting kernel vulnerabilities, thereby improving system security.

In conjunction with the fifth aspect, in a possible implementation, the target data is a level of the namespace in which it is located; when the target data meets a preset condition, the host machine prompts an alarm message, including:

When the host determines that the level of the namespace where the process is located is zero, it prompts a warning message.

In conjunction with the fifth aspect, in a possible implementation, the target data is a user identifier of the process; the host machine When setting conditions, warning information is prompted, including:

When the host machine determines that the user ID of the process is the ID of the root user, it prompts a warning message.

In combination with the fifth aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; and the root user's identifier is zero.

In conjunction with the fifth aspect, in a possible implementation manner, the method further includes:

In a sixth aspect, an embodiment of the present application provides a device for detecting a container escape, the device comprising:

An acquisition unit, used for acquiring target data from a data structure of the process when it is determined that the mount point of the process is a root directory;

The prompt unit is used for the host machine to prompt an alarm message when the target data meets the preset conditions. The alarm message is used to prompt the process that the container escape occurs.

In conjunction with the sixth aspect, in a possible implementation manner, the target data is a level of the namespace in which it is located; and the prompt unit is used to:

When it is determined that the level of the namespace where the process is located is zero, a warning message is prompted.

In conjunction with the sixth aspect, in a possible implementation manner, the target data is a user identifier of the process; and the prompting unit is used to:

In combination with the sixth aspect, in a possible implementation manner, the user identifier is at least one of a user identifier UID and a user group identifier GID; and the root user's identifier is zero.

In conjunction with the sixth aspect, in a possible implementation manner, the apparatus further includes a determining unit:

The determination unit is used to determine that the mount point of the process is the root directory when the mount point identifier of the host machine is the root directory identifier.

In a seventh aspect, an embodiment of the present application provides an electronic device, comprising one or more functional modules, which can be used to execute a method for detecting container escape as in any possible implementation of the first aspect described above.

In an eighth aspect, the present application provides a computer storage medium, comprising computer instructions, which, when executed on an electronic device, causes a communication device to execute a method for detecting container escape in any possible implementation of any of the above aspects.

In a ninth aspect, the present application provides a computer program product, which, when executed on a computer, enables the computer to execute a method for detecting container escape in any possible implementation of any of the above aspects.

In a tenth aspect, the present application provides a chip, comprising: a processor and an interface, wherein the processor and the interface cooperate with each other so that the chip executes the container escape detection method in any possible implementation of any of the above aspects.

It is understandable that the electronic device provided in the seventh aspect, the computer-readable storage medium provided in the eighth aspect, the computer program product provided in the ninth aspect, and the chip provided in the tenth aspect are all used to execute the method provided in the embodiment of the present application. Therefore, the beneficial effects that can be achieved can refer to the beneficial effects in the corresponding method, which will not be repeated here.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a hierarchical relationship diagram of a namespace provided in an embodiment of the present application;

FIG2 is a schematic diagram of a detection process provided in an embodiment of the present application;

FIG3 is a schematic diagram of a detection system provided in an embodiment of the present application;

FIG4 is a schematic diagram of a scenario of container escape provided by an embodiment of the present application;

FIG5 is a schematic diagram of another scenario of container escape provided by an embodiment of the present application;

FIG6 is a flow chart of a method for detecting container escape provided in an embodiment of the present application;

FIG7 is a flow chart of another method for detecting container escape provided in an embodiment of the present application;

FIG8A is a flow chart of a method for detecting container escape provided in an embodiment of the present application;

FIG8B is a flow chart of another method for detecting container escape provided in an embodiment of the present application;

FIG9A is a flow chart of a method for detecting container escape provided in an embodiment of the present application;

9B is a flow chart of another method for detecting container escape provided in an embodiment of the present application;

FIG. 10 is a schematic structural diagram of a container escape detection device 100 provided in an embodiment of the present application;

FIG. 11 is a schematic structural diagram of a container escape detection device 110 provided in an embodiment of the present application;

FIG. 12 is a schematic structural diagram of another container escape detection device 120 provided in an embodiment of the present application.

Detailed ways

The technical solutions in the embodiments of the present application will be described clearly and in detail below in conjunction with the accompanying drawings. In the description of the embodiments of the present application, unless otherwise specified, "/" means or, for example, A/B can mean A or B; "and/or" in the text is only a description of the association relationship of the associated objects, indicating that there can be three relationships, for example, A and/or B can mean: A exists alone, A and B exist at the same time, and B exists alone. In addition, in the description of the embodiments of the present application, "multiple" means two or more than two.

In the following, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as suggesting or implying relative importance or implicitly indicating the number of the indicated technical features. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of the features, and in the description of the embodiments of the present application, unless otherwise specified, "plurality" means two or more.

The following is an introduction to the technical terms involved in this application.

1. Container Technology

1. Container: An instance created based on an image. The instance is an object that includes the user configuration and running configuration required to implement the functions of the image. A container is a running instance created by an image. It can be started, started, stopped, and deleted. Each container is isolated from each other and ensures security. The container provides an isolated environment for running programs, and the container strictly controls the resources that the programs in it can access.

Containers provide isolated operating spaces for applications: each container contains a complete user environment space that is exclusive to it, and changes in one container will not affect the operating environment of other containers. To achieve this effect, container technology uses a series of system-level mechanisms such as using Linux namespaces to isolate spaces, using file system mount points to determine which files containers can access, and using cgroups to determine how many resources each container can use. In addition, containers share the same system kernel, so when the same library is used by multiple containers, memory usage efficiency will be improved.

2. Container escape: refers to the following process and results: First, the attacker has obtained the ability to execute commands under certain permissions in the container by hijacking the containerized business logic or directly controlling it (CaaS and other scenarios where container control is legally obtained). The attacker uses this command execution capability to further obtain the ability to execute commands under certain permissions on the direct host machine where the container is located (it is common to see the scenario of "physical machines running virtual machines, and virtual machines running containers". The direct host machine in this scenario refers to the virtual machine outside the container).

(2) Namespace

1. Namespace is mainly used for resource isolation. Resources in different namespaces are not visible. The main resources implemented by namespace are: IPC/NetWork/Mount/PID/User/UTS/Cgroup.

Currently, there are six different namespaces implemented, namely mount namespace, UTS namespace, inter-process communication (IPC) namespace, user namespace, process identifier (PID) namespace, and network namespace. In simple terms, namespace provides an abstraction of global resources. Resources are placed in different namespaces. The resources in each namespace are isolated from each other and are called by different processes. Resources are placed in different containers (different namespaces), and each container is isolated from each other.

