基于异构观测链的容器逃逸检测方法

doi:10.11959/j.issn.1000-436x.2023008

通信学报 ›› 2023, Vol. 44 ›› Issue (1): 49-63.doi: 10.11959/j.issn.1000-436x.2023008

基于异构观测链的容器逃逸检测方法

张云涛¹, 方滨兴¹^,², 杜春来³, 王忠儒⁴, 崔志坚³, 宋首友¹^,⁵

¹ 北京邮电大学网络空间安全学院，北京 100876
² 广州大学网络空间先进技术研究院，广东广州 510006
³ 北方工业大学信息学院，北京 100144
⁴ 中国网络空间研究院信息化研究所，北京 100010
⁵ 北京丁牛科技有限公司，北京 100081

修回日期:2022-11-11 出版日期:2023-01-25 发布日期:2023-01-01
作者简介:张云涛（1993- ），男，山西晋城人，北京邮电大学博士生，主要研究方向为网络安全、二进制脆弱性分析等
方滨兴（1960- ），男，江西万年人，博士，中国工程院院士，北京邮电大学教授，主要研究方向为计算机体系结构、计算机网络、信息安全
杜春来（1975- ），男，河北保定人，博士，北方工业大学副教授，主要研究方向为网络安全、恶意代码分析等
王忠儒（1986- ），男，山东烟台人，博士，中国网络空间研究院高级工程师，主要研究方向为人工智能、网络安全
崔志坚（1998- ），男，河北保定人，北方工业大学硕士生，主要研究方向为网络安全、漏洞挖掘
宋首友（1989- ），男，云南昆明人，北京邮电大学博士生，主要研究方向为网络安全
基金资助:
国家自然科学基金资助项目(62172006);广东省重点研发计划基金资助项目(2019B010136003);国家重点研发计划基金资助项目(2019YFA0706404)

Container escape detection method based on heterogeneous observation chain

Yuntao ZHANG¹, Binxing FANG¹^,², Chunlai DU³, Zhongru WANG⁴, Zhijian CUI³, Shouyou SONG¹^,⁵

¹ School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
² Cyberspace Institute Advanced Technology, Guangzhou University, Guangzhou 510006, China
³ School of Information Science and Technology, North China University of Technology, Beijing 100144, China
⁴ Chinese Academy of Cyberspace Studies, Institute of Information Technology, Beijing 100010, China
⁵ Beijing DigApis Technology Co., Ltd., Beijing 100081, China

Revised:2022-11-11 Online:2023-01-25 Published:2023-01-01
Supported by:
The National Natural Science Foundation of China(62172006);The Key Research and Development Program of Guangdong Province(2019B010136003);The National Key Research and Development Program of China(2019YFA0706404)

摘要/Abstract

摘要：

针对现有容器逃逸检测技术漏报率较高的问题，提出一种异构观测的实时检测方法。首先对利用内核漏洞的容器逃逸行为建模，选取进程的关键属性作为观测点，提出以“权限提升”为检测标准的异构观测方法；然后利用内核模块实时捕获进程的属性信息，构建进程起源图，并通过容器内外进程边界识别技术缩小起源图规模；最后基于进程属性信息构建异构观测链，实现原型系统HOC-Detector。实验结果表明，HOC-Detector可以成功检测测试数据集中利用内核漏洞的容器逃逸，并且运行时增加的总体开销低于0.8%。

关键词: 容器逃逸, 内核漏洞, 开放起源模型, 异构观测链

Abstract:

Aiming at the problem of high false negative rate in container escape detection technologies, a real-time detecting method of heterogeneous observation was proposed.Firstly, the container escape behavior utilizing kernel vulnerabilities was modeled, and the critical attributes of the process were selected as observation points.A heterogeneous observation method was proposed with “privilege escalation” as the detection criterion.Secondly, the kernel module was adopted to capture the attribute information of the process in real time, and the process provenance graph was constructed.The scale of the provenance graph was reduced through container boundary identification technology.Finally, a heterogeneous observation chain was built based on the process attribute information, and the prototype system HOC-Detector was implemented.The experiments show that HOC-Detector can successfully detect all container escapes using kernel vulnerabilities in the test dataset, and the increased runtime overhead is less than 0.8%.

