WO2024067479A1 - Procédé de détection de fuite de conteneur, dispositif électronique et système - Google Patents

Procédé de détection de fuite de conteneur, dispositif électronique et système Download PDF

Info

Publication number
WO2024067479A1
WO2024067479A1 PCT/CN2023/121088 CN2023121088W WO2024067479A1 WO 2024067479 A1 WO2024067479 A1 WO 2024067479A1 CN 2023121088 W CN2023121088 W CN 2023121088W WO 2024067479 A1 WO2024067479 A1 WO 2024067479A1
Authority
WO
WIPO (PCT)
Prior art keywords
namespace
address
host machine
identifier
cache area
Prior art date
Application number
PCT/CN2023/121088
Other languages
English (en)
Chinese (zh)
Inventor
陈念
季冬
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2024067479A1 publication Critical patent/WO2024067479A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines

Definitions

  • Embodiments of the present application relate to virtualization technology, and more particularly to a method, electronic device, and system for detecting container escape.
  • Container technology is a technology that packages applications into separate containers. It isolates each application and breaks the dependencies and connections between programs. In other words, with the support of container technology, a large service system can be composed of containers hosted by many different applications. Container technology effectively divides resources managed by a single operating system into isolated groups to better balance conflicting resource usage requirements between isolated groups. It is an operating system-level virtualization technology and is widely used due to its lightweight characteristics.
  • Container escape Users can create and run containers based on container images in a host machine, where the host machine can be a physical machine or a virtual machine.
  • Each container has an independent process running space.
  • processes in a container can only run in the process running space of the container.
  • the malicious process is likely to escape from the process running space of the container and then attack the host machine or other containers. This phenomenon is called container escape.
  • container escapes can be divided into the following four types: (1) container escapes caused by insecure configuration; (2) container escapes caused by insecure mounting; (3) container escapes caused by related program vulnerabilities; and (4) container escapes caused by kernel vulnerabilities. How to detect container escapes caused by kernel vulnerabilities is an urgent problem that the industry needs to solve.
  • the present application provides a method, electronic device and system for detecting container escape.
  • the host machine can prompt an alarm message when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located.
  • the alarm message is used to prompt the process that the container escape has occurred.
  • the method has high accuracy and can effectively detect container escape.
  • an embodiment of the present application provides a method for detecting container escape, the method comprising:
  • the host determines that the namespace where the process is located is the initial namespace, it obtains the address of the cache area to which the process belongs;
  • the namespace where the process is located is the initial namespace, which means that the process can access the namespace indicated by init_nsproxy, in order to ensure the security of the namespace; therefore, the host can detect the process based on the address slab_cache of the cache area to which the process belongs; since slab_cache has a high credibility, slab_cache is compared with the address pid_cache in the namespace where the process is located; when the two are not equal, it can be determined that the process does not have the authority to access the namespace indicated by init_nsproxy, that is, the process has been maliciously tampered with, resulting in a container escape.
  • This method has high accuracy and can effectively detect container escapes.
  • the method includes:
  • the host machine obtains the address of the cache area corresponding to the process based on the address space of the process.
  • the address space pid_cachep of the process is not easily tampered with and has a high credibility. Therefore, the address slab_cache of the cache area corresponding to the process determined based on the address space pid_cachep of the process has a high credibility.
  • obtaining the address of the cache area to which the process belongs includes:
  • the host machine determines that the namespace where the process is located is the initial namespace, it obtains the user ID of the process;
  • the host machine determines that the user identifier is the identifier of the root user, it obtains the address of the cache area to which the process belongs.
  • the user identifier is at least one of a user identifier UID and a user group identifier GID; and the identifier of the root user is zero.
  • Get the address of the cache area to which the process belongs including:
  • the host determines that the namespace where the process is located is the initial namespace, it obtains the level of the namespace where the process is located;
  • the host determines that the level is zero, it obtains the address of the cache area to which the process belongs.
  • the method before obtaining the address of the cache area to which the process belongs, the method further includes:
  • the host obtains the data structure of the process; the data structure includes the identifier of the namespace where the process is located;
  • the host determines that the identifier nsproxy of the namespace where the process is located is equal to the identifier init_nsproxy of the initial namespace, it determines that the namespace where the process is located is the initial namespace.
  • an embodiment of the present application provides a method for detecting container escape, the method comprising:
  • the host determines that the mount point of the process is the root directory, it obtains the address of the cache area to which the process belongs;
  • the mount point of the process is the root directory, which means that the process can access all files under the root directory.
  • the process needs to be detected; therefore, the host machine can detect the process based on the address slab_cache of the cache area to which the process belongs; since the address of the cache area to which the process belongs is more credible, the address of the cache area to which the process belongs is compared with the address pid_cache in the namespace where the process is located. When the two are not equal, it is considered that the process originally did not have the authority to access all files under the root directory, and the process has been maliciously tampered with, resulting in a container escape.
  • the embodiment of the present application adds a mount point-based detection mechanism in the kernel code, which can detect the behavior of escaping to the root directory and effectively monitor the container escape behavior that occurs by exploiting kernel vulnerabilities, thereby improving system security.
  • the method includes:
  • the host machine obtains the address of the cache area corresponding to the process based on the address space of the process.
  • obtaining the address of the cache area to which the process belongs includes:
  • the host machine determines that the namespace where the process is located is the initial namespace, it obtains the user ID of the process;
  • the host machine determines that the user identifier of the process is the identifier of the root user, it obtains the address of the cache area to which the process belongs.
  • the user identifier is at least one of a user identifier UID and a user group identifier GID; and the identifier of the root user is zero.
  • obtaining the address of the cache area to which the process belongs includes:
  • the host determines that the namespace where the process is located is the initial namespace, it obtains the level of the namespace where the process is located;
  • the host determines that the level is zero, it obtains the address of the cache area to which the process belongs.
  • the method before obtaining the address of the cache area to which the process belongs, the method further includes:
  • the host obtains the data structure of the process;
  • the data structure includes the mount point identifier of the process;
  • the mount point identifier of the host is a root directory identifier
  • the mount point of the process is determined to be the root directory.
  • an embodiment of the present application provides a device for detecting a container escape, the device comprising:
  • An acquisition unit used for acquiring an address of a cache area to which the process belongs when it is determined that the namespace where the process is located is the initial namespace;
  • the prompt unit is used to prompt an alarm message when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, and the alarm message is used to prompt the process that the container escape occurs.
  • the namespace where the process is located is the initial namespace, that is, the namespace that the process can indicate by init_nsproxy, in order to ensure the security of the namespace; therefore, the host machine can detect the process based on the address slab_cache of the cache area to which the process belongs; since slab_cache has a high credibility, slab_cache is compared with the address pid_cache in the namespace where the process is located; when the two are not equal, it can be determined that the process does not have the authority to access the namespace indicated by init_nsproxy, that is, the process has been maliciously tampered with, and the container escape occurs.
  • This method has high accuracy and can effectively detect container escapes.
  • the embodiment of the present application adds a mount point-based detection mechanism in the kernel code, which can detect the behavior of escaping to the root directory and effectively monitor the container escape behavior that occurs by exploiting kernel vulnerabilities, thereby improving system security.
  • the acquiring unit is used to:
  • the address space pid_cachep of the process is not easily tampered with and has a high credibility. Therefore, the address slab_cache of the cache area corresponding to the process determined based on the address space pid_cachep of the process has a high credibility.
  • An acquisition unit used for acquiring a user ID of the process when it is determined that the namespace where the process is located is the initial namespace
  • the acquisition unit is used to acquire the address of the cache area to which the process belongs when it is determined that the user identifier is the identifier of the root user.
  • the user identifier is at least one of a user identifier UID and a user group identifier GID; and the identifier of the root user is zero.
  • the acquiring unit is configured to:
  • the level of the namespace where the process is located is obtained
  • the device further includes a determining unit,