2. Namespace

(1) The PID number is the kernel's unique identifier for distinguishing each process.

The PID number is a number assigned to a process in Linux to uniquely identify it in its namespace. It is called the process ID number, or PID for short. When using the fork or clone system call, the process generated will be assigned a new unique PID value by the kernel.

(2) Namespaces also have a hierarchical relationship.

The level of the namespace where the process is located: represents the level of the current namespace. The initial namespace has a level of 0, and its sub-namespace has a level of 1, and so on. The sub-namespace is visible to the parent namespace. From a given level setting, the kernel can infer how many IDs the process will be associated with.

Namespace also has the concept of hierarchy. Level indicates the hierarchy of different namespaces. Level indicates which layer the namespace is in. When creating a child process through the clone function or fork function, you can specify whether to create a new namespce. If not specified, the namespce of the parent process is integrated by default; otherwise, a new namespce is created and the level in task_struct is increased by 1.

A high-level namespace can be seen by a low-level namespace. A high-level process has multiple PID numbers. For example, the system defaults to namespace mirroring level0, and a new namespace called level1 is created under level0, and a process is run in level. The PID number of this process in level is 1. Because the higher-level PID namespace needs to be seen by the lower-level PID namespace, this process is PID xxx in level0, and the PID number xxx is assigned according to the PID sequence in level0.

FIG. 1 exemplarily shows a hierarchical relationship diagram of a namespace.

As shown in Figure 1, there are four namespaces, one parent namespace derives two child namespaces; the parent namespace has a level 0 (i.e., level 0); the child namespace has a level 1 (i.e., level 1). Taking the namespace as an example, since each namespace is isolated from each other, each namespace can have a process with PID number 1; but due to the hierarchical nature of the namespace, the parent namespace knows the existence of the child namespace, and the child namespace must be mapped to the parent namespace. Therefore, the six processes of the two child namespaces in level 1 in Figure 1 are mapped to PID numbers 5 to 10 of their parent namespaces respectively.

(III) Process

1. A process is a program or command being executed. Each process is a running entity, has its own address space, and occupies certain system resources. Once a program is running, it is a process.

A process can be seen as an instance of program execution. A process is an independent entity allocated by system resources, and each process has an independent address space. A process cannot access the variables and data structures of another process. If you want a process to access the resources of another process, you need to use inter-process communication, such as pipes, files, sockets, etc.

A process is a dynamic entity consisting of a text segment, a user data segment, and a system data segment. The system data segment stores the control information of the process, including the process control block (PCB).

2. PCB is a data structure used to describe and control the operation of a process. It is part of the process entity and the most important record-type data structure in the operating system. Generally, PCB contains the following:

(1) Process identifier (internal, external): used to uniquely identify a process;

(2) Processor information (general registers, instruction counter, program status word PSW, user stack pointer);

(3) Process scheduling information (process status, process priority, other information required for process scheduling, events);

(4) Process control information (address of program data, resource list, process synchronization and communication mechanism, link pointer);

The content defined in the data structure provides support for subsequent management, so different operating systems have made some adjustments to the content of the PCB according to their own characteristics. Different operating systems have different PCB structures.

The Linux process control block is a data structure defined by the structure task_struct, which includes various information required to manage the process. All process control blocks of the Linux system are organized into a structure array.

3. Linux process control block (task_struct)

task_struct is the unique identifier of the process and the core of the Linux process entity.

The Linux kernel uses the task_struct data structure to associate all process-related data and structures. All algorithms in the Linux kernel involving processes and programs are built around this data structure, which is one of the most important data structures in the kernel.

When creating a new process, the system applies for an empty task_struct area in memory, that is, an idle PCB block, and fills in the required information. At the same time, the pointer to the structure is filled into the task[] array. The PCB of the currently running process is pointed out by the pointer array current_set[]. This is because Linux supports multi-processor systems, and there may be multiple processes running simultaneously in the system, so current_set is defined as a pointer array.

(IV) Mounting

Mount namespace is used to isolate the mount points of the file system, so that different mount namespaces have their own independent mount point information, and different namespaces will not affect each other.

1. Mounting: usually mounting a storage device to an existing directory. Accessing this directory means accessing the contents of the storage device.

For Linux systems, everything is a file. All files are placed in a tree-like directory structure starting from the root directory. Any hardware device is also in the form of a file. For example, if Linux wants to use a USB flash drive hardware device, it must combine the Linux directory and the hardware device's file directory into one. This process is called mounting.

2. Mount point: The mount operation will hide the files in the original Linux directory, so choose the Linux directory itself. It is best to create a new empty operation directory for mounting. After mounting, this operation directory is called a mount point.

3. Root Directory

The root directory of the Linux system (/): The file system of Linux and UNIX is a hierarchical tree file structure with "/" as the root, so "/" is called the root directory. Every file and directory starts from here.

Only the root user has write permission in this directory. This directory is different from the /root directory, which is the home directory of the root user.

In Linux, the root directory “/” is located at the top level of the file system directory structure. It is the top-level directory. All files and directories are placed under the root directory “/”; under the root directory “/” there are also subdirectories such as “/bin”, “/home”, and “/usr”.

5. Linux users and user groups

The system manager authorizes each process to use a given user identifier (UID). Each started process has a UID of the user who started it. A child process has the same UID as the parent process. A user can be a member of a group, and each group also has a group identifier (GID).

1. User identifier UID: An integer used by the system to distinguish different users.

Linux uses a 32-bit integer to record and distinguish different users. This number that distinguishes different users is called User ID, or UID for short. Users in the Linux system are divided into three categories, namely ordinary users, root users, and system users.

Among them, the root user is also called the administrator account, and its UID is usually 0. The root user can manage ordinary users and the entire system. Ordinary users refer to all real users who use the Linux system. For example, the UID of ordinary users can be specified by the administrator when they are created. If not specified, the UID of ordinary users can be greater than 500; the user's UID can also be numbered sequentially from 1000 to 60000 by default. System users refer to users who are required for the system to run, but are not real users. In other words, system users are automatically created during the installation process and do not have the ability to log in to the system.

2. User group identifier GID: An integer used by the system to distinguish different user groups.

In Linux systems, there are users and user groups. Different user groups are also distinguished by numbers. This ID used to distinguish different user groups is called Group ID, or GID.

