基于异构观测链的容器逃逸检测方法

doi:10.11959/j.issn.1000-436x.2023008

Abstract

Abstract:

Aiming at the problem of high false negative rate in container escape detection technologies, a real-time detecting method of heterogeneous observation was proposed.Firstly, the container escape behavior utilizing kernel vulnerabilities was modeled, and the critical attributes of the process were selected as observation points.A heterogeneous observation method was proposed with “privilege escalation” as the detection criterion.Secondly, the kernel module was adopted to capture the attribute information of the process in real time, and the process provenance graph was constructed.The scale of the provenance graph was reduced through container boundary identification technology.Finally, a heterogeneous observation chain was built based on the process attribute information, and the prototype system HOC-Detector was implemented.The experiments show that HOC-Detector can successfully detect all container escapes using kernel vulnerabilities in the test dataset, and the increased runtime overhead is less than 0.8%.

Key words: container escape, kernel vulnerability, open provenance model, heterogeneous observation chain

CLC Number:

TP393.081

Yuntao ZHANG, Binxing FANG, Chunlai DU, Zhongru WANG, Zhijian CUI, Shouyou SONG. Container escape detection method based on heterogeneous observation chain[J]. Journal on Communications, 2023, 44(1): 49-63.

Figures/Tables 15

References 28

[1]	SOFIA Z . Container technologies[J]. Hypatia, 2000,15(2): 181-201.
[2]	BABU S A , HAREESH M J , MARTIN J P ,et al. System performance evaluation of Para virtualization,container virtualization,and full virtualization using xen,OpenVZ,and XenServer[C]// Proceedings of 2014 Fourth International Conference on Advances in Computing and Communications. Piscataway:IEEE Press, 2014: 247-250.
[3]	BERNSTEIN D . Containers and cloud:from LXC to docker to Kubernetes[J]. IEEE Cloud Computing, 2014,1(3): 81-84.
[4]	MARATHE N , GANDHI A , SHAH J M . Docker swarm and Kubernetes in cloud computing environment[C]// Proceedings of 2019 3rd International Conference on Trends in Electronics and Informatics(ICOEI). Piscataway:IEEE Press, 2019: 179-184.
[5]	SULTAN S , AHMAD I , DIMITRIOU T . Container security:issues,challenges,and the road ahead[J]. IEEE Access, 2019,7: 52976-52996.
[6]	COMBE T , MARTIN A , DI PIETRO R . To docker or not to docker:a security perspective[J]. IEEE Cloud Computing, 2016,3(5): 54-62.
[7]	SALAMERO J . Kubernetes runtime security with falco and sysdig[R]. 2019.
[8]	JIAN Z , CHEN L . A defense method against docker escape attack[C]// Proceedings of the 2017 International Conference on Cryptography,Security and Privacy. Piscataway:IEEE Press, 2017: 142-146.
[9]	ROSEN R . Resource management:Linux kernel namespacess and cgroups[R]. 2013.
[10]	BACARELLA M . Taking advantage of Linux capabilities[R]. 2002.
[11]	ROSEN R . Namespacess and cgroups,the basis of Linux containers[R]. 2016.
[12]	LIN X , LEI L G , WANG Y W ,et al. A measurement study on linux container security:attacks and countermeasures[C]// Proceedings of the 34th Annual Computer Security Applications Conference. New York:ACM Press, 2018: 418-429.
[13]	COOK K . Kernel address space layout randomization[R]. 2013.
[14]	CORBET J . Supervisor mode access prevention[R]. 2012.
[15]	WILFAHRT N . Dirtycow vulnerability details[R]. 2016.
[16]	CORBET J . On vsyscalls and the vDSO[R]. 2011.
[17]	MASON J , SMALL S , MONROSE F ,et al. English shellcode[C]// Proceedings of the 16th ACM Conference on Computer and Communications Security. New York:ACM Press, 2009: 524-533.
[18]	BONGARD M , ILLI D . Reverse shell via voice[D]. Zurich:HSR Hochschule für Technik Rapperswil, 2019.
[19]	RANDAZZO A , TINNIRELLO I . Kata containers:an emerging architecture for enabling MEC services in fast and secure way[C]// Proceedings of 2019 Sixth International Conference on Internet of Things:Systems,Management and Security (IOTSMS). Piscataway:IEEE Press, 2019: 209-214.
[20]	YOUNG E G , ZHU P , CARAZA-HARTER T ,et al. The true cost of containing:a gVisor case study[C]// Proceedings of 11th USENIX Workshop on Hot Topics in Cloud Computing. Berkeley:USENIX Association, 2019: 1-16.
[21]	MOREAU L , FREIRE J , FUTRELLE J ,et al. The open provenance model:an overview[C]// Provenance and Annotation of Data and Processes. Berlin:Springer, 2008: 323-326.
[22]	MORISSON B . Analysis of the linux audit system[D]. England:Royal Holloway,University of London, 2015.
[23]	GEHANI A , TARIQ D . SPADE:support for provenance auditing in distributed environments[C]// ACM/IFIP/USENIX International Conference on Distributed Systems Platforms and Open Distributed Processing. Berlin:Springer, 2012: 101-120.
[24]	LORCZAK P R , CAGLAYAN A K , ECKHARDT D E . A theoretical investigation of generalized voters for redundant systems[C]// Proceedings of the Nineteenth International Symposium on Fault-Tolerant Computing.Digest of Papers. Piscataway:IEEE Press, 1989: 444-451.
[25]	NETZER R H B , MILLER B P . What are race conditions?[J]. ACM Letters on Programming Languages and Systems, 1992,1(1): 74-88.
[26]	FáBREGA F J T , JAVIER F , GUTTMAN J D . Copy on write[R]. 1995.
[27]	CHEN X , IRSHAD H , CHEN Y ,et al. CLARION:sound and clear provenance tracking for microservice deployments[C]// Proceedings of 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 3989-4006.
[28]	GOOGLE. Google microservice demo:online boutique[R]. 2019.