  • An acquisition unit used for acquiring a data structure of a process; the data structure includes an identifier of a namespace where the process is located;
  • the determination unit is used to determine that the namespace where the process is located is the initial namespace when the identifier nsproxy of the namespace where the process is located is equal to the identifier init_nsproxy of the initial namespace.
  • an embodiment of the present application provides a device for detecting a container escape, the device comprising:
  • An acquisition unit used for acquiring an address of a cache area to which the process belongs when it is determined that the mount point of the process is a root directory
  • the prompt unit is used to prompt an alarm message when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, and the alarm message is used to prompt the process that the container escape occurs.
  • the namespace nsproxy where the process is located is the initial namespace init_nsproxy, which means that the process can be indicated by init_nsproxy.
  • the host can detect the process based on the address slab_cache of the cache area to which the process belongs. Since slab_cache has a high credibility, slab_cache is compared with the address pid_cache in the namespace where the process is located. When the two are not equal, it can be determined that the process does not have the authority to access the namespace indicated by init_nsproxy, that is, the process has been maliciously tampered with, resulting in a container escape. This method has high accuracy and can effectively detect container escapes.
  • the acquiring unit is used to:
  • the acquiring unit is used to:
  • the user identifier is at least one of a user identifier UID and a user group identifier GID; and the identifier of the root user is zero.
  • the acquiring unit is used to:
  • the level of the namespace where the process is located is obtained
  • the device further includes a determining unit
  • An acquisition unit used for acquiring a data structure of a process; the data structure includes a mount point identifier of the process;
  • the determination unit is used to determine that the mount point of the process is the root directory when the mount point identifier is the root directory identifier.
  • an embodiment of the present application provides a method for detecting container escape, the method comprising:
  • the host determines that the mount point of the process is the root directory, it obtains the target data from the data structure of the process;
  • the host When the target data meets the preset conditions, the host prompts an alarm message, which is used to prompt the process that the container escapes.
  • a mount point-based detection mechanism is added to the kernel code, which can detect the behavior of escaping to the root directory and effectively monitor the container escape behavior that occurs by exploiting kernel vulnerabilities, thereby improving system security.
  • the target data is a level of the namespace in which it is located; when the target data meets a preset condition, the host machine prompts an alarm message, including:
  • the host determines that the level of the namespace where the process is located is zero, it prompts a warning message.
  • the target data is a user identifier of the process; the host machine When setting conditions, warning information is prompted, including:
  • the host machine determines that the user ID of the process is the ID of the root user, it prompts a warning message.
  • the user identifier is at least one of a user identifier UID and a user group identifier GID; and the root user's identifier is zero.
  • the method further includes:
  • the host obtains the data structure of the process;
  • the data structure includes the mount point identifier of the process;
  • the mount point identifier of the host is a root directory identifier
  • the mount point of the process is determined to be the root directory.
  • an embodiment of the present application provides a device for detecting a container escape, the device comprising:
  • An acquisition unit used for acquiring target data from a data structure of the process when it is determined that the mount point of the process is a root directory
  • the prompt unit is used for the host machine to prompt an alarm message when the target data meets the preset conditions.
  • the alarm message is used to prompt the process that the container escape occurs.
  • a mount point-based detection mechanism is added to the kernel code, which can detect the behavior of escaping to the root directory and effectively monitor the container escape behavior that occurs by exploiting kernel vulnerabilities, thereby improving system security.
  • the target data is a level of the namespace in which it is located; and the prompt unit is used to:
  • the target data is a user identifier of the process; and the prompting unit is used to:
  • the host machine determines that the user ID of the process is the ID of the root user, it prompts a warning message.
  • the user identifier is at least one of a user identifier UID and a user group identifier GID; and the root user's identifier is zero.
  • the apparatus further includes a determining unit:
  • An acquisition unit used for acquiring a data structure of a process; the data structure includes a mount point identifier of the process;
  • the determination unit is used to determine that the mount point of the process is the root directory when the mount point identifier of the host machine is the root directory identifier.
  • an embodiment of the present application provides an electronic device, comprising one or more functional modules, which can be used to execute a method for detecting container escape as in any possible implementation of the first aspect described above.
  • the present application provides a computer storage medium, comprising computer instructions, which, when executed on an electronic device, causes a communication device to execute a method for detecting container escape in any possible implementation of any of the above aspects.
  • the present application provides a computer program product, which, when executed on a computer, enables the computer to execute a method for detecting container escape in any possible implementation of any of the above aspects.
  • the present application provides a chip, comprising: a processor and an interface, wherein the processor and the interface cooperate with each other so that the chip executes the container escape detection method in any possible implementation of any of the above aspects.
  • the electronic device provided in the seventh aspect, the computer-readable storage medium provided in the eighth aspect, the computer program product provided in the ninth aspect, and the chip provided in the tenth aspect are all used to execute the method provided in the embodiment of the present application. Therefore, the beneficial effects that can be achieved can refer to the beneficial effects in the corresponding method, which will not be repeated here.
  • FIG1 is a hierarchical relationship diagram of a namespace provided in an embodiment of the present application.
  • FIG2 is a schematic diagram of a detection process provided in an embodiment of the present application.
  • FIG3 is a schematic diagram of a detection system provided in an embodiment of the present application.
  • FIG4 is a schematic diagram of a scenario of container escape provided by an embodiment of the present application.
  • FIG5 is a schematic diagram of another scenario of container escape provided by an embodiment of the present application.
  • FIG6 is a flow chart of a method for detecting container escape provided in an embodiment of the present application.
  • FIG7 is a flow chart of another method for detecting container escape provided in an embodiment of the present application.
  • FIG8A is a flow chart of a method for detecting container escape provided in an embodiment of the present application.
  • FIG8B is a flow chart of another method for detecting container escape provided in an embodiment of the present application.
  • FIG9A is a flow chart of a method for detecting container escape provided in an embodiment of the present application.
  • 9B is a flow chart of another method for detecting container escape provided in an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a container escape detection device 100 provided in an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a container escape detection device 110 provided in an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of another container escape detection device 120 provided in an embodiment of the present application.
  • first and second are used for descriptive purposes only and are not to be understood as suggesting or implying relative importance or implicitly indicating the number of the indicated technical features.
  • a feature defined as “first” or “second” may explicitly or implicitly include one or more of the features, and in the description of the embodiments of the present application, unless otherwise specified, "plurality” means two or more.
  • Container An instance created based on an image.
  • the instance is an object that includes the user configuration and running configuration required to implement the functions of the image.
  • a container is a running instance created by an image. It can be started, started, stopped, and deleted. Each container is isolated from each other and ensures security. The container provides an isolated environment for running programs, and the container strictly controls the resources that the programs in it can access.
  • Containers provide isolated operating spaces for applications: each container contains a complete user environment space that is exclusive to it, and changes in one container will not affect the operating environment of other containers.
  • container technology uses a series of system-level mechanisms such as using Linux namespaces to isolate spaces, using file system mount points to determine which files containers can access, and using cgroups to determine how many resources each container can use.
  • containers share the same system kernel, so when the same library is used by multiple containers, memory usage efficiency will be improved.
  • Container escape refers to the following process and results: First, the attacker has obtained the ability to execute commands under certain permissions in the container by hijacking the containerized business logic or directly controlling it (CaaS and other scenarios where container control is legally obtained). The attacker uses this command execution capability to further obtain the ability to execute commands under certain permissions on the direct host machine where the container is located (it is common to see the scenario of "physical machines running virtual machines, and virtual machines running containers”. The direct host machine in this scenario refers to the virtual machine outside the container).