UID and GID are managed by the Linux kernel and are used by kernel-level system calls to determine whether a request should be granted privileges. For example, when a process attempts to write to a file, the kernel checks the UID and GID of the creating process to determine whether it has sufficient permissions to modify the file.

All containers running on the same host share the same kernel (the kernel of the host). The great value brought by containerization is that all these independent containers (actually processes) can share a kernel. This means that even if there are hundreds or thousands of containers running on the Docker host, there is still only one set of UIDs and GIDs controlled by the kernel. So the same UID represents the same user in the host and the container (even if different user names are displayed in different places).

(VI) Slab is a memory allocation mechanism of the Linux operating system. The slab allocation algorithm uses cache to store kernel objects.

Its work is to target some frequently allocated and released objects, such as process descriptors. The size of these objects is generally small. If the buddy system is used directly for allocation and release, it will not only cause a large amount of memory fragmentation, but also the processing speed will be too slow. The slab allocator is managed based on objects. Objects of the same type are classified into one category (such as process descriptors). Whenever such an object is requested, the slab allocator allocates a unit of this size from a slab list, and when it is released, it is saved in the list again instead of being returned directly to the buddy system, thus avoiding internal fragmentation. The slab allocator does not discard the allocated objects, but releases and stores them in memory. When a new object is requested in the future, it can be obtained directly from the slab without repeated initialization.

The organization of the object cache, the memory area of the cache is divided into multiple slabs, each slab consists of one or more consecutive page frames, which contain both allocated objects and free objects.

The slab allocation algorithm uses a cache to store kernel objects. When a cache is created, it initially contains a number of objects marked as free. The number of objects depends on the size of the slab. Initially, all objects are marked as free. When an object of a kernel data structure is needed, it can be directly obtained from the cache and the object is initialized for use.

Next, consider how the kernel allocates slabs to objects that represent process descriptors. In Linux systems, the type of a process descriptor is struct task_struct, which is about 1.7KB in size. When the Linux kernel creates a new task, it obtains the memory required for the struct task_struct object from the cache. There will be a struct task_struct object allocated and marked as free in the cache to satisfy the request.

Linux slabs can have three states:

Full: All objects in the slab are marked as used.

Empty: All objects in the slab are marked as free.

Partial: Some objects in the slab are marked as used, and some are marked as free.

The slab allocator first allocates from some free slabs. If there are, it allocates from the empty slab. If not, it allocates a new slab from the physical continuous page, assigns it to a cache, and then allocates space from the new slab.

The following is an example of a container escape situation.

First, let's introduce the process data structure task_strcut.

In the Linux system, each process includes a process control block PBC in the kernel, which contains all the information of the process, that is, a data structure (task_strcut). The task_strcut of a process includes the following information:

(1) Process ID: including PID/UID or GID

(2) Process status

(3) Process scheduling information

(4) Process priority

(5) Process communication information

(6) Mount point identifier: indicates the file system fs that the process can operate, including reading and writing files

(7) The namespace identifier of the process (nsproxy): used to identify the namespace to which the process belongs

in:

1.nsproxy: The pointer points to the namespace-related domain. Through nsproxy, you can know which PIDnamespace the task_struct belongs to.

Since the Linux kernel provides multiple namespaces such as PID namespace, a process may belong to multiple namespaces. In order to simplify task_struct, the kernel introduces nsproxy to uniformly manage the namespaces to which processes belong.

nsproxy stores a set of pointers to various namespace types, acting as a proxy for processes to access various namespaces. Since multiple processes may have exactly the same namespace, nsproxy can be shared between processes. The count field in nsproxy is responsible for recording the number of references to the structure.

2. Initial namespace identifier init_nsproxy: The system predefines an init_nsproxy, which is used as the default nsproxy. init_nsproxy defines the initial global namespace, which stores pointers to the initial namespace objects of each subsystem and has higher permissions.

Based on the above, an attacker can exploit certain kernel vulnerabilities to tamper with the nsproxy in the process task_struct into init_nsproxy, thereby achieving privilege escalation.

Next, an existing technology for detecting the escape of the above-mentioned container is introduced.

In 2019, a preliminary detection mechanism was released to the public. It detects the escape to the init namespace by detecting whether the nsproxy of the process is init_nsproxy, whether the current process is a root process, and whether the level of the current process is 0. The root process refers to a process running with root privileges. The specific detection process can be seen in Figure 2.

As shown in Figure 2, the host machine can first obtain the task_strcut of the current process, and obtain nsproxy from the task_strcut; when nsproxy is not initnsproxy, end the detection; when nsproxy is initnsproxy, check whether the UID or GID of the current process is the UID or GID of the root user; when the UID or GID of the current process is not the UID or GID of the root user, end the detection; when the UID or GID of the current process is the UID or GID of the root user, check whether the level of the namespace of the current process is 0; when the level of the namespace of the current process is 0, end the detection; when the level of the UID or GID of the current process is not 0, it is determined that the process has a container escape, and a warning message (i.e., an alarm) can be prompted.

The detection principle of Figure 2 is that it is assumed that the nsproxy of the process is init nsproxy, and the process is a root process with a level of 0, indicating that it is a root process with a level of 0. Since the level is 0, the namespace of all child nodes can be operated, but the namaspce of the mount point in the nsproxy data structure is separate, so here all namespaces except fs are obtained.

Among them, level indicates the level of different namespaces. Level indicates which layer the namespace is in. When cloning or forking a child process, you can specify whether to create a new namespce. If not specified, the namespce of the parent process is integrated by default. Otherwise, a new namespce will be created and the level in task_struct will be increased by 1.

However, the method shown in Figure 2 cannot deal with container escapes caused by other kernel vulnerabilities. For example, if an attacker changes the UID and GID in the task_struct structure to the UID and GID of the root user and changes the level of the current process to 0, the detection mechanism shown in Figure 2 can be bypassed; for another example, when an attacker exploits a kernel vulnerability to tamper with the operating directory (i.e., the mount point) of the attack process to the root directory, the detection mechanism shown in Figure 2 can be bypassed to achieve the behavior of obtaining the namespace of fs.

The system architecture and business scenarios of the embodiments of the present application are described below. It should be noted that the system architecture and business scenarios described in this application are intended to more clearly illustrate the technical solutions of the present application and do not constitute a limitation on the technical solutions provided by the present application. It is known to those skilled in the art that with the evolution of the system architecture and the emergence of new business scenarios, the technical solutions provided by the present application are also applicable to similar technical problems.

