[go: up one dir, main page]

WO2019127399A1 - Fine-grained sandbox policy execution method for linux container - Google Patents

Fine-grained sandbox policy execution method for linux container Download PDF

Info

Publication number
WO2019127399A1
WO2019127399A1 PCT/CN2017/119930 CN2017119930W WO2019127399A1 WO 2019127399 A1 WO2019127399 A1 WO 2019127399A1 CN 2017119930 W CN2017119930 W CN 2017119930W WO 2019127399 A1 WO2019127399 A1 WO 2019127399A1
Authority
WO
WIPO (PCT)
Prior art keywords
system call
container
sandbox
linux
target container
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2017/119930
Other languages
French (fr)
Chinese (zh)
Inventor
万志远
蔡亮
王新宇
夏鑫
杨小虎
李善平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU filed Critical Zhejiang University ZJU
Priority to PCT/CN2017/119930 priority Critical patent/WO2019127399A1/en
Publication of WO2019127399A1 publication Critical patent/WO2019127399A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Definitions

  • the invention patent belongs to the field of computer technology and relates to the security direction of cloud computing. More specifically, the present invention relates to a fine-grained sandbox policy execution method for a Linux container.
  • Linux container technology uses namespaces to isolate resources such as incoming files, devices, and other resources, providing users with a near-native performance experience, greatly reducing the overhead of virtualization.
  • the Docker container is one of the most representative Linux container technologies.
  • the security of Linux containers has become an important factor limiting their widespread use.
  • the security problem mainly comes from the fact that the system call interface does not implement the isolation of the namespace, and the container on the same host operating system shares the system call interface.
  • An attacker can use the kernel call to perform privilege escalation, arbitrary code execution, bypass access control, and escape from the isolation mechanism through the system call interface.
  • the present invention provides a fine-grained sandbox policy execution method for a Linux container.
  • a system call level implement fine-grained sandbox policy enforcement and securely harden Linux containers.
  • the fine-grained sandbox policy limits the system call types and parameters of the Linux container.
  • the invention adopts the following technical solutions: a fine-grained sandbox policy execution method of a Linux container; the fine-grained sandbox policy includes a system call type of a Linux container and access rights of parameters; the fine-grained sandbox policy execution method of the Linux container
  • the container tracking module and the system call interception module are included; the container tracking module includes a tracking process; the method includes the following steps:
  • Step 1 Start the tracking process.
  • Step 2 After the initial process of the target container is started, through the inter-process communication, the tracking process obtains the process number of the initial process of the target container from the container running environment; the tracking process attaches to the process number of the initial process of the target container.
  • the initial process of the target container; the tracking process reads the sandbox policy, obtains the filtering rules of the string type parameters called by the target container system, waits for the triggering event; meanwhile, the system calls the intercepting module to read the sandbox policy, and the sandbox policy Loaded into the system kernel.
  • Step 3 The system call interception module intercepts the system call access of the target container in real time; and limits the system call behavior of the target container according to the system call type of the Linux container and the access permission of the parameter, specifically:
  • the sandbox policy allows access by the system call; if the type and parameters of the system call access are in the sandbox policy defined tracking list, the target container is suspended. Run, trigger the container tracking module; in other cases, the system call access is prohibited;
  • the parameters accessed by the target container system are filtered according to the sandbox rules. Restart the filtered target container and wait for the next event to fire.
  • the initial process of attaching to the target container in step 2 specifically refers to: calling the Linux system call interface ptrace, and passing PTRACE_ATTACH as the first parameter.
  • system call interception module described in step 2 reads the sandbox policy and loads the sandbox policy into the system kernel, specifically: reads the sandbox policy configuration file, translates it into a seccomp/BPF program, and loads Runs in the Linux kernel to subsequently restrict the system call behavior of the target container.
  • system call access of the real-time interception target container in step 3 specifically refers to: the running seccomp/BPF program intercepts the system call access of the target container in real time.
  • step 3 according to the sandbox rule, the parameters of the target container system call access are filtered, specifically: calling the Linux system call interface ptrace, respectively inputting PTRACE_GETREGS and PTRACE_PEEKDATA as the first parameter, from the register and Reads the string type parameter accessed by the target container process system call in memory, and performs filtering on the parameter according to the sandbox policy.
  • restarting the filtered target container in step 3 specifically refers to: calling the Linux system call interface ptrace, and passing PTRACE_CONT as the first parameter.
  • (1) reducing the attack surface by executing the method of the present invention, the type and parameters of the system call access of the target container can be restricted, thereby limiting the behavior of the target container; further, if the container is intruded, the attacker can limit the underlying operating system and Hazards that may be caused by other containers on the same host operating system;