Key words: container escape, kernel vulnerability, open provenance model, heterogeneous observation chain

中图分类号:

TP393.081

张云涛, 方滨兴, 杜春来, 王忠儒, 崔志坚, 宋首友. 基于异构观测链的容器逃逸检测方法[J]. 通信学报, 2023, 44(1): 49-63.

Yuntao ZHANG, Binxing FANG, Chunlai DU, Zhongru WANG, Zhijian CUI, Shouyou SONG. Container escape detection method based on heterogeneous observation chain[J]. Journal on Communications, 2023, 44(1): 49-63.

图/表 15

图1

图2

图3

图4

图5

图6

图7

表1

图8

表2

图9

表3

图10

表4

表5

参考文献 28

[1]	SOFIA Z . Container technologies[J]. Hypatia, 2000,15(2): 181-201.
[2]	BABU S A , HAREESH M J , MARTIN J P ,et al. System performance evaluation of Para virtualization,container virtualization,and full virtualization using xen,OpenVZ,and XenServer[C]// Proceedings of 2014 Fourth International Conference on Advances in Computing and Communications. Piscataway:IEEE Press, 2014: 247-250.
[3]	BERNSTEIN D . Containers and cloud:from LXC to docker to Kubernetes[J]. IEEE Cloud Computing, 2014,1(3): 81-84.
[4]	MARATHE N , GANDHI A , SHAH J M . Docker swarm and Kubernetes in cloud computing environment[C]// Proceedings of 2019 3rd International Conference on Trends in Electronics and Informatics(ICOEI). Piscataway:IEEE Press, 2019: 179-184.
[5]	SULTAN S , AHMAD I , DIMITRIOU T . Container security:issues,challenges,and the road ahead[J]. IEEE Access, 2019,7: 52976-52996.
[6]	COMBE T , MARTIN A , DI PIETRO R . To docker or not to docker:a security perspective[J]. IEEE Cloud Computing, 2016,3(5): 54-62.
[7]	SALAMERO J . Kubernetes runtime security with falco and sysdig[R]. 2019.
[8]	JIAN Z , CHEN L . A defense method against docker escape attack[C]// Proceedings of the 2017 International Conference on Cryptography,Security and Privacy. Piscataway:IEEE Press, 2017: 142-146.
[9]	ROSEN R . Resource management:Linux kernel namespacess and cgroups[R]. 2013.
[10]	BACARELLA M . Taking advantage of Linux capabilities[R]. 2002.
[11]	ROSEN R . Namespacess and cgroups,the basis of Linux containers[R]. 2016.
[12]	LIN X , LEI L G , WANG Y W ,et al. A measurement study on linux container security:attacks and countermeasures[C]// Proceedings of the 34th Annual Computer Security Applications Conference. New York:ACM Press, 2018: 418-429.
[13]	COOK K . Kernel address space layout randomization[R]. 2013.
[14]	CORBET J . Supervisor mode access prevention[R]. 2012.
[15]	WILFAHRT N . Dirtycow vulnerability details[R]. 2016.
[16]	CORBET J . On vsyscalls and the vDSO[R]. 2011.
[17]	MASON J , SMALL S , MONROSE F ,et al. English shellcode[C]// Proceedings of the 16th ACM Conference on Computer and Communications Security. New York:ACM Press, 2009: 524-533.
[18]	BONGARD M , ILLI D . Reverse shell via voice[D]. Zurich:HSR Hochschule für Technik Rapperswil, 2019.
[19]	RANDAZZO A , TINNIRELLO I . Kata containers:an emerging architecture for enabling MEC services in fast and secure way[C]// Proceedings of 2019 Sixth International Conference on Internet of Things:Systems,Management and Security (IOTSMS). Piscataway:IEEE Press, 2019: 209-214.
[20]	YOUNG E G , ZHU P , CARAZA-HARTER T ,et al. The true cost of containing:a gVisor case study[C]// Proceedings of 11th USENIX Workshop on Hot Topics in Cloud Computing. Berkeley:USENIX Association, 2019: 1-16.
[21]	MOREAU L , FREIRE J , FUTRELLE J ,et al. The open provenance model:an overview[C]// Provenance and Annotation of Data and Processes. Berlin:Springer, 2008: 323-326.
[22]	MORISSON B . Analysis of the linux audit system[D]. England:Royal Holloway,University of London, 2015.
[23]	GEHANI A , TARIQ D . SPADE:support for provenance auditing in distributed environments[C]// ACM/IFIP/USENIX International Conference on Distributed Systems Platforms and Open Distributed Processing. Berlin:Springer, 2012: 101-120.
[24]	LORCZAK P R , CAGLAYAN A K , ECKHARDT D E . A theoretical investigation of generalized voters for redundant systems[C]// Proceedings of the Nineteenth International Symposium on Fault-Tolerant Computing.Digest of Papers. Piscataway:IEEE Press, 1989: 444-451.
[25]	NETZER R H B , MILLER B P . What are race conditions?[J]. ACM Letters on Programming Languages and Systems, 1992,1(1): 74-88.
[26]	FáBREGA F J T , JAVIER F , GUTTMAN J D . Copy on write[R]. 1995.
[27]	CHEN X , IRSHAD H , CHEN Y ,et al. CLARION:sound and clear provenance tracking for microservice deployments[C]// Proceedings of 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 3989-4006.
[28]	GOOGLE. Google microservice demo:online boutique[R]. 2019.