In order to more clearly and in detail introduce the container escape detection method provided in the embodiment of the present application, the detection system provided in the embodiment of the present application is first introduced below.

Please refer to Figure 3, which is a schematic diagram of a detection system provided in an embodiment of the present application.

As shown in FIG3 , the system includes a physical machine and one or more virtual machines (VMs) running on an operating system of the physical machine (only virtual machine 1 , virtual machine 2 , and virtual machine 3 are shown in FIG3 ).

Among them, the physical machine is responsible for the management and allocation of hardware resources, and presents a virtual hardware platform to the virtual machine, for example, providing the virtual machine with a virtual CPU, memory, virtual disk, virtual network card, etc. One or more containers can be created in a virtual machine. FIG3 exemplarily shows two containers in virtual machine 1, container 1 and container 2; two containers in virtual machine 2, container 3 and container 4; and two containers in virtual machine 3, container 5 and container 6. Virtual machines can use containers to provide relatively independent and isolated operating environments for processes. For example, container 1 supports the operation of process 1, and container 2 supports the operation of process 2.

in:

(1) Virtual Machine: refers to one or more virtual computers simulated on a physical computer. These virtual machines can work like real physical computers.

(2) Process: It is an entity that executes instructions. A process can be used to run a program to execute various instructions.

(3) Container: used to provide a relatively independent and isolated operating environment for a process. For example, a container includes an independent file system, namespace, resource view, etc. Container instance: After a process runs in the environment provided by a container, the container can be called a container instance.

In some embodiments, the physical machine may include: a central processing unit (CPU), memory, hard disk, motherboard, and 3D processing graphics card, etc., and based on these hardware, the physical machine may include a virtual machine manager (VMM) module and at least one virtual machine, and the VMM and VM are software modules in the physical machine, wherein:

The CPU is used to execute various logical calls; the VMM is used to create at least one virtual machine and virtualize the physical resources in the physical machine into multiple virtual resources for use by the virtual machines; and each virtual machine has independent storage and computing units, and the functions and structures of each virtual machine are similar.

The container escape detection method provided in the embodiment of the present application is executed by a host machine, which may be the above-mentioned physical machine or the above-mentioned virtual machine.

It can be understood that the detection system shown in FIG. 3 is only an exemplary implementation of the embodiment of the present application, and the system architecture in the embodiment of the present application includes but is not limited to the above architecture.

Since the host machine is a shared kernel, when an attacker exploits a kernel vulnerability to escape to a privileged container, the container escape detection method provided by the embodiment of the present application can effectively detect such escape behavior and take corresponding countermeasures against such behavior. Among them, privileged containers refer to some namespaces with higher permissions, such as init_nsproxy.

Next, some application scenarios of the method for detecting container escape in the embodiment of the present application are introduced exemplarily. The method for detecting container escape provided in the embodiment of the present application can detect that a process in the following three scenarios has a container escape.

In the first scenario, an attacker can exploit a kernel vulnerability to change the UID or GID of a process to 0, change the nsproxy of the process to init_nsproxy, and change the level of the process namespace to 0, that is, UID or GID = 0, tsk->nsproxy = init_nsproxy, PID->level = 0. When the detection program (display message, dmesg) has no detection log, the detection shown in Figure 2 can be successfully bypassed; then, the attacker can obtain other namespaces except the mount namespace through the process.

In this scenario, the container escape can be detected by the container escape detection method shown in FIG. 6 or FIG. 7 .

In the second scenario, an attacker can exploit a kernel vulnerability to modify the user ID or GID of a process to 0, and modify the mount point (tsk->fs) to the root directory (init_task->fs), thus successfully bypassing the detection shown in Figure 2. Then, the attacker can obtain the namespace of the mounted file system through the process. For example, as shown in Figure 4, assuming that the process before modification can only obtain the contents of the rop directory, when the attacker modifies its UID or GID to 0 and changes the mount point to the root directory, the modified process can obtain the mounted file system fs, that is, the namespace of fs.

In this scenario, the container escape can be detected by the container escape detection method shown in Figures 8A to 9B.

In the third scenario, an attacker can exploit a kernel vulnerability to change the user ID or GID of a process to 0, modify the nsproxy of the process to init_nsproxy, and modify the level of the namespace of the process to 0, that is, tsk->nsproxy = init_nsproxy, PID->level = 0, and tsk->fs to init_task->fs, successfully bypassing the detection shown in Figure 2; then, the attacker can obtain all namespaces through the process. As shown in Figure 5, the modified process can obtain the root user's permissions; further, obtain the host name (hostname) of the host machine; obtain the host machine's network card information; and obtain the host machine's file mount.

The following is a detailed description of the method for detecting container escape provided by an embodiment of the present application.

Please refer to Figure 6, which is a method for detecting container escape provided by an embodiment of the present application. The method may include some or all of the following steps:

S101: The host machine detects whether the namespace where the process is located is an initial namespace.

In one implementation, the host machine can obtain the data structure (task_struct) of the process, task_struct including the identifier nsproxy of the namespace where the process is located; the host machine can detect whether the namespace where the process is located is the initial namespace (task->nsproxy == init nsproxy); when it is determined that the identifier nsproxy of the namespace where the process is located is equal to the identifier init_nsproxy of the initial namespace, it is determined that the namespace where the process is located is the initial namespace; when it is determined that the namespace where the process is located is the initial namespace, step S102 is executed; when it is determined that the namespace where the process is located is not the initial namespace, step S104 is executed.

In some embodiments, the host machine may start to detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy (copy namespace) related operations, that is, start to execute step S101. It should be noted that the present application can be applied to scenarios with high real-time escape detection.

It should be noted that nsproxy stores a set of pointers to various types of namespaces, acting as a proxy for processes to access various namespaces. Since multiple processes may have exactly the same namespace, nsproxy can be shared between processes; init_nsproxy stores pointers to the initial namespace objects of each subsystem and has higher permissions. The process can access all namespaces except the mounted file system fs. To ensure the security of the namespace, the embodiment of the present application can execute step S102 to continue to detect the process.

S102: The host machine detects whether the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.

In one implementation, the host machine can obtain the address space pid_cachep of the process; then, based on pid_cachep, determine the address slab_cache of the cache area corresponding to the process; when slab_cache is equal to the address pid_cache in the namespace where the process is located, determine that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.

In some embodiments, the host executes step S104 when the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located; and executes step S103 when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located.

It should be noted that, in order to solve the container escape problem by modifying the namepsace related data structure using kernel vulnerabilities, adding a slab_cache-based detection mechanism in the kernel code can enhance the detection of container escape behavior.