  • Figure 1 shows an architectural schematic of various embodiments of the present invention
  • FIG. 2 is a flow chart showing a method for executing a fine-grained sandbox policy according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram showing an example code of a sandbox policy configuration file according to an embodiment of the present invention
  • Figure 4 shows a schematic diagram of the end-to-end performance TPS of the container.
  • the invention proposes a fine-grained sandbox policy execution method for a Linux container. Specifically, at the system call level, a fine-grained sandbox policy is implemented. Fine-grained refers to restricting the system call type and parameters of the container. The parameter types include strings and non-strings, thereby implementing security hardening of the Linux container.
  • the method includes a container tracking module and a system call intercepting module, as shown in FIG.
  • the container tracking module can track the target container by using the ptrace system call interface, and filter the system call access with parameters of the string type according to the rules defined by the sandbox policy.
  • the system call interception module can filter system call types and system call accesses with non-string type parameters by using the seccomp/BPF system call interception technique.
  • the method of the present invention includes the following steps:
  • Step 1 Start the tracking process of the container tracking module manually or automatically, and the tracking process waits for the startup of the target container; this step can realize the synchronization between the tracking process and the system call interception module process by adopting a Linux named pipe (FIFO).
  • FIFO Linux named pipe
  • FIFO Linux Named Pipes
  • the process number of the initial process the tracking process uses the process number of the initial process of the target container to attach to the initial process of the target container; specifically, the tracking process can call the ptrace system call interface and pass in the PTRACE_ATTACH and the initial process of the target container.
  • the process number is used as the first and second parameters; then, the tracking process loads the sandbox policy, and the sandbox policy contains the filtering rules for the parameters of the string type of the target container system call; finally, the tracking process calls waitpid to wait for the target container process. trigger event.
  • the system call interception module is started by the security-opt seccomp option of the docker run command; the system call interception module can read and parse the sandbox policy configuration file in the JSON format, as shown in FIG. 3; Converts all rules in the sandbox policy configuration file to seccomp/BPF and loads the Linux kernel.
  • Step 3 The system calls the execution of the interception module.
  • the specific implementation includes the following sub-steps:
  • Step 3.1 Using seccomp/BPF technology, in the target container's system call entry, intercepting the system call access of the target container in real time;
  • Step 3.2 The system call interception module limits the system call type and parameters of the target container according to the loaded sandbox policy; the sandbox policy can be described in the JSON format configuration file, as shown in FIG. 3; the sandbox policy specifically includes: The target container is allowed to access the access type and parameters, ie whitelist: the "action" of the sandbox rule in the whitelist is defined as the "SCMP_ACT_ALLOW” operation, ie the sandbox policy allows the defined system call access; 2) the target container The tracked system calls the access type and parameters, that is, the tracking list: the "action" of the sandbox rule in the tracking list is defined as "SCMP_ACT_TRACE", that is, the target container is suspended, and the ptrace event is sent to the tracking process, thereby triggering the container tracking module; 3) In other cases, follow the default “action” “SCMP_ACT_ERRNO” defined by the sandbox policy, which disables the system call access of the target container and returns an error
  • the tracking process filters the parameters of the target container system call access according to the sandbox rules, specifically: calling the Linux system call interface ptrace, respectively passing PTRACE_GETREGS and PTRACE_PEEKDATA as the first parameter, the slave register And reading the string type parameter of the target container process system call in the memory; performing a filtering operation on the parameter according to the sandbox policy.
  • the impact of the method on the performance of the Linux container is analyzed, and the method is used to limit the system call access of the Docker container.
  • Each container runs in two forms, that is, this method restricts the system call access of the container and does not restrict the system call access of the container.
  • TPS Transactions Per Second

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

A fine-grained sandbox policy execution method for a Linux container, for use in limiting system call behaviors of the Linux container, reducing attack surfaces, and implementing security reinforcement of the Linux container. The method comprises: a container tracking module tracks the running of a target container by using a system call interface ptrace, and filters system call access having string type parameters according to a rule defined by a sandbox policy. A system call interception module intercepts the system call access of the target container in real time by using a seccomp/BPF technology, and filters system call types and system call access having non-string type parameters according to the rule defined by the sandbox policy.

Description

Linux容器的细粒度沙盒策略执行方法Fine-grained sandbox policy execution method for Linux container 技术领域Technical field

本发明专利属于计算机技术领域,涉及云计算安全方向。更具体的讲,本发明专利涉及一种Linux容器的细粒度沙盒策略执行方法。The invention patent belongs to the field of computer technology and relates to the security direction of cloud computing. More specifically, the present invention relates to a fine-grained sandbox policy execution method for a Linux container.