  • Namespace is mainly used for resource isolation. Resources in different namespaces are not visible. The main resources implemented by namespace are: IPC/NetWork/Mount/PID/User/UTS/Cgroup.
  • namespace provides an abstraction of global resources. Resources are placed in different namespaces. The resources in each namespace are isolated from each other and are called by different processes. Resources are placed in different containers (different namespaces), and each container is isolated from each other.
  • the PID number is the kernel's unique identifier for distinguishing each process.
  • the PID number is a number assigned to a process in Linux to uniquely identify it in its namespace. It is called the process ID number, or PID for short.
  • the process generated will be assigned a new unique PID value by the kernel.
  • the level of the namespace where the process is located represents the level of the current namespace.
  • the initial namespace has a level of 0, and its sub-namespace has a level of 1, and so on.
  • the sub-namespace is visible to the parent namespace. From a given level setting, the kernel can infer how many IDs the process will be associated with.
  • Namespace also has the concept of hierarchy. Level indicates the hierarchy of different namespaces. Level indicates which layer the namespace is in. When creating a child process through the clone function or fork function, you can specify whether to create a new namespce. If not specified, the namespce of the parent process is integrated by default; otherwise, a new namespce is created and the level in task_struct is increased by 1.
  • a high-level namespace can be seen by a low-level namespace.
  • a high-level process has multiple PID numbers. For example, the system defaults to namespace mirroring level0, and a new namespace called level1 is created under level0, and a process is run in level. The PID number of this process in level is 1. Because the higher-level PID namespace needs to be seen by the lower-level PID namespace, this process is PID xxx in level0, and the PID number xxx is assigned according to the PID sequence in level0.
  • FIG. 1 exemplarily shows a hierarchical relationship diagram of a namespace.
  • each parent namespace derives two child namespaces; the parent namespace has a level 0 (i.e., level 0); the child namespace has a level 1 (i.e., level 1).
  • level 0 i.e., level 0
  • level 1 i.e., level 1
  • each namespace can have a process with PID number 1; but due to the hierarchical nature of the namespace, the parent namespace knows the existence of the child namespace, and the child namespace must be mapped to the parent namespace. Therefore, the six processes of the two child namespaces in level 1 in Figure 1 are mapped to PID numbers 5 to 10 of their parent namespaces respectively.
  • a process is a program or command being executed. Each process is a running entity, has its own address space, and occupies certain system resources. Once a program is running, it is a process.
  • a process can be seen as an instance of program execution.
  • a process is an independent entity allocated by system resources, and each process has an independent address space.
  • a process cannot access the variables and data structures of another process. If you want a process to access the resources of another process, you need to use inter-process communication, such as pipes, files, sockets, etc.
  • a process is a dynamic entity consisting of a text segment, a user data segment, and a system data segment.
  • the system data segment stores the control information of the process, including the process control block (PCB).
  • PCB process control block
  • PCB is a data structure used to describe and control the operation of a process. It is part of the process entity and the most important record-type data structure in the operating system. Generally, PCB contains the following:
  • Process identifier used to uniquely identify a process
  • Processor information general registers, instruction counter, program status word PSW, user stack pointer
  • Process scheduling information (process status, process priority, other information required for process scheduling, events);
  • Process control information address of program data, resource list, process synchronization and communication mechanism, link pointer
  • the content defined in the data structure provides support for subsequent management, so different operating systems have made some adjustments to the content of the PCB according to their own characteristics. Different operating systems have different PCB structures.
  • the Linux process control block is a data structure defined by the structure task_struct, which includes various information required to manage the process. All process control blocks of the Linux system are organized into a structure array.
  • task_struct is the unique identifier of the process and the core of the Linux process entity.
  • the Linux kernel uses the task_struct data structure to associate all process-related data and structures. All algorithms in the Linux kernel involving processes and programs are built around this data structure, which is one of the most important data structures in the kernel.
  • Mount namespace is used to isolate the mount points of the file system, so that different mount namespaces have their own independent mount point information, and different namespaces will not affect each other.
  • Mounting usually mounting a storage device to an existing directory. Accessing this directory means accessing the contents of the storage device.
  • All files are placed in a tree-like directory structure starting from the root directory.
  • Any hardware device is also in the form of a file. For example, if Linux wants to use a USB flash drive hardware device, it must combine the Linux directory and the hardware device's file directory into one. This process is called mounting.
  • Mount point The mount operation will hide the files in the original Linux directory, so choose the Linux directory itself. It is best to create a new empty operation directory for mounting. After mounting, this operation directory is called a mount point.
  • the root directory of the Linux system (/): The file system of Linux and UNIX is a hierarchical tree file structure with "/" as the root, so "/" is called the root directory. Every file and directory starts from here.
  • This directory is different from the /root directory, which is the home directory of the root user.
  • the root directory “/” is located at the top level of the file system directory structure. It is the top-level directory. All files and directories are placed under the root directory “/”; under the root directory “/” there are also subdirectories such as “/bin”, “/home”, and “/usr”.
  • the system manager authorizes each process to use a given user identifier (UID).
  • UID user identifier
  • Each started process has a UID of the user who started it.
  • a child process has the same UID as the parent process.
  • a user can be a member of a group, and each group also has a group identifier (GID).
  • GID group identifier
  • User identifier UID An integer used by the system to distinguish different users.
  • Linux uses a 32-bit integer to record and distinguish different users. This number that distinguishes different users is called User ID, or UID for short. Users in the Linux system are divided into three categories, namely ordinary users, root users, and system users.
  • the root user is also called the administrator account, and its UID is usually 0.
  • the root user can manage ordinary users and the entire system.
  • Ordinary users refer to all real users who use the Linux system.
  • the UID of ordinary users can be specified by the administrator when they are created. If not specified, the UID of ordinary users can be greater than 500; the user's UID can also be numbered sequentially from 1000 to 60000 by default.
  • System users refer to users who are required for the system to run, but are not real users. In other words, system users are automatically created during the installation process and do not have the ability to log in to the system.
  • User group identifier GID An integer used by the system to distinguish different user groups.
  • GID Group ID
  • UID and GID are managed by the Linux kernel and are used by kernel-level system calls to determine whether a request should be granted privileges. For example, when a process attempts to write to a file, the kernel checks the UID and GID of the creating process to determine whether it has sufficient permissions to modify the file.
  • (VI) Slab is a memory allocation mechanism of the Linux operating system.
  • the slab allocation algorithm uses cache to store kernel objects.
  • the slab allocator is managed based on objects. Objects of the same type are classified into one category (such as process descriptors). Whenever such an object is requested, the slab allocator allocates a unit of this size from a slab list, and when it is released, it is saved in the list again instead of being returned directly to the buddy system, thus avoiding internal fragmentation. The slab allocator does not discard the allocated objects, but releases and stores them in memory. When a new object is requested in the future, it can be obtained directly from the slab without repeated initialization.
  • each slab consists of one or more consecutive page frames, which contain both allocated objects and free objects.
  • the slab allocation algorithm uses a cache to store kernel objects.
  • a cache When a cache is created, it initially contains a number of objects marked as free. The number of objects depends on the size of the slab. Initially, all objects are marked as free.
  • an object of a kernel data structure When an object of a kernel data structure is needed, it can be directly obtained from the cache and the object is initialized for use.
  • struct task_struct is about 1.7KB in size.
  • the Linux kernel creates a new task, it obtains the memory required for the struct task_struct object from the cache. There will be a struct task_struct object allocated and marked as free in the cache to satisfy the request.
  • Linux slabs can have three states:
  • Partial Some objects in the slab are marked as used, and some are marked as free.
  • the slab allocator first allocates from some free slabs. If there are, it allocates from the empty slab. If not, it allocates a new slab from the physical continuous page, assigns it to a cache, and then allocates space from the new slab.
  • each process includes a process control block PBC in the kernel, which contains all the information of the process, that is, a data structure (task_strcut).
  • the task_strcut of a process includes the following information:
  • Process ID including PID/UID or GID
  • Mount point identifier indicates the file system fs that the process can operate, including reading and writing files
  • the namespace identifier of the process (nsproxy): used to identify the namespace to which the process belongs
  • the Linux kernel provides multiple namespaces such as PID namespace, a process may belong to multiple namespaces.
  • the kernel introduces nsproxy to uniformly manage the namespaces to which processes belong.
