Abstract
Containers are a lightweight virtualization technology. Reducing the number of system calls reachable from inside a container cuts the attack surface the Linux kernel exposes to it, but applied bluntly this protection comes at a steep cost in container functionality. Given the difficulty of balancing container security against usability, this paper proposes AutoSec. AutoSec combines dynamic training with static analysis to extract a container's system-call set and generates a separate Seccomp BPF profile for each phase of the container's lifecycle, so that the set of system calls available inside the container tracks what the running program actually needs at each phase. The four most popular images on Docker Hub were selected to evaluate how effectively AutoSec reduces the container attack surface; the results show that, with acceptable performance overhead and no loss of container functionality, AutoSec removes more than 70% of the system calls otherwise exposed inside the container and thus effectively hardens it.
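The syscall-set extraction and per-phase profile generation the abstract describes, as an added example (this is not the paper's AutoSec code): a small Python script that parses a constructed `strace -f` recording annotated with phase markers, unions it with a constructed set of syscalls that a static pass over the binaries is assumed to contribute, and writes one Docker/OCI seccomp allowlist per lifecycle phase. The trace, the static set, the phase-marker convention and the baseline count of 300 are all assumptions. The script adds one thing the abstract does not state, because a practitioner hits it immediately: an installed seccomp filter can never be removed and later filters only restrict further, so each phase's allowlist must also cover every later phase, and non-final phases must keep `seccomp`/`prctl` so the next filter can be installed.

```python
"""Build per-phase Docker/OCI seccomp profiles from observed syscalls.

Added example for the AutoSec abstract; not the paper's code. Combines a
constructed strace -f recording (split into phases by marker lines) with a
constructed set of syscalls assumed to come from static analysis, and emits
one allowlist profile per phase.
"""
import json
import re

# One strace -f line: "<pid> <name>(...)" or "[pid <pid>] <name>(...)".
CALL_RE = re.compile(r"^\s*(?:\[pid\s+)?(\d+)\]?\s+([A-Za-z_][A-Za-z0-9_]*)\(")
# Phase markers inserted into the trace by the training harness (our own convention).
PHASE_RE = re.compile(r"^#\s*---\s*phase:\s*(\w+)\s*---")

# Constructed sample trace of an nginx-like container; not real captured data.
SAMPLE_TRACE = """\
# --- phase: startup ---
101 execve("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"], 0x7ffd...) = 0
101 brk(NULL) = 0x55e0c0000000
101 openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
101 read(3, "worker_processes  1;"..., 4096) = 1024
101 close(3) = 0
101 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
101 bind(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=0.0.0.0}, 16) = 0
101 listen(4, 511) = 0
101 setgid(101) = 0
101 setuid(101) = 0
# --- phase: serving ---
102 accept4(4, {sa_family=AF_INET, sin_port=htons(51234)}, [16], SOCK_NONBLOCK) = 5
102 recvfrom(5, "GET / HTTP/1.1"..., 1024, 0, NULL, NULL) = 78
102 openat(AT_FDCWD, "/usr/share/nginx/html/index.html", O_RDONLY) = 6
102 sendfile(5, 6, [0] => [615], 615) = 615
102 close(6) = 0
102 epoll_wait(3, [], 512, -1) = 0
"""

# Constructed stand-in for what a static pass over the binaries would add:
# calls the dynamic run happened not to exercise (libc setup, error/exit paths).
STATIC_EXTRA = {
    "startup": {"mmap", "mprotect", "rt_sigaction"},
    "serving": {"writev", "exit_group"},
}


def parse_trace(text):
    """Return {phase: set(syscall names)} from a marker-annotated strace -f log."""
    phases, current = {}, None
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            current = m.group(1)
            phases.setdefault(current, set())
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            phases[current].add(m.group(2))
    return phases


def merge(dynamic, static):
    """Union the dynamically observed and statically derived sets per phase."""
    return {p: dynamic.get(p, set()) | static.get(p, set())
            for p in set(dynamic) | set(static)}


def make_profile(names):
    """Docker/OCI seccomp profile: deny everything except an explicit allowlist."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "defaultErrnoRet": 1,  # EPERM
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(names), "action": "SCMP_ACT_ALLOW"}],
    }


def build_profiles(phase_sets, order):
    """One profile per phase, in lifecycle order.

    Seccomp filters stack: an installed filter is never removed and a later
    one can only restrict further. So phase i must allow everything phases
    i..n use, and every non-final phase keeps seccomp()/prctl() so the
    process can install the next, narrower filter.
    """
    effective, carry = {}, set()
    for phase in reversed(order):
        carry = carry | phase_sets[phase]
        effective[phase] = set(carry)
    for phase in order[:-1]:
        effective[phase] |= {"seccomp", "prctl"}
    return {p: make_profile(effective[p]) for p in order}


def allowed_names(profile):
    return profile["syscalls"][0]["names"]


def reduction(profile, baseline):
    """Fraction of a baseline allowlist that this profile removes."""
    return 1.0 - len(allowed_names(profile)) / baseline


if __name__ == "__main__":
    sets = merge(parse_trace(SAMPLE_TRACE), STATIC_EXTRA)
    profiles = build_profiles(sets, ["startup", "serving"])
    # 300 is an assumed baseline (Docker's default profile allows several
    # hundred syscalls); substitute the count for your engine version.
    for phase, prof in profiles.items():
        print(f"{phase}: {len(allowed_names(prof))} allowed, "
              f"{reduction(prof, 300):.0%} fewer than baseline 300")
        with open(f"seccomp-{phase}.json", "w") as fh:
            json.dump(prof, fh, indent=2)
```

The startup profile can be loaded with `docker run --security-opt seccomp=seccomp-startup.json ...`; that flag installs one filter for the container's whole life, so switching to the narrower serving profile at the phase boundary has to happen from inside the container (for example, an entrypoint that loads the second filter via libseccomp before exec'ing the workload). The abstract does not say how AutoSec performs that switch.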
Authors
张新义
武泽慧
贾琼
陈志浩
ZHANG Xinyi; WU Zehui; JIA Qiong; CHEN Zhihao (State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; Beijing Institute of Computer Technology and Application, Beijing 100000, China)
Source
《小型微型计算机系统》
CSCD
Peking University Core Journal (北大核心)
2024, No. 4, pp. 951-959 (9 pages)
Journal of Chinese Computer Systems
Funding
Supported by the National Key R&D Program of China (2017YFB0802901).