S103: The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.

In some embodiments, the host machine may display a warning message on the screen, where the warning message is used to indicate that a container escape has occurred in the current process. The warning message may include information about the current process.

It should be noted that the host machine may also use other methods to prompt warning information, such as recording the escape behavior of the current process through the kernel dmesg, or restarting the host machine. The embodiment of the present application does not limit the method of prompting warning information by the host machine.

S104: The host machine ends the detection.

In one implementation, the host machine ends the detection when it determines that the namespace where the process is located is not the initial namespace. It should be noted that if the nsproxy of the process is init_nsproxy, the process can access all namespaces except the mounted file system fs. To ensure the security of the namespace, the embodiment of the present application needs to detect the process; if the nsproxy of the process is not init_nsproxy, the host machine can end the detection of the process.

In another implementation, the host machine ends the detection when it determines that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located. It should be noted that the address of the cache area to which the process belongs has a high credibility. When the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, it can be proved that the process does have the permission to access the namespace where the process is located, so the detection of the process can be ended.

The method embodiment shown in Figure 6 above includes many possible implementation schemes. Some of the implementation schemes are illustrated below in conjunction with Figure 7. It should be noted that the relevant concepts, operations or logical relationships not explained in Figure 7 can refer to the corresponding descriptions in the embodiment shown in Figure 6.

Please refer to Figure 7, which is a flow chart of another method for detecting container escape provided by an embodiment of the present application. The method may include some or all of the following steps:

S201: The host machine obtains the data structure of the process.

The data structure (task_struct) may include an identifier nsproxy of the namespace where the process is located, a user identifier UID or GID, and a level of the namespace where the process is located.

In some embodiments, the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts executing step S201. It should be noted that the present application can be applied to scenarios with high real-time escape detection.

Among them, task_struct is the process control block PCB under Linux, which contains all the information of a process, including the UID of the process.

It should be noted that different operating systems have different process control blocks (PCB). PCB is a data structure used to describe and control the operation of a process. It is part of the process entity and the most important record-type data structure in the operating system. The Linux process control block is a data structure defined by the task_struct structure, which includes various information needed to manage the process, such as the nsproxy mentioned above.

S202: The host machine detects whether the namespace where the process is located is an initial namespace.

In one implementation, the host machine can detect whether the namespace where the process is located is the initial namespace (task->nsproxy == init nsproxy), that is, check whether the process task->nsproxy is equal to init_proxy; when it is determined that the identifier nsproxy of the namespace where the process is located is equal to the identifier init_nsproxy of the initial namespace, it is determined that the namespace where the process is located is the initial namespace; when it is determined that the namespace where the process is located is the initial namespace, execute step S203; otherwise, execute step S207.

S203: The host machine detects whether the user identifier is the root user's identifier.

The user identifier may be at least one of a user identifier UID and a user group identifier GID; the root user identifier may be zero.

In some embodiments, when at least one of the user identifier UID and the user group identifier GID is zero, the host executes step S204; when it is determined that the user identifier is not an identifier of the root user, the host executes step S207.

S204: The host machine detects whether the level of the namespace where the process is located is zero.

In some embodiments, the host machine detects whether the process level is zero; when the level of the namespace where the process is located is zero, step S205 is executed; when it is determined that the level of the namespace where the process is located is not zero, step S206 is executed.

The level of the namespace where the process is located: represents the level of the current namespace. The initial namespace has a level of 0, and its sub-namespace has a level of 1, and they increase in sequence. The sub-namespace is visible to the parent namespace. From a given level setting, the kernel can infer how many IDs the process will be associated with.

S205: The host machine detects whether the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.

In one implementation, the host machine can obtain the address space pid_cachep of the process; then, based on pid_cachep, determine the address slab_cache of the cache area corresponding to the process, for example, find the head address (virt_to_head_page) of the slab_cache of the namespace according to the pid_cachep of the process, that is, find the head address of the page according to the pid of the process; determine whether it is the same as the pid_cache of the current namespace, that is, check the slab_cache of the process == ns->pid cachep, that is, check whether it is the same as the slab_cache of the namespace where the process is located; when slab_cache is equal to the address pid_cache in the namespace where the process is located, determine that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.

Among them, page is the virtual address space of the object; slab_cache is the slab manager pointed to by the current page, and subsequent memory allocations are all based on this cache; pid_cachep is the address of the slab that points to the allocated pid.

In some embodiments, when the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, the host executes step S207; when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, the host executes step S206.

It should be noted that S205 is a detection for slab_cache. The principle is (1) the no merge attribute is set when the namespace slab_cache is created, and caches of similar sizes are not allowed to merge; (2) when the process pid_cachep is allocated, a new slab cache is directly created; (the pid_cachep of each process is different). In other words, based on the no merge attribute, when the process is created, a new memory is directly created, so there will be no reuse scenario, that is, the slab address of each process must be different. Among them, merge is a feature of the slab allocator. When the merge attribute is specified, when allocating cache memory, if a cache block of similar size that can be reused is found, it is directly referenced by aliasing without re-creating.

S206: The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.

In one implementation, when the host machine determines that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, it determines that the process has been detected to have escaped; then, an alarm message is prompted.

S207: The host machine ends the detection.

In another implementation, the host machine ends the detection when it determines that the user identifier of the process is not the identifier of the root user. It should be noted that when the user identifier of the process is not the identifier of the root user, the process has low authority and the possibility of container escape is low, so the detection is ended.

Please refer to Figure 8A, which is a flow chart of a method for detecting container escape provided by an embodiment of the present application. The method may include some or all of the following steps:

S301: The host machine detects whether the mount point of the process is a root directory.

In one implementation, the host machine can obtain the data structure (task_struct) of the process, task_struct includes the mount point identifier fs of the process; the host machine can detect whether the mount point identifier of the process is the root directory identifier (task->fs == init task.fs), that is, check whether the task->fs of the process is equal to init_task->fs; when it is determined that the mount point identifier of the process is equal to the root directory identifier, it is determined that the mount point of the process is the root directory; when it is determined that the mount point of the process is the root directory, execute step S302; otherwise, execute step S304.

In some embodiments, the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts to execute step S301. It should be noted that the present application can be applied to scenarios with high real-time escape detection.

The mount point is an operation directory. It should be noted that the mount operation will hide the files in the original Linux directory, so it is best to select the Linux directory itself and create an empty operation directory for mounting. After mounting, this operation directory is called a mount point.