  • nsproxy stores a set of pointers to various namespace types, acting as a proxy for processes to access various namespaces. Since multiple processes may have exactly the same namespace, nsproxy can be shared between processes. The count field in nsproxy is responsible for recording the number of references to the structure.
  • Initial namespace identifier init_nsproxy The system predefines an init_nsproxy, which is used as the default nsproxy.
  • init_nsproxy defines the initial global namespace, which stores pointers to the initial namespace objects of each subsystem and has higher permissions.
  • an attacker can exploit certain kernel vulnerabilities to tamper with the nsproxy in the process task_struct into init_nsproxy, thereby achieving privilege escalation.
  • a preliminary detection mechanism was released to the public. It detects the escape to the init namespace by detecting whether the nsproxy of the process is init_nsproxy, whether the current process is a root process, and whether the level of the current process is 0.
  • the root process refers to a process running with root privileges. The specific detection process can be seen in Figure 2.
  • the host machine can first obtain the task_strcut of the current process, and obtain nsproxy from the task_strcut; when nsproxy is not initnsproxy, end the detection; when nsproxy is initnsproxy, check whether the UID or GID of the current process is the UID or GID of the root user; when the UID or GID of the current process is not the UID or GID of the root user, end the detection; when the UID or GID of the current process is the UID or GID of the root user, check whether the level of the namespace of the current process is 0; when the level of the namespace of the current process is 0, end the detection; when the level of the UID or GID of the current process is not 0, it is determined that the process has a container escape, and a warning message (i.e., an alarm) can be prompted.
  • a warning message i.e., an alarm
  • the detection principle of Figure 2 is that it is assumed that the nsproxy of the process is init nsproxy, and the process is a root process with a level of 0, indicating that it is a root process with a level of 0. Since the level is 0, the namespace of all child nodes can be operated, but the namaspce of the mount point in the nsproxy data structure is separate, so here all namespaces except fs are obtained.
  • level indicates the level of different namespaces.
  • Level indicates which layer the namespace is in.
  • the method shown in Figure 2 cannot deal with container escapes caused by other kernel vulnerabilities. For example, if an attacker changes the UID and GID in the task_struct structure to the UID and GID of the root user and changes the level of the current process to 0, the detection mechanism shown in Figure 2 can be bypassed; for another example, when an attacker exploits a kernel vulnerability to tamper with the operating directory (i.e., the mount point) of the attack process to the root directory, the detection mechanism shown in Figure 2 can be bypassed to achieve the behavior of obtaining the namespace of fs.
  • the operating directory i.e., the mount point
  • Figure 3 is a schematic diagram of a detection system provided in an embodiment of the present application.
  • the system includes a physical machine and one or more virtual machines (VMs) running on an operating system of the physical machine (only virtual machine 1 , virtual machine 2 , and virtual machine 3 are shown in FIG3 ).
  • VMs virtual machines
  • the physical machine is responsible for the management and allocation of hardware resources, and presents a virtual hardware platform to the virtual machine, for example, providing the virtual machine with a virtual CPU, memory, virtual disk, virtual network card, etc.
  • One or more containers can be created in a virtual machine.
  • FIG3 exemplarily shows two containers in virtual machine 1, container 1 and container 2; two containers in virtual machine 2, container 3 and container 4; and two containers in virtual machine 3, container 5 and container 6.
  • Virtual machines can use containers to provide relatively independent and isolated operating environments for processes. For example, container 1 supports the operation of process 1, and container 2 supports the operation of process 2.
  • Virtual Machine refers to one or more virtual computers simulated on a physical computer. These virtual machines can work like real physical computers.
  • Process It is an entity that executes instructions. A process can be used to run a program to execute various instructions.
  • Container used to provide a relatively independent and isolated operating environment for a process.
  • a container includes an independent file system, namespace, resource view, etc.
  • Container instance After a process runs in the environment provided by a container, the container can be called a container instance.
  • the physical machine may include: a central processing unit (CPU), memory, hard disk, motherboard, and 3D processing graphics card, etc., and based on these hardware, the physical machine may include a virtual machine manager (VMM) module and at least one virtual machine, and the VMM and VM are software modules in the physical machine, wherein:
  • the CPU is used to execute various logical calls; the VMM is used to create at least one virtual machine and virtualize the physical resources in the physical machine into multiple virtual resources for use by the virtual machines; and each virtual machine has independent storage and computing units, and the functions and structures of each virtual machine are similar.
  • the container escape detection method provided in the embodiment of the present application is executed by a host machine, which may be the above-mentioned physical machine or the above-mentioned virtual machine.
  • the detection system shown in FIG. 3 is only an exemplary implementation of the embodiment of the present application, and the system architecture in the embodiment of the present application includes but is not limited to the above architecture.
  • privileged containers refer to some namespaces with higher permissions, such as init_nsproxy.
  • the method for detecting container escape provided in the embodiment of the present application can detect that a process in the following three scenarios has a container escape.
  • the detection program display message, dmesg
  • the detection shown in Figure 2 can be successfully bypassed; then, the attacker can obtain other namespaces except the mount namespace through the process.
  • the container escape can be detected by the container escape detection method shown in FIG. 6 or FIG. 7 .
  • an attacker can exploit a kernel vulnerability to modify the user ID or GID of a process to 0, and modify the mount point (tsk->fs) to the root directory (init_task->fs), thus successfully bypassing the detection shown in Figure 2. Then, the attacker can obtain the namespace of the mounted file system through the process. For example, as shown in Figure 4, assuming that the process before modification can only obtain the contents of the rop directory, when the attacker modifies its UID or GID to 0 and changes the mount point to the root directory, the modified process can obtain the mounted file system fs, that is, the namespace of fs.
  • the container escape can be detected by the container escape detection method shown in Figures 8A to 9B.
  • the modified process can obtain the root user's permissions; further, obtain the host name (hostname) of the host machine; obtain the host machine's network card information; and obtain the host machine's file mount.
  • the container escape can be detected by the container escape detection method shown in FIG. 6 or FIG. 7 .
  • Figure 6 is a method for detecting container escape provided by an embodiment of the present application.
  • the method may include some or all of the following steps:
  • S101 The host machine detects whether the namespace where the process is located is an initial namespace.
  • the host machine may start to detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy (copy namespace) related operations, that is, start to execute step S101. It should be noted that the present application can be applied to scenarios with high real-time escape detection.
  • nsproxy stores a set of pointers to various types of namespaces, acting as a proxy for processes to access various namespaces. Since multiple processes may have exactly the same namespace, nsproxy can be shared between processes; init_nsproxy stores pointers to the initial namespace objects of each subsystem and has higher permissions. The process can access all namespaces except the mounted file system fs. To ensure the security of the namespace, the embodiment of the present application can execute step S102 to continue to detect the process.
  • S102 The host machine detects whether the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.
  • the host machine can obtain the address space pid_cachep of the process; then, based on pid_cachep, determine the address slab_cache of the cache area corresponding to the process; when slab_cache is equal to the address pid_cache in the namespace where the process is located, determine that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.
  • the host executes step S104 when the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located; and executes step S103 when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located.
  • S103 The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.
  • the host machine may display a warning message on the screen, where the warning message is used to indicate that a container escape has occurred in the current process.
  • the warning message may include information about the current process.
  • the host machine may also use other methods to prompt warning information, such as recording the escape behavior of the current process through the kernel dmesg, or restarting the host machine.
  • the embodiment of the present application does not limit the method of prompting warning information by the host machine.
  • S104 The host machine ends the detection.
  • the host machine ends the detection when it determines that the namespace where the process is located is not the initial namespace. It should be noted that if the nsproxy of the process is init_nsproxy, the process can access all namespaces except the mounted file system fs. To ensure the security of the namespace, the embodiment of the present application needs to detect the process; if the nsproxy of the process is not init_nsproxy, the host machine can end the detection of the process.
  • the host machine ends the detection when it determines that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located. It should be noted that the address of the cache area to which the process belongs has a high credibility. When the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, it can be proved that the process does have the permission to access the namespace where the process is located, so the detection of the process can be ended.
