摘要
近年来,Docker技术因其部署灵活、可扩展性强,获得了大规模应用。Docker采用模块化设计,在降低开发和维护的复杂性的同时引入了针对组件间通信的拒绝服务(DoS)攻击。在Docker容器内频繁进行stdout输出会引起Docker组件消耗大量CPU,造成DoS攻击。经过分析,可发现容器实例中的stdout输出会触发Docker各个组件的goroutine,进行频繁输出复制。为系统化地找出可被DoS攻击的goroutine创建的路径,提出使用静态分析的方法来分析Docker各组件,设计并实现了Docker组件静态分析框架,最后在Docker上进行了测试,成功分析得到了34条此类路径,其中22条路径经验证,可成功被动态触发。
In recent years,Docker has been widely deployed due to its flexibility and high scalability.However,its modular design leads to the DoS attacks on inter-component communication.A new DoS attack that outputs to stdout,causing high CPU usages among different Docker components.Analysis shows that the stdout output triggers the goroutines of Docker components.To find all goroutines setup paths,using the static analysis method to analyze the Docker components systematically was proposed.A static analysis framework was designed and implemented,and evaluated on Docker source code.The results show that static analysis framework finds 34 paths successfully,while 22 of them are confirmed by runtime verification.
作者
周天昱
申文博
杨男子
李金库
秦承刚
喻望
ZHOU Tianyu;SHEN Wenbo;YANG Nanzi;LI Jinku;QIN Chenggang;YU Wang(Zhejiang University NGICS Platform,Hangzhou 310027,China;School of Cyber Science and Technology,Zhejiang University,Hangzhou 310027,China;School of Cyber Engineering,Xidian University,Xi'an 710071,China;Ant Financial Services Group,Hangzhou 310000,China)
出处
《网络与信息安全学报》
2020年第6期45-56,共12页
Chinese Journal of Network and Information Security
基金
浙江省引进培育领军型创新创业团队(2018R01005)
陕西省重点研发计划基金(2019ZDLGY12-06)
中央高校基本科研业务费专项基金(浙江大学NGICS大平台)。