Metrics

Recommended 0

No Suggested Reading articles found!

实验	内核漏洞信息			实验环境				实验结果
实验	CVE-ID	漏洞类型	影响版本	操作系统版本	内核版本	Docker版本	容器逃逸方式	HOCDetector	NSDetector
1	CVE-2017-7308	整型溢出漏洞	～4.10.6				直接	√	√
2	CVE-2017-18344	整型溢出漏洞	～4.14.8	64 位	4.8.0-34-generic	18.09.0	间接	√	×
	CVE-2017-1000112	堆溢出漏洞	～4.13.9	Ubuntu 16.04
3	CVE-2016-5195	内核条件竞争漏洞	2.x～4.8.3		4.4.0-43-generic		间接	√	×

pid	fs_root	uid	gid	cap_permitted	mnt_ns	pid_ns	net_ns
1	host	0	0	0000003fffffffff	4026531840	4026531836	4026531957
3045	container	5000	5000	0000000000000000	4026532688	4026532691	4026532693
3046	host	0	0	0000003fffffffff	4026531840	4026531836	4026531957

pid	fs_root	uid	gid	cap_permitted	mnt_ns	pid_ns	net_ns
1	host	0	0	0000003fffffffff	4026531840	4026531836	4026531957
2784	container	5000	5000	0000000000000000	4026532462	4026532465	4026532467
2798	host	0	0	0000003fffffffff	4026532462	4026532465	4026532523

pid	fs_root	uid	gid	cap_permitted	mnt_ns	pid_ns	net_ns
1	host	0	0	0000003fffffffff	4026531840	4026531836	4026531957
1729	container	5000	5000	0000000000000000	4026532458	4026532461	4026532463
1739	None	5000	5000	0000000000000000	None	None	None

微服务	基础测试/s	Linux Audit/s	SPADE/s	HOC-Detector/s	增量开销	总体开销
adservice	47	51	53	57	7.5%	21.3%
cartservice	31	35	43	48	11.6%	54.8%
checkoutservice	35	38	48	53	10.4%	51.4%
currencyservice	28	31	37	40	8.1%	42.9%
emailservice	35	40	44	49	11.4%	40.0%
frontend	33	36	45	49	8.9%	48.5%
loadgenerator	33	37	41	43	4.9%	30.3%
paymentservice	38	44	46	49	6.5%	28.9%
Productcatalog	37	40	45	50	11.1%	35.1%
Recommendation	33	37	41	44	7.3%	33.3%
shippingservice	30	33	35	37	5.7%	23.3%

Container escape detection method based on heterogeneous observation chain

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 15

References 28

Related Articles 0

Metrics

Recommended 0