  • Figure 7 is a flow chart of another method for detecting container escape provided by an embodiment of the present application.
  • the method may include some or all of the following steps:
  • S201 The host machine obtains the data structure of the process.
  • the data structure may include an identifier nsproxy of the namespace where the process is located, a user identifier UID or GID, and a level of the namespace where the process is located.
  • the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts executing step S201. It should be noted that the present application can be applied to scenarios with high real-time escape detection.
  • task_struct is the process control block PCB under Linux, which contains all the information of a process, including the UID of the process.
  • PCB process control blocks
  • the Linux process control block is a data structure defined by the task_struct structure, which includes various information needed to manage the process, such as the nsproxy mentioned above.
  • S202 The host machine detects whether the namespace where the process is located is an initial namespace.
  • S203 The host machine detects whether the user identifier is the root user's identifier.
  • the user identifier may be at least one of a user identifier UID and a user group identifier GID; the root user identifier may be zero.
  • the host executes step S204; when it is determined that the user identifier is not an identifier of the root user, the host executes step S207.
  • S204 The host machine detects whether the level of the namespace where the process is located is zero.
  • the host machine detects whether the process level is zero; when the level of the namespace where the process is located is zero, step S205 is executed; when it is determined that the level of the namespace where the process is located is not zero, step S206 is executed.
  • the level of the namespace where the process is located represents the level of the current namespace.
  • the initial namespace has a level of 0, and its sub-namespace has a level of 1, and they increase in sequence.
  • the sub-namespace is visible to the parent namespace. From a given level setting, the kernel can infer how many IDs the process will be associated with.
  • S205 The host machine detects whether the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.
  • page is the virtual address space of the object
  • slab_cache is the slab manager pointed to by the current page, and subsequent memory allocations are all based on this cache
  • pid_cachep is the address of the slab that points to the allocated pid.
  • step S207 when the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, the host executes step S207; when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, the host executes step S206.
  • S205 is a detection for slab_cache.
  • the principle is (1) the no merge attribute is set when the namespace slab_cache is created, and caches of similar sizes are not allowed to merge; (2) when the process pid_cachep is allocated, a new slab cache is directly created; (the pid_cachep of each process is different).
  • merge is a feature of the slab allocator.
  • S206 The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.
  • the host machine may display a warning message on the screen, where the warning message is used to indicate that a container escape has occurred in the current process.
  • the warning message may include information about the current process.
  • the host machine determines that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, it determines that the process has been detected to have escaped; then, an alarm message is prompted.
  • the host machine may also use other methods to prompt warning information, such as recording the escape behavior of the current process through the kernel dmesg, or restarting the host machine.
  • the embodiment of the present application does not limit the method of prompting warning information by the host machine.
  • S207 The host machine ends the detection.
  • the host machine ends the detection when it determines that the namespace where the process is located is not the initial namespace. It should be noted that if the nsproxy of the process is init_nsproxy, the process can access all namespaces except the mounted file system fs. To ensure the security of the namespace, the embodiment of the present application needs to detect the process; if the nsproxy of the process is not init_nsproxy, the host machine can end the detection of the process.
  • the host machine ends the detection when it determines that the user identifier of the process is not the identifier of the root user. It should be noted that when the user identifier of the process is not the identifier of the root user, the process has low authority and the possibility of container escape is low, so the detection is ended.
  • the host machine ends the detection when it determines that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located. It should be noted that the address of the cache area to which the process belongs has a high credibility. When the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, it can be proved that the process does have the permission to access the namespace where the process is located, so the detection of the process can be ended.
  • Figure 8A is a flow chart of a method for detecting container escape provided by an embodiment of the present application.
  • the method may include some or all of the following steps:
  • S301 The host machine detects whether the mount point of the process is a root directory.
  • the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts to execute step S301. It should be noted that the present application can be applied to scenarios with high real-time escape detection.
  • the mount point is an operation directory. It should be noted that the mount operation will hide the files in the original Linux directory, so it is best to select the Linux directory itself and create an empty operation directory for mounting. After mounting, this operation directory is called a mount point.
  • the mount point identifier is used to indicate the file system fs that the process can operate, including reading and writing files.
  • S301 is a bypass detection for init_fs, that is, adding an fs-based detection mechanism in the kernel code to detect the escape behavior of escaping to the root directory.
  • S302 The host machine detects whether the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.
  • the host machine can obtain the address space pid_cachep of the process; then, based on pid_cachep, determine the address slab_cache of the cache area corresponding to the process; when slab_cache is equal to the address pid_cache in the namespace where the process is located, determine that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.
  • the host executes step S304 when the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located; and executes step S303 when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located.
  • S303 The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.
  • the host machine may display a warning message on the screen, where the warning message is used to indicate that a container escape has occurred in the current process.
  • the warning message may include information about the current process.
  • the host machine may also use other methods to prompt warning information, such as recording the escape behavior of the current process through the kernel dmesg, or restarting the host machine.
  • the embodiment of the present application does not limit the method of prompting warning information by the host machine.
  • S304 The host machine ends the detection.
  • the host machine ends the detection when it determines that the mount point of the process is not the root directory. It should be noted that if the mount point of the process is the root directory, the process can access all files except the mounted file system fs. To ensure the security of all files of the mounted file system fs, the embodiment of the present application needs to detect the process; if the mount point of the process is the root directory, the host machine can end the detection of the process.
  • the host machine ends the detection when it determines that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located. It should be noted that the address of the cache area to which the process belongs has a high credibility. When the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, it can be proved that the process does have the permission to access the namespace where the process is located, so the detection can be ended. Process detection.
  • FIG. 8A The method embodiment shown in FIG. 8A above includes many possible implementation schemes. Some of the implementation schemes are illustrated below in conjunction with FIG. 8B. It should be noted that related concepts, operations or logical relationships not explained in FIG. 8B can refer to the corresponding descriptions in the embodiment shown in FIG. 8A.
  • Figure 8B is a flow chart of another method for detecting container escape provided by an embodiment of the present application.
  • the method may include some or all of the following steps:
  • S401 The host machine obtains the data structure of the process.
  • the data structure may include a mount point identifier of the process, a user identifier UID or GID, and a level of the namespace where the process is located.
  • the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts to execute step S401. It should be noted that the present application can be applied to scenarios with high real-time escape detection.
  • S402 The host machine detects whether the mount point of the process is a root directory.
  • S403 The host machine detects whether the user identifier is the root user identifier.
  • the host machine checks whether the user identifier is the root user's identifier, that is, checks the UID/GID of the process to see whether the current process is a ROOT process.
  • the user identifier may be at least one of a user identifier UID and a user group identifier GID; the root user identifier may be zero.
  • the host executes step S404; when it is determined that the user identifier is not an identifier of the root user, the host executes step S407.
  • S404 The host machine detects whether the level of the namespace where the process is located is zero.
  • the host machine detects whether the process level is zero, that is, checks whether the nsproxy level of the process is the level (0) of init_proxy; when the level of the namespace where the process is located is zero, execute step S405; when it is determined that the level of the namespace where the process is located is not zero, execute step S406.
  • S405 The host machine detects whether the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located.
  • page is the virtual address space of the object
  • slab_cache is the slab manager pointed to by the current page, and subsequent memory allocations are all based on this cache
  • pid_cachep is the address of the slab that points to the allocated pid.