背景技术Background technique

Linux容器技术采用命名空间将进、文件、设备等资源进行隔离,为用户提供几近原生的性能体验,极大降低了虚拟化的额外开销。Docker容器是最具代表性的Linux容器技术之一。Linux container technology uses namespaces to isolate resources such as incoming files, devices, and other resources, providing users with a near-native performance experience, greatly reducing the overhead of virtualization. The Docker container is one of the most representative Linux container technologies.

Linux容器的安全问题已成为限制其广泛使用的重要影响因素。安全问题主要来源于,系统调用接口未实现命名空间的隔离,同一宿主操作系统上的容器共享系统调用接口。攻击者可通过系统调用接口,利用内核漏洞进行权限提升、任意代码执行、绕过访问控制、实现隔离机制的逃逸。The security of Linux containers has become an important factor limiting their widespread use. The security problem mainly comes from the fact that the system call interface does not implement the isolation of the namespace, and the container on the same host operating system shares the system call interface. An attacker can use the kernel call to perform privilege escalation, arbitrary code execution, bypass access control, and escape from the isolation mechanism through the system call interface.

如何提高容器的安全性?一种直观的方法是将容器放在沙盒中,限制容器访问系统调用接口的行为。当可信容器被攻击者攻占后,沙盒的存在一定程度上可以限制攻击者对底层操作系统的影响。系统调用拦截技术是一种限制程序系统调用行为的有效技术,基于系统调用拦截技术的沙盒技术得到研究界及工业界的广泛关注。其中,seccomp/BPF技术是自Linux 3.5开始引入的一种高效的系统调用拦截技术。How to improve the safety of the container? An intuitive way is to place the container in a sandbox and restrict the behavior of the container accessing the system call interface. When the trusted container is captured by the attacker, the existence of the sandbox can limit the impact of the attacker on the underlying operating system to some extent. System call interception technology is an effective technique to limit the behavior of program system calls. The sandbox technology based on system call interception technology has received extensive attention from the research community and industry. Among them, seccomp/BPF technology is an efficient system call interception technology introduced since Linux 3.5.

然而,基于系统拦截技术的沙盒技术,实现Linux容器的细粒度沙盒策略执行,即过滤字符串类型的系统调用参数,仍然极具挑战。However, based on the sandbox technology of the system interception technology, it is still very challenging to implement the fine-grained sandbox policy execution of the Linux container, that is, to filter the string call type system call parameters.

发明内容Summary of the invention

针对上述问题,本发明提出一种Linux容器的细粒度沙盒策略执行方法。在系统调用层面,实现细粒度沙盒策略执行,对Linux容器进行安全加固。细粒度沙盒策略限制Linux容器的系统调用类型及参数。In view of the above problems, the present invention provides a fine-grained sandbox policy execution method for a Linux container. At the system call level, implement fine-grained sandbox policy enforcement and securely harden Linux containers. The fine-grained sandbox policy limits the system call types and parameters of the Linux container.

本发明采用如下技术方案:一种Linux容器的细粒度沙盒策略执行方法;细粒度沙盒策略包含了Linux容器的系统调用类型及参数的访问权限;该Linux容器的细粒度沙盒策略执行方法包括容器追踪模块和系统调用拦截模块;所述容器追踪模块包括追踪进程;该方法包括以下步骤:The invention adopts the following technical solutions: a fine-grained sandbox policy execution method of a Linux container; the fine-grained sandbox policy includes a system call type of a Linux container and access rights of parameters; the fine-grained sandbox policy execution method of the Linux container The container tracking module and the system call interception module are included; the container tracking module includes a tracking process; the method includes the following steps:

步骤1:启动追踪进程。Step 1: Start the tracking process.

步骤2:当目标容器的初始进程启动之后,通过进程间通信,追踪进程从容器运行环境获取目标容器的初始进程的进程号;追踪进程根据目标容器的初始进程的进程号,附着(attach)到目标容器的初始进程;追踪进程读取沙盒策略,获得目标容器系统调用的字符串类型的参数的过滤规则,等待触发事件;同时,系统调用拦截模块读取沙盒策略,并将沙盒策略载入到系统内核。Step 2: After the initial process of the target container is started, through the inter-process communication, the tracking process obtains the process number of the initial process of the target container from the container running environment; the tracking process attaches to the process number of the initial process of the target container. The initial process of the target container; the tracking process reads the sandbox policy, obtains the filtering rules of the string type parameters called by the target container system, waits for the triggering event; meanwhile, the system calls the intercepting module to read the sandbox policy, and the sandbox policy Loaded into the system kernel.