The mount point identifier is used to indicate the file system fs that the process can operate, including reading and writing files.

It should be noted that S301 is a bypass detection for init_fs, that is, adding an fs-based detection mechanism in the kernel code to detect the escape behavior of escaping to the root directory.

S302: The host machine detects whether the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.

In some embodiments, the host executes step S304 when the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located; and executes step S303 when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located.

S303: The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.

S304: The host machine ends the detection.

In one implementation, the host machine ends the detection when it determines that the mount point of the process is not the root directory. It should be noted that if the mount point of the process is the root directory, the process can access all files except the mounted file system fs. To ensure the security of all files of the mounted file system fs, the embodiment of the present application needs to detect the process; if the mount point of the process is the root directory, the host machine can end the detection of the process.

In another implementation, the host machine ends the detection when it determines that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located. It should be noted that the address of the cache area to which the process belongs has a high credibility. When the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, it can be proved that the process does have the permission to access the namespace where the process is located, so the detection can be ended. Process detection.

The method embodiment shown in FIG. 8A above includes many possible implementation schemes. Some of the implementation schemes are illustrated below in conjunction with FIG. 8B. It should be noted that related concepts, operations or logical relationships not explained in FIG. 8B can refer to the corresponding descriptions in the embodiment shown in FIG. 8A.

Please refer to Figure 8B, which is a flow chart of another method for detecting container escape provided by an embodiment of the present application. The method may include some or all of the following steps:

S401: The host machine obtains the data structure of the process.

The data structure (task_struct) may include a mount point identifier of the process, a user identifier UID or GID, and a level of the namespace where the process is located.

In some embodiments, the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts to execute step S401. It should be noted that the present application can be applied to scenarios with high real-time escape detection.

S402: The host machine detects whether the mount point of the process is a root directory.

In one implementation, the host machine can obtain the data structure (task_struct) of the process, task_struct including the mount point identifier fs of the process; the host machine can detect whether the mount point identifier of the process is the root directory identifier (task->fs == init task.fs); when it is determined that the mount point identifier of the process is equal to the root directory identifier, the mount point of the process is determined to be the root directory; when it is determined that the mount point of the process is the root directory, execute step S403; otherwise, execute step S407.

S403: The host machine detects whether the user identifier is the root user identifier.

In one implementation, the host machine checks whether the user identifier is the root user's identifier, that is, checks the UID/GID of the process to see whether the current process is a ROOT process.

In some embodiments, when at least one of the user identifier UID and the user group identifier GID is zero, the host executes step S404; when it is determined that the user identifier is not an identifier of the root user, the host executes step S407.

S404: The host machine detects whether the level of the namespace where the process is located is zero.

In some embodiments, the host machine detects whether the process level is zero, that is, checks whether the nsproxy level of the process is the level (0) of init_proxy; when the level of the namespace where the process is located is zero, execute step S405; when it is determined that the level of the namespace where the process is located is not zero, execute step S406.

S405: The host machine detects whether the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.

In one implementation, the host machine can obtain the address space pid_cachep of the process; then, based on pid_cachep, determine the address slab_cache of the cache area corresponding to the process, for example, find the head address (virt_to_head_page) of the namespace slab_cache according to the pid_cachep of the process; determine whether it is the same as the pid_cache of the current namespace, that is, check the process's slab_cache == ns->pid cachep; when slab_cache is equal to the address pid_cache in the namespace where the process is located, determine that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.

In some embodiments, when the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, the host executes step S407; when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, the host executes step S406.

It should be noted that S405 is a detection for slab_cache. The principle is (1) the no merge attribute is set when the namespace slab_cache is created, and caches of similar sizes are not allowed to merge; (2) when the process pid_cachep is allocated, a new slab cache is directly created; (the pid_cachep of each process is different). In other words, based on the no merge attribute, when the process is created, a new memory is directly created, so there will be no reuse scenario, that is, the slab address of each process must be different. Among them, merge is a feature of the slab allocator. When the merge attribute is specified, when allocating cache memory, if a cache block of similar size that can be reused is found, it is directly referenced by aliasing without re-creating.

S406: The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.

It should be noted that the host can also use other methods to prompt warning information, such as recording the escape of the current process through the kernel dmesg The embodiment of the present application does not limit the manner in which the host prompts the warning information.

S407: The host machine ends the detection.

In other embodiments, the host machine can simultaneously execute the methods of Figures 7 and 8A, that is, after obtaining the data structure of the process, the host machine can execute steps S202 and S402, and when the process satisfies the condition that the namespace of the process is the initial namespace and the mount point of the process is any one of the root directories, execute steps S203 to S207 or S403 to S407. The above method includes a detection mechanism for detecting namespce that escapes to fs and detecting slab_cache, which can detect the behavior of obtaining all namecpaces due to escaping due to modifying the namespace.

Please refer to Figure 9A, which is a flow chart of a method for detecting container escape provided by an embodiment of the present application. The method may include some or all of the following steps:

S501: The host machine detects whether the mount point of the process is a root directory.

In one implementation, the host machine can obtain the data structure (task_struct) of the process, task_struct including the mount point identifier fs of the process; the host machine can detect whether the mount point identifier of the process is the root directory identifier (task->fs == init task.fs); when it is determined that the mount point identifier of the process is equal to the root directory identifier, the mount point of the process is determined to be the root directory; when it is determined that the mount point of the process is the root directory, execute step S502; otherwise, execute step S504.

In some embodiments, the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts to execute step S501. It should be noted that the present application can be applied to scenarios with high real-time escape detection.

It should be noted that S501 is a bypass detection for init_fs, that is, adding an fs-based detection mechanism in the kernel code to detect the escape behavior of escaping to the root directory.

S502: The host machine detects whether the target data in the data structure of the process meets the preset conditions.

In some embodiments, the host machine may obtain target data from the data structure of the process; and then detect whether the target data meets a preset condition.

In one implementation, the target data is the level of the namespace where the process is located; the host determines whether the level of the namespace where the process is located is zero; when it is determined that the level of the namespace where the process is located is zero, it is determined that the target data in the data structure of the process meets the preset conditions, and step S503 is executed. It should be noted that since the level of the namespace where the process is located is zero, it proves that the process has a high authority, so an alarm is issued.

In another implementation, the target data is the user ID of the process; the host machine can detect whether the user ID of the process is the ID of the root user; when it is determined that the user ID of the process is the ID of the root user, it is determined that the target data in the data structure of the process meets the preset conditions, and step S503 is executed. It should be noted that since the user ID of the process is the ID of the root user, it proves that the process has higher authority, so an alarm is issued.