  • step S407 when the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, the host executes step S407; when the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, the host executes step S406.
  • S405 is a detection for slab_cache.
  • the principle is (1) the no merge attribute is set when the namespace slab_cache is created, and caches of similar sizes are not allowed to merge; (2) when the process pid_cachep is allocated, a new slab cache is directly created; (the pid_cachep of each process is different).
  • merge is a feature of the slab allocator.
  • S406 The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.
  • the host machine may display a warning message on the screen, where the warning message is used to indicate that a container escape has occurred in the current process.
  • the warning message may include information about the current process.
  • the host can also use other methods to prompt warning information, such as recording the escape of the current process through the kernel dmesg
  • the embodiment of the present application does not limit the manner in which the host prompts the warning information.
  • the host machine ends the detection when it determines that the mount point of the process is not the root directory. It should be noted that if the mount point of the process is the root directory, the process can access all files except the mounted file system fs. To ensure the security of all files of the mounted file system fs, the embodiment of the present application needs to detect the process; if the mount point of the process is the root directory, the host machine can end the detection of the process.
  • the host machine ends the detection when it determines that the user identifier of the process is not the identifier of the root user. It should be noted that when the user identifier of the process is not the identifier of the root user, the process has low authority and the possibility of container escape is low, so the detection is ended.
  • the host machine ends the detection when it determines that the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located. It should be noted that the address of the cache area to which the process belongs has a high credibility. When the address of the cache area to which the process belongs is equal to the address in the namespace where the process is located, it can be proved that the process does have the permission to access the namespace where the process is located, so the detection of the process can be ended.
  • the host machine can simultaneously execute the methods of Figures 7 and 8A, that is, after obtaining the data structure of the process, the host machine can execute steps S202 and S402, and when the process satisfies the condition that the namespace of the process is the initial namespace and the mount point of the process is any one of the root directories, execute steps S203 to S207 or S403 to S407.
  • the above method includes a detection mechanism for detecting namespce that escapes to fs and detecting slab_cache, which can detect the behavior of obtaining all namecpaces due to escaping due to modifying the namespace.
  • Figure 9A is a flow chart of a method for detecting container escape provided by an embodiment of the present application.
  • the method may include some or all of the following steps:
  • S501 The host machine detects whether the mount point of the process is a root directory.
  • the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts to execute step S501. It should be noted that the present application can be applied to scenarios with high real-time escape detection.
  • the mount point is an operation directory. It should be noted that the mount operation will hide the files in the original Linux directory, so it is best to select the Linux directory itself and create an empty operation directory for mounting. After mounting, this operation directory is called a mount point.
  • the mount point identifier is used to indicate the file system fs that the process can operate, including reading and writing files.
  • S501 is a bypass detection for init_fs, that is, adding an fs-based detection mechanism in the kernel code to detect the escape behavior of escaping to the root directory.
  • S502 The host machine detects whether the target data in the data structure of the process meets the preset conditions.
  • the host machine may obtain target data from the data structure of the process; and then detect whether the target data meets a preset condition.
  • the target data is the level of the namespace where the process is located; the host determines whether the level of the namespace where the process is located is zero; when it is determined that the level of the namespace where the process is located is zero, it is determined that the target data in the data structure of the process meets the preset conditions, and step S503 is executed. It should be noted that since the level of the namespace where the process is located is zero, it proves that the process has a high authority, so an alarm is issued.
  • the target data is the user ID of the process; the host machine can detect whether the user ID of the process is the ID of the root user; when it is determined that the user ID of the process is the ID of the root user, it is determined that the target data in the data structure of the process meets the preset conditions, and step S503 is executed. It should be noted that since the user ID of the process is the ID of the root user, it proves that the process has higher authority, so an alarm is issued.
  • the user identifier may be at least one of a user identifier UID and a user group identifier GID; the root user identifier may be zero.
  • step S504 when the host machine determines that the target data in the data structure of the process meets the preset condition, step S504 is executed; otherwise, step S503 is executed.
  • S503 The host machine prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.
  • the host machine may display a warning message on the screen, where the warning message is used to indicate that a container escape has occurred in the current process.
  • the warning message may include information about the current process.
  • the host machine may also use other methods to prompt warning information, such as recording the escape behavior of the current process through the kernel dmesg, or restarting the host machine.
  • the embodiment of the present application does not limit the method of prompting warning information by the host machine.
  • the host machine ends the detection when it determines that the mount point of the process is not the root directory. It should be noted that if the mount point of the process is the root directory, the process can access all files except the mounted file system fs. To ensure the security of all files of the mounted file system fs, the embodiment of the present application needs to detect the process; if the mount point of the process is the root directory, the host machine can end the detection of the process.
  • the host machine ends the detection when it determines that the user identifier of the process is not the identifier of the root user. It should be noted that when the user identifier of the process is not the identifier of the root user, the process has low authority and the possibility of container escape is low, so the detection is ended.
  • FIG. 9A The method embodiment shown in FIG. 9A above includes many possible implementation schemes. Some of the implementation schemes are illustrated below in conjunction with FIG. 9B . It should be noted that related concepts, operations or logical relationships not explained in FIG. 9B can refer to the corresponding descriptions in the embodiment shown in FIG. 9A .
  • Figure 9B is a flow chart of another method for detecting container escape provided by an embodiment of the present application.
  • the method may include some or all of the following steps:
  • S601 The host machine obtains the data structure of the process.
  • the data structure may include a mount point identifier of the process, a user identifier UID or GID, and a level of the namespace where the process is located.
  • the host machine can detect whether the current process has escaped when the system calls the current process, or the current process performs process scheduling, process exit or namespace copy related operations, that is, starts to execute step S601. It should be noted that the present application can be applied to scenarios with high real-time escape detection.
  • S602 The host machine detects whether the mount point of the process is a root directory.
  • S603 The host machine detects whether the user identifier is the root user's identifier.
  • the user identifier may be at least one of a user identifier UID and a user group identifier GID; the root user identifier may be zero.
  • the host executes step S604; when it is determined that the user identifier is not an identifier of the root user, the host executes step S606.
  • S604 The host machine detects whether the level of the namespace where the process is located is zero.
  • the host machine detects whether the process level is zero; when the level of the namespace where the process is located is not zero, step S605 is executed; when it is determined that the level of the namespace where the process is located is zero, step S606 is executed.
  • S605 The host prompts an alarm message, where the alarm message is used to prompt the process that a container escape has occurred.
  • the host machine may display a warning message on the screen, where the warning message is used to indicate that a container escape has occurred in the current process.
  • the warning message may include information about the current process.
  • the host machine may also use other methods to prompt warning information, such as recording the escape behavior of the current process through the kernel dmesg, or restarting the host machine.
  • the embodiment of the present application does not limit the method of prompting warning information by the host machine.
  • S606 The host machine ends the detection.
  • the host machine ends the detection when it determines that the mount point of the process is not the root directory. It should be noted that if the mount point of the process is the root directory, the process can access all files except the mounted file system fs. To ensure the security of all files of the mounted file system fs, the embodiment of the present application needs to detect the process; if the mount point of the process is the root directory, the host machine can end the detection of the process.
  • the host machine ends the detection when it determines that the user identifier of the process is not the identifier of the root user. It should be noted that when the user identifier of the process is not the identifier of the root user, the process has low authority and the possibility of container escape is low, so the detection is ended.