步骤3:系统调用拦截模块实时拦截目标容器的系统调用访问;并根据Linux容器的系统调用类型及参数的访问权限,限制目标容器的系统调用行为,具体为:Step 3: The system call interception module intercepts the system call access of the target container in real time; and limits the system call behavior of the target container according to the system call type of the Linux container and the access permission of the parameter, specifically:

如果系统调用访问的类型和参数在沙盒策略定义的白名单中,则沙盒策略允许此次系统调用访问;如果系统调用访问的类型和参数在沙盒策略定义的追踪名单中,暂停目标容器运行,触发容器追踪模块;其他情况下,禁止此次系统调用访问;If the type and parameters of the system call access are in the whitelist defined by the sandbox policy, the sandbox policy allows access by the system call; if the type and parameters of the system call access are in the sandbox policy defined tracking list, the target container is suspended. Run, trigger the container tracking module; in other cases, the system call access is prohibited;

当容器追踪模块被触发后,根据沙盒规则,对目标容器系统调用访问的参数进行过滤。重启该过滤后的目标容器,等待下次事件的触发。After the container tracking module is triggered, the parameters accessed by the target container system are filtered according to the sandbox rules. Restart the filtered target container and wait for the next event to fire.

进一步地,步骤2所述的附着(attach)到目标容器的初始进程,具体是指:调用Linux系统调用接口ptrace,传入PTRACE_ATTACH作为第一个参数。Further, the initial process of attaching to the target container in step 2 specifically refers to: calling the Linux system call interface ptrace, and passing PTRACE_ATTACH as the first parameter.

进一步地,步骤2所述的系统调用拦截模块读取沙盒策略,并将沙盒策略载入到系统内核,具体是指:读取沙盒策略配置文件,翻译成seccomp/BPF程序并载入Linux内核中运行,用于后续限制目标容器的系统调用行为。Further, the system call interception module described in step 2 reads the sandbox policy and loads the sandbox policy into the system kernel, specifically: reads the sandbox policy configuration file, translates it into a seccomp/BPF program, and loads Runs in the Linux kernel to subsequently restrict the system call behavior of the target container.

进一步地,步骤3所述的实时拦截目标容器的系统调用访问,具体是指:运行中的seccomp/BPF程序实时拦截目标容器的系统调用访问。Further, the system call access of the real-time interception target container in step 3 specifically refers to: the running seccomp/BPF program intercepts the system call access of the target container in real time.

进一步地,步骤3所述的根据沙盒规则,对目标容器系统调用访问的参数进行过滤,具体是指:调用Linux系统调用接口ptrace,分别传入PTRACE_GETREGS和PTRACE_PEEKDATA作为第一个参数,从寄存器及内存中读取目标容器进程系统调用访问的字符串类型参数,并根据沙盒策略,对参数执行过滤操作。Further, in step 3, according to the sandbox rule, the parameters of the target container system call access are filtered, specifically: calling the Linux system call interface ptrace, respectively inputting PTRACE_GETREGS and PTRACE_PEEKDATA as the first parameter, from the register and Reads the string type parameter accessed by the target container process system call in memory, and performs filtering on the parameter according to the sandbox policy.

进一步地,步骤3所述的重启该过滤后的目标容器,具体是指:调用Linux系统调用接口ptrace,传入PTRACE_CONT作为第一个参数。Further, the restarting the filtered target container in step 3 specifically refers to: calling the Linux system call interface ptrace, and passing PTRACE_CONT as the first parameter.

本发明下有益效果在于:The beneficial effects of the present invention are as follows:

(1)减少攻击面:通过执行本发明方法,可限制目标容器的系统调用访问的类型和参数,从而限制目标容器的行为;进一步地,如容器被入侵,可限制攻击者对底层操作系统及同一宿主操作系统上的其他容器可能造成的危害;(1) reducing the attack surface: by executing the method of the present invention, the type and parameters of the system call access of the target container can be restricted, thereby limiting the behavior of the target container; further, if the container is intruded, the attacker can limit the underlying operating system and Hazards that may be caused by other containers on the same host operating system;

(2)额外性能开销小:Linux容器的细粒度沙盒策略执行引发的目标容器端到端额外性能开销几乎可以忽略。(2) The extra performance overhead is small: the end-to-end additional performance overhead of the target container caused by the fine-grained sandbox policy execution of the Linux container is almost negligible.