In some embodiments, when the host machine determines that the target data in the data structure of the process meets the preset condition, step S504 is executed; otherwise, step S503 is executed.

S503: The host machine prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.

S504: The host machine ends the detection.

The method embodiment shown in FIG. 9A above includes many possible implementation schemes. Some of the implementation schemes are illustrated below in conjunction with FIG. 9B . It should be noted that related concepts, operations or logical relationships not explained in FIG. 9B can refer to the corresponding descriptions in the embodiment shown in FIG. 9A .

Please refer to Figure 9B, which is a flow chart of another method for detecting container escape provided by an embodiment of the present application. The method may include some or all of the following steps:

S601: The host machine obtains the data structure of the process.

In some embodiments, the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts to execute step S601. It should be noted that the present application can be applied to scenarios with high real-time escape detection.

S602: The host machine detects whether the mount point of the process is a root directory.

In one implementation, the host machine can obtain the data structure (task_struct) of the process, task_struct includes the mount point identifier fs of the process; the host machine can detect whether the mount point identifier of the process is the root directory identifier (task->fs == init task.fs); when it is determined that the mount point identifier of the process is equal to the root directory identifier, the mount point of the process is determined to be the root directory; when it is determined that the mount point of the process is the root directory, execute step S603; otherwise, execute step S606.

S603: The host machine detects whether the user identifier is the root user's identifier.

In some embodiments, when at least one of the user identifier UID and the user group identifier GID is zero, the host executes step S604; when it is determined that the user identifier is not an identifier of the root user, the host executes step S606.

S604: The host machine detects whether the level of the namespace where the process is located is zero.

In some embodiments, the host machine detects whether the process level is zero; when the level of the namespace where the process is located is not zero, step S605 is executed; when it is determined that the level of the namespace where the process is located is zero, step S606 is executed.

S605: The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.

S606: The host machine ends the detection.

The method of the embodiment of the present application is described in detail above, and the device of the embodiment of the present application is provided below.

Please refer to FIG. 10 , which is a schematic diagram of the structure of a container escape detection device 100 provided in an embodiment of the present application. It may include an acquisition unit 1001 and a prompt unit 1002, and may also include a determination unit 1003. The container escape detection device 100 is used to implement the above-mentioned container escape detection method, such as the container escape detection method of any embodiment shown in FIG. 6 or FIG. 7 .

The container escape detection device 100 comprises:

The acquisition unit 1001 is used to acquire the address of the cache area to which the process belongs when it is determined that the namespace where the process is located is the initial namespace;

The prompt unit 1002 is used to prompt an alarm message when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, and the alarm message is used to prompt the process that the container escape occurs.

In a possible implementation, the acquiring unit 1001 is used to:

In one possible implementation,

An acquisition unit 1001 is used to acquire a user identifier of the process when it is determined that the namespace where the process is located is an initial namespace;

The acquisition unit 1001 is used to acquire the address of the cache area to which the process belongs when it is determined that the user identifier is the identifier of the root user.

In a possible implementation, the user identifier is at least one of a user identifier UID and a user group identifier GID; the identifier of the root user is zero.

In a possible implementation, the acquiring unit 1001 is configured to:

In a possible implementation, the device further includes a determining unit 1003,

The acquisition unit 1001 is used to acquire the data structure of the process; the data structure includes the identifier of the namespace where the process is located;

The determining unit 1003 is configured to determine that the namespace where the process is located is the initial namespace when the identifier nsproxy of the namespace where the process is located is equal to the identifier init_nsproxy of the initial namespace.

It should be noted that the implementation of each unit may also correspond to the corresponding description of the embodiment shown in FIG. 6 or FIG. 7 .

It is understandable that in each device embodiment of the present application, the division of multiple units or modules is only a logical division based on function, and is not intended to limit the specific structure of the device. In a specific implementation, some functional modules may be subdivided into more small functional modules, and some functional modules may be combined into one functional module, but regardless of whether these functional modules are subdivided or combined, the general process executed by the device 100 during the pairing process is the same. Usually, each unit corresponds to its own program code (or program instruction), and when the program codes corresponding to each of these units are run on the processor, the corresponding process of the unit is implemented to achieve the corresponding function.

Please refer to Figure 11, which is a schematic diagram of the structure of a container escape detection device 110 provided in an embodiment of the present application. The device 110 may include an acquisition unit 1101 and a prompt unit 1102, and may also include a determination unit 1103. The container escape detection device 110 is used to implement the aforementioned container escape detection method, such as the container escape detection method of any one of the embodiments shown in Figure 8A or Figure 8B.

The container escape detection device 110 comprises:

The acquisition unit 1101 is used to acquire the address of the cache area to which the process belongs when it is determined that the mount point of the process is the root directory;

The prompt unit 1102 is used to prompt an alarm message when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, and the alarm message is used to prompt the process that the container escape occurs.

In a possible implementation, the acquiring unit 1101 is used to:

In a possible implementation, the device further includes a determining unit 1103,

The acquisition unit 1101 is used to acquire the data structure of the process; the data structure includes the mount point identifier of the process;

The determining unit 1103 is configured to determine that the mount point of the process is a root directory when the mount point identifier is a root directory identifier.

It should be noted that the implementation of each unit may also correspond to the corresponding description of the embodiment shown in FIG. 8A or FIG. 8B .

Please refer to Figure 12, which is a schematic diagram of the structure of another container escape detection device 120 provided in an embodiment of the present application. The device 120 includes at least one processor 1201, at least one memory 1202, and at least one communication interface 1203. The processor 1201, the memory 1202, and the communication interface 1203 are connected through the communication bus and communicate with each other.

Processor 1201 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the above program.

Communication interface 1203 is used to communicate with other devices or communication networks, such as Ethernet, radio access network (RAN), wireless local area network (Wireless Local Area Networks, WLAN), etc.

The memory 1202 may be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, a random access memory (RAM) or other types of dynamic storage devices that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto. The memory may exist independently and be connected to the processor through a bus. The memory may also be integrated with the processor.

The memory 1202 is used to store application code for executing the above solution, and the execution is controlled by the processor 1201. The processor 1201 is used to execute the application code stored in the memory 1202.

The code stored in the memory 1202 may execute any of the container escape detection methods provided above, such as:

When it is determined that the namespace where the process is located is the initial namespace, the address of the cache area to which the process belongs is obtained; when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, an alarm message is prompted, and the alarm message is used to prompt the process that a container escape occurs.