  • FIG. 10 is a schematic diagram of the structure of a container escape detection device 100 provided in an embodiment of the present application. It may include an acquisition unit 1001 and a prompt unit 1002, and may also include a determination unit 1003.
  • the container escape detection device 100 is used to implement the above-mentioned container escape detection method, such as the container escape detection method of any embodiment shown in FIG. 6 or FIG. 7 .
  • the container escape detection device 100 comprises:
  • the acquisition unit 1001 is used to acquire the address of the cache area to which the process belongs when it is determined that the namespace where the process is located is the initial namespace;
  • the prompt unit 1002 is used to prompt an alarm message when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, and the alarm message is used to prompt the process that the container escape occurs.
  • the namespace where the process is located is the initial namespace, that is, the namespace that the process can indicate by init_nsproxy, in order to ensure the security of the namespace; therefore, the host machine can detect the process based on the address slab_cache of the cache area to which the process belongs; since slab_cache has a high credibility, slab_cache is compared with the address pid_cache in the namespace where the process is located; when the two are not equal, it can be determined that the process does not have the authority to access the namespace indicated by init_nsproxy, that is, the process has been maliciously tampered with, and the container escape occurs.
  • This method has high accuracy and can effectively detect container escapes.
  • the embodiment of the present application adds a mount point-based detection mechanism in the kernel code, which can detect the behavior of escaping to the root directory and effectively monitor the container escape behavior that occurs by exploiting kernel vulnerabilities, thereby improving system security.
  • the acquiring unit 1001 is used to:
  • the address space pid_cachep of the process is not easily tampered with and has a high credibility. Therefore, the address slab_cache of the cache area corresponding to the process determined based on the address space pid_cachep of the process has a high credibility.
  • An acquisition unit 1001 is used to acquire a user identifier of the process when it is determined that the namespace where the process is located is an initial namespace;
  • the acquisition unit 1001 is used to acquire the address of the cache area to which the process belongs when it is determined that the user identifier is the identifier of the root user.
  • the user identifier is at least one of a user identifier UID and a user group identifier GID; the identifier of the root user is zero.
  • the acquiring unit 1001 is configured to:
  • the level of the namespace where the process is located is obtained
  • the device further includes a determining unit 1003,
  • the acquisition unit 1001 is used to acquire the data structure of the process; the data structure includes the identifier of the namespace where the process is located;
  • the determining unit 1003 is configured to determine that the namespace where the process is located is the initial namespace when the identifier nsproxy of the namespace where the process is located is equal to the identifier init_nsproxy of the initial namespace.
  • each unit may also correspond to the corresponding description of the embodiment shown in FIG. 6 or FIG. 7 .
  • each unit corresponds to its own program code (or program instruction), and when the program codes corresponding to each of these units are run on the processor, the corresponding process of the unit is implemented to achieve the corresponding function.
  • FIG 11 is a schematic diagram of the structure of a container escape detection device 110 provided in an embodiment of the present application.
  • the device 110 may include an acquisition unit 1101 and a prompt unit 1102, and may also include a determination unit 1103.
  • the container escape detection device 110 is used to implement the aforementioned container escape detection method, such as the container escape detection method of any one of the embodiments shown in Figure 8A or Figure 8B.
  • the container escape detection device 110 comprises:
  • the acquisition unit 1101 is used to acquire the address of the cache area to which the process belongs when it is determined that the mount point of the process is the root directory;
  • the prompt unit 1102 is used to prompt an alarm message when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, and the alarm message is used to prompt the process that the container escape occurs.
  • the mount point of the process is the root directory, which means that the process can access all files under the root directory.
  • the process needs to be detected; therefore, the host machine can detect the process based on the address slab_cache of the cache area to which the process belongs; since the address of the cache area to which the process belongs is more credible, the address of the cache area to which the process belongs is compared with the address pid_cache in the namespace where the process is located. When the two are not equal, it is considered that the process originally did not have the authority to access all files under the root directory, and the process has been maliciously tampered with, resulting in a container escape.
  • the embodiment of the present application adds a mount point-based detection mechanism in the kernel code, which can detect the behavior of escaping to the root directory and effectively monitor the container escape behavior that occurs by exploiting kernel vulnerabilities, thereby improving system security.
  • the acquiring unit 1101 is used to:
  • the acquiring unit 1101 is used to:
  • the user identifier is at least one of a user identifier UID and a user group identifier GID; the identifier of the root user is zero.
  • the acquiring unit 1101 is used to:
  • the level of the namespace where the process is located is obtained
  • the device further includes a determining unit 1103,
  • the acquisition unit 1101 is used to acquire the data structure of the process; the data structure includes the mount point identifier of the process;
  • the determining unit 1103 is configured to determine that the mount point of the process is a root directory when the mount point identifier is a root directory identifier.
  • each unit may also correspond to the corresponding description of the embodiment shown in FIG. 8A or FIG. 8B .
  • each unit corresponds to its own program code (or program instruction), and when the program codes corresponding to each of these units are run on the processor, the corresponding process of the unit is implemented to achieve the corresponding function.
  • FIG 12 is a schematic diagram of the structure of another container escape detection device 120 provided in an embodiment of the present application.
  • the device 120 includes at least one processor 1201, at least one memory 1202, and at least one communication interface 1203.
  • the processor 1201, the memory 1202, and the communication interface 1203 are connected through the communication bus and communicate with each other.
  • Processor 1201 can be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the above program.
  • CPU central processing unit
  • ASIC application-specific integrated circuit
  • Communication interface 1203 is used to communicate with other devices or communication networks, such as Ethernet, radio access network (RAN), wireless local area network (Wireless Local Area Networks, WLAN), etc.
  • RAN radio access network
  • WLAN Wireless Local Area Networks
  • the memory 1202 may be a read-only memory (ROM) or other types of static storage devices that can store static information and instructions, a random access memory (RAM) or other types of dynamic storage devices that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc (CD-ROM) or other optical disc storage, optical disc storage (including compressed optical disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory may exist independently and be connected to the processor through a bus. The memory may also be integrated with the processor.
  • the memory 1202 is used to store application code for executing the above solution, and the execution is controlled by the processor 1201.
  • the processor 1201 is used to execute the application code stored in the memory 1202.
  • the code stored in the memory 1202 may execute any of the container escape detection methods provided above, such as:
  • the address of the cache area to which the process belongs is obtained; when it is determined that the address of the cache area to which the process belongs is not equal to the address in the namespace where the process is located, an alarm message is prompted, and the alarm message is used to prompt the process that a container escape occurs.
  • An embodiment of the present application also provides an electronic device, which includes one or more processors and one or more memories; wherein the one or more memories are coupled to the one or more processors, and the one or more memories are used to store computer program codes, and the computer program codes include computer instructions, and when the one or more processors execute the computer instructions, the electronic device executes the method described in the above embodiment.
  • the present application also provides a computer program product including instructions.
  • the computer program product is run on an electronic device, The electronic device is enabled to execute the method described in the above embodiment.
  • An embodiment of the present application further provides a computer storage medium, wherein the computer storage medium may store a program, and when the program is executed, the program includes part or all of the steps of any one of the container escape detection devices recorded in the above method embodiments.
  • the disclosed device can be implemented in other ways.
  • the device embodiments described above are only schematic, such as the division of the units, which is only a logical function division. There may be other division methods in actual implementation, such as multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed.
  • Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, and the indirect coupling or communication connection of the device or unit can be electrical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware or in the form of software functional units.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable memory.
  • the technical solution of the present application, or the part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, which is stored in a memory and includes several instructions for a computer device (which can be a personal computer, server or network device, etc.) to execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned memory includes: U disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), mobile hard disk, magnetic disk or optical disk and other media that can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