附图说明DRAWINGS

图1示出本发明的各种实施例的架构原理图;Figure 1 shows an architectural schematic of various embodiments of the present invention;

图2示出本发明一种实施例的细粒度沙盒策略执行方法流程图;2 is a flow chart showing a method for executing a fine-grained sandbox policy according to an embodiment of the present invention;

图3示出本发明一种实施例的沙盒策略配置文件示例代码示意图;3 is a schematic diagram showing an example code of a sandbox policy configuration file according to an embodiment of the present invention;

图4示出容器的端到端性能TPS示意图。Figure 4 shows a schematic diagram of the end-to-end performance TPS of the container.

具体实施方法Specific implementation method

为便于本领域普通技术人员理解和实施本发明,下面结合附图及实施示例对本发明作进一步的详细描述。应当理解,所述的实施示例仅用于说明和解释本发明,并不应该限制本发明的范围。The present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It is to be understood that the described embodiments are merely illustrative of the invention and are not intended to limit the scope of the invention.

本发明提出了一种Linux容器的细粒度沙盒策略执行方法。具体来讲,在系统调用层面,执行细粒度沙盒策略,细粒度是指限制容器的系统调用类型及参数,参数类型包括字符串和非字符串,从而实现对Linux容器的安全加固。The invention proposes a fine-grained sandbox policy execution method for a Linux container. Specifically, at the system call level, a fine-grained sandbox policy is implemented. Fine-grained refers to restricting the system call type and parameters of the container. The parameter types include strings and non-strings, thereby implementing security hardening of the Linux container.

该方法包含容器追踪模块和系统调用拦截模块,如图1所示。容器追踪模块可以通过采用ptrace系统调用接口,追踪目标容器,根据沙盒策略定义的规则,对具有字符串类型的参数的系统调用访问进行过滤。系统调用拦截模块可以通过采用seccomp/BPF系统调用拦截技术,对系统调用类型及具有非字符串类型参数的系统调用访问进行过滤。The method includes a container tracking module and a system call intercepting module, as shown in FIG. The container tracking module can track the target container by using the ptrace system call interface, and filter the system call access with parameters of the string type according to the rules defined by the sandbox policy. The system call interception module can filter system call types and system call accesses with non-string type parameters by using the seccomp/BPF system call interception technique.

如图2所示,本发明方法包括如下步骤:As shown in FIG. 2, the method of the present invention includes the following steps:

步骤1:采用手动或自动方式启动容器追踪模块的追踪进程,追踪进程等待目标容器的启动;该步骤可通过采用Linux命名管道(FIFO),实现追踪进程与系统调用拦截模块进程间的同步。Step 1: Start the tracking process of the container tracking module manually or automatically, and the tracking process waits for the startup of the target container; this step can realize the synchronization between the tracking process and the system call interception module process by adopting a Linux named pipe (FIFO).

步骤2:在命令行输入“docker run--security-opt seccomp=”启动目标容器的初始进程后,追踪进程通过进程间通信,比如采用Linux命名管道(FIFO),从容器运行环境获取目标容器的初始进程的进程号;追踪进程利用目标容器的初始进程的进程号,附着到目标容器的初始进程;具体而言,追踪进程可调用ptrace系统调用接口,并传入PTRACE_ATTACH和目标容器的初始进程的进程号作为第一个和第二个参数;然后,追踪进程载入沙盒策略,沙盒策略包含目标容器系统调用的字符串类型的参数的过滤规则;最后,追踪进程调用waitpid等待目标容器进程触发事件。Step 2: After entering the initial process of the target container by entering "docker run--security-opt seccomp=" on the command line, the tracking process obtains the target container from the container running environment through inter-process communication, such as using Linux Named Pipes (FIFO). The process number of the initial process; the tracking process uses the process number of the initial process of the target container to attach to the initial process of the target container; specifically, the tracking process can call the ptrace system call interface and pass in the PTRACE_ATTACH and the initial process of the target container. The process number is used as the first and second parameters; then, the tracking process loads the sandbox policy, and the sandbox policy contains the filtering rules for the parameters of the string type of the target container system call; finally, the tracking process calls waitpid to wait for the target container process. trigger event.

在容器追踪模块启动的同时,通过docker run命令的security-opt seccomp选项,启动系统调用拦截模块;系统调用拦截模块可读入并解析JSON格式的沙盒策略配置文件,如图3所示;然后,将沙盒策略配置文件中的所有规则转化为seccomp/BPF程序,并载入Linux内核。At the same time that the container tracking module is started, the system call interception module is started by the security-opt seccomp option of the docker run command; the system call interception module can read and parse the sandbox policy configuration file in the JSON format, as shown in FIG. 3; Converts all rules in the sandbox policy configuration file to seccomp/BPF and loads the Linux kernel.

步骤3:系统调用拦截模块的执行,其具体实现包括以下子步骤:Step 3: The