An embodiment of the present application also provides an electronic device, which includes one or more processors and one or more memories; wherein the one or more memories are coupled to the one or more processors, and the one or more memories are used to store computer program codes, and the computer program codes include computer instructions, and when the one or more processors execute the computer instructions, the electronic device executes the method described in the above embodiment.

The present application also provides a computer program product including instructions. When the computer program product is run on an electronic device, The electronic device is enabled to execute the method described in the above embodiment.

An embodiment of the present application further provides a computer storage medium, wherein the computer storage medium may store a program, and when the program is executed, the program includes part or all of the steps of any one of the container escape detection devices recorded in the above method embodiments.

It should be noted that, for the aforementioned method embodiments, for the sake of simplicity, they are all expressed as a series of action combinations, but those skilled in the art should be aware that the present application is not limited by the described order of actions, because according to the present application, certain steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also be aware that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application.

In the above embodiments, the description of each embodiment has its own emphasis. For parts that are not described in detail in a certain embodiment, reference can be made to the relevant descriptions of other embodiments.

In the several embodiments provided in the present application, it should be understood that the disclosed device can be implemented in other ways. For example, the device embodiments described above are only schematic, such as the division of the units, which is only a logical function division. There may be other division methods in actual implementation, such as multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, and the indirect coupling or communication connection of the device or unit can be electrical or other forms.

The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above-mentioned integrated unit may be implemented in the form of hardware or in the form of software functional units.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable memory. Based on this understanding, the technical solution of the present application, or the part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a memory and includes several instructions for a computer device (which can be a personal computer, server or network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application. The aforementioned memory includes: U disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), mobile hard disk, magnetic disk or optical disk and other media that can store program codes.

A person skilled in the art may understand that all or part of the steps in the various methods of the above embodiments may be completed by instructing related hardware through a program, and the program may be stored in a computer-readable memory, and the memory may include: a flash drive, a read-only memory (ROM), a random access memory (RAM), a disk or an optical disk, etc.

The embodiments of the present application are introduced in detail above. Specific examples are used in this article to illustrate the principles and implementation methods of the present application. The description of the above embodiments is only used to help understand the method and core idea of the present application. At the same time, for general technical personnel in this field, according to the idea of the present application, there will be changes in the specific implementation method and application scope. In summary, the content of this specification should not be understood as a limitation on the present application.

Claims

A method for detecting container escape, characterized in that the method comprises:

When the host machine determines that the namespace where the process is located is the initial namespace, obtaining the address of the cache area to which the process belongs;

When the host machine determines that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, it prompts an alarm message, where the alarm message is used to prompt that a container escape occurs to the process.
The method according to claim 1, characterized in that obtaining the address of the cache area to which the process belongs comprises:

The host machine obtains the address of the cache area corresponding to the process based on the address space of the process.
The method according to claim 1 or 2 is characterized in that, when the host machine determines that the namespace where the process is located is the initial namespace, obtaining the address of the cache area to which the process belongs comprises:

When the host machine determines that the namespace where the process is located is the initial namespace, obtaining the user identifier of the process;

When the host machine determines that the user identifier is an identifier of a root user, it obtains an address of a cache area to which the process belongs.
The method according to claim 3 is characterized in that the user identifier is at least one of a user identifier UID and a user group identifier GID; and the root user's identifier is zero.
The method according to any one of claims 1 to 4 is characterized in that, when the host machine determines that the namespace where the process is located is the initial namespace, obtaining the address of the cache area to which the process belongs comprises:

When the host machine determines that the namespace where the process is located is the initial namespace, obtaining the level of the namespace where the process is located;

When the host machine determines that the level is zero, it obtains the address of the cache area to which the process belongs.
The method according to any one of claims 1 to 5, characterized in that before obtaining the address of the cache area to which the process belongs, the method further comprises:

The host machine obtains a data structure of the process; the data structure includes an identifier of a namespace where the process is located;

When the identifier of the namespace where the process is located is equal to the identifier of the initial namespace, the host machine determines that the namespace where the process is located is the initial namespace.
A method for detecting container escape, characterized in that the method comprises:

When the host machine determines that the mount point of the process is the root directory, obtaining the address of the cache area to which the process belongs;

When the host machine determines that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, it prompts an alarm message, where the alarm message is used to prompt that a container escape occurs to the process.
The method according to claim 7, characterized in that the method comprises:

The host machine obtains the address of the cache area corresponding to the process based on the address space of the process.
The method according to claim 7 or 8 is characterized in that, when the host machine determines that the namespace where the process is located is the initial namespace, obtaining the address of the cache area to which the process belongs comprises:

When the host machine determines that the namespace where the process is located is the initial namespace, obtaining the user identifier of the process;

When the host machine determines that the user identifier of the process is the identifier of the root user, it obtains the address of the cache area to which the process belongs.
The method according to claim 9 is characterized in that the user identifier is at least one of a user identifier UID and a user group identifier GID; and the root user's identifier is zero.
The method according to any one of claims 7 to 10 is characterized in that, when the host machine determines that the namespace where the process is located is the initial namespace, obtaining the address of the cache area to which the process belongs comprises:

When the host machine determines that the namespace where the process is located is the initial namespace, obtaining the level of the namespace where the process is located;

When the host machine determines that the level is zero, it obtains the address of the cache area to which the process belongs.
The method according to any one of claims 7 to 11, characterized in that before obtaining the address of the cache area to which the process belongs, the method further comprises:

The host machine obtains a data structure of a process; the data structure includes a mount point identifier of the process;

When the mount point identifier is a root directory identifier, the host machine determines that the mount point of the process is the root directory.
A method for detecting container escape, characterized in that the method comprises:

When the host machine determines that the mount point of the process is a root directory, acquiring target data from a data structure of the process;

When the target data meets a preset condition, the host machine prompts an alarm message, where the alarm message is used to prompt that a container escape occurs in the process.
An electronic device, characterized in that the electronic device includes one or more processors and one or more memories; wherein the one or more memories are coupled to the one or more processors, and the one or more memories are used to store computer program codes, and the computer program codes include computer instructions, and when the one or more processors execute the computer instructions, the electronic device executes the method as described in any one of claims 1-13.
A computer-readable storage medium comprises instructions, wherein when the instructions are executed on an electronic device, the electronic device executes the method as claimed in any one of claims 1 to 14.