La présente demande concerne un procédé de détection de fuite de conteneur, un dispositif électronique et un système. Le procédé comprend les étapes suivantes : lorsqu'il est déterminé qu'un espace de nommage où se trouve un processus est un espace de nommage initial, une machine hôte acquiert l'adresse d'une région de mémoire cache à laquelle le processus appartient ; et lorsqu'il est déterminé que l'adresse de la région de mémoire cache à laquelle le processus appartient n'est pas équivalente à l'adresse dans l'espace de nommage où se trouve le processus, la machine hôte émet des informations d'alarme, les informations d'alarme étant utilisées pour signaler l'apparition d'une fuite de conteneur dans le processus. En mettant en œuvre des modes de réalisation de la présente demande, la précision est élevée, et on peut détecter efficacement une fuite de conteneur.
PCT/CN2023/121088 2022-09-29 2023-09-25 Procédé de détection de fuite de conteneur, dispositif électronique et système WO2024067479A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211200843.7A CN117827362A (zh) 2022-09-29 2022-09-29 一种容器逃逸的检测方法、电子设备及系统
CN202211200843.7 2022-09-29

Publications (1)

Publication Number Publication Date
WO2024067479A1 true WO2024067479A1 (fr) 2024-04-04

Family

ID=90476266

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/121088 WO2024067479A1 (fr) 2022-09-29 2023-09-25 Procédé de détection de fuite de conteneur, dispositif électronique et système

Country Status (2)

Country Link
CN (1) CN117827362A (fr)
WO (1) WO2024067479A1 (fr)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200334362A1 (en) * 2019-04-22 2020-10-22 Cyberark Software Ltd. Securing privileged virtualized execution instances
CN111881453A (zh) * 2020-07-20 2020-11-03 北京百度网讯科技有限公司 一种容器逃逸检测方法、装置以及电子设备
CN114547594A (zh) * 2022-01-24 2022-05-27 华北电力大学 一种智能物联终端容器的渗透攻击检测方法
CN114676424A (zh) * 2022-05-25 2022-06-28 杭州默安科技有限公司 一种容器逃逸检测与阻断方法、装置、设备及存储介质
CN114968494A (zh) * 2022-06-23 2022-08-30 杭州默安科技有限公司 一种容器逃逸检测方法及系统

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200334362A1 (en) * 2019-04-22 2020-10-22 Cyberark Software Ltd. Securing privileged virtualized execution instances
CN111881453A (zh) * 2020-07-20 2020-11-03 北京百度网讯科技有限公司 一种容器逃逸检测方法、装置以及电子设备
CN114547594A (zh) * 2022-01-24 2022-05-27 华北电力大学 一种智能物联终端容器的渗透攻击检测方法
CN114676424A (zh) * 2022-05-25 2022-06-28 杭州默安科技有限公司 一种容器逃逸检测与阻断方法、装置、设备及存储介质
CN114968494A (zh) * 2022-06-23 2022-08-30 杭州默安科技有限公司 一种容器逃逸检测方法及系统

Also Published As

Publication number Publication date
CN117827362A (zh) 2024-04-05

Similar Documents

Publication Publication Date Title
KR102255767B1 (ko) 가상 머신 감사를 위한 시스템 및 방법들
CN110612512B (zh) 保护虚拟执行环境
US8176294B2 (en) Reducing storage expansion of a virtual machine operating system
EP3070604B1 (fr) Procédé et appareil d'accès à des ressources physiques
WO2020244369A1 (fr) Procédé et appareil de communication inter-processus, et dispositif informatique
US7925818B1 (en) Expansion of virtualized physical memory of virtual machine
EP3637288B1 (fr) Procédé, appareil et systèmes pour accéder à un monde sécurisé
EP3365794B1 (fr) Techniques permettant de protéger des pages de mémoire d'une instance informatique virtuelle
US10489185B2 (en) Hypervisor-assisted approach for locating operating system data structures based on attribute matching
US11709931B2 (en) Shadow stack violation enforcement at module granularity
US20210311740A1 (en) Circular shadow stack in audit mode
CN112219202A (zh) 用于客户操作系统的存储器分配
CN115362433A (zh) 用于动态代码的影子堆栈强制范围
WO2023165308A1 (fr) Procédé et appareil de récupération de mémoire, et dispositif de commande
WO2024067479A1 (fr) Procédé de détection de fuite de conteneur, dispositif électronique et système
CN108241801B (zh) 处理系统调用的方法和装置
US11586727B2 (en) Systems and methods for preventing kernel stalling attacks
TW201201102A (en) Resource adjustment methods and systems for virtual machines, and computer program products thereof
US11301282B2 (en) Information protection method and apparatus
US11886900B1 (en) Unikernel hypervisor for managing multi-process applications using unikernel virtual machines
CN115248718A (zh) 内存数据获取方法、装置及存储介质
US20230401081A1 (en) Software isolation of virtual machine resources
CN113157299B (zh) 一种资源配置方法及系统
US11934857B2 (en) Supporting execution of a computer program by using a memory page of another computer program
US20220300314A1 (en) Hypervisor-assisted secured memory sharing among host and guest operating system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23870710

Country of ref document: EP

Kind code of ref document: A1