实验	内核漏洞信息			实验环境				实验结果
实验	CVE-ID	漏洞类型	影响版本	操作系统版本	内核版本	Docker版本	容器逃逸方式	HOCDetector	NSDetector
1	CVE-2017-7308	整型溢出漏洞	～4.10.6				直接	√	√
2	CVE-2017-18344	整型溢出漏洞	～4.14.8	64 位	4.8.0-34-generic	18.09.0	间接	√	×
	CVE-2017-1000112	堆溢出漏洞	～4.13.9	Ubuntu 16.04
3	CVE-2016-5195	内核条件竞争漏洞	2.x～4.8.3		4.4.0-43-generic		间接	√	×

pid	fs_root	uid	gid	cap_permitted	mnt_ns	pid_ns	net_ns
1	host	0	0	0000003fffffffff	4026531840	4026531836	4026531957
3045	container	5000	5000	0000000000000000	4026532688	4026532691	4026532693
3046	host	0	0	0000003fffffffff	4026531840	4026531836	4026531957

pid	fs_root	uid	gid	cap_permitted	mnt_ns	pid_ns	net_ns
1	host	0	0	0000003fffffffff	4026531840	4026531836	4026531957
2784	container	5000	5000	0000000000000000	4026532462	4026532465	4026532467
2798	host	0	0	0000003fffffffff	4026532462	4026532465	4026532523

pid	fs_root	uid	gid	cap_permitted	mnt_ns	pid_ns	net_ns
1	host	0	0	0000003fffffffff	4026531840	4026531836	4026531957
1729	container	5000	5000	0000000000000000	4026532458	4026532461	4026532463
1739	None	5000	5000	0000000000000000	None	None	None

微服务	基础测试/s	Linux Audit/s	SPADE/s	HOC-Detector/s	增量开销	总体开销
adservice	47	51	53	57	7.5%	21.3%
cartservice	31	35	43	48	11.6%	54.8%
checkoutservice	35	38	48	53	10.4%	51.4%
currencyservice	28	31	37	40	8.1%	42.9%
emailservice	35	40	44	49	11.4%	40.0%
frontend	33	36	45	49	8.9%	48.5%
loadgenerator	33	37	41	43	4.9%	30.3%
paymentservice	38	44	46	49	6.5%	28.9%
Productcatalog	37	40	45	50	11.1%	35.1%
Recommendation	33	37	41	44	7.3%	33.3%
shippingservice	30	33	35	37	5.7%	23.3%

基于异构观测链的容器逃逸检测方法

Container escape detection method based on heterogeneous observation chain

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 15

参考文献 28

相关文章 0

Metrics

推荐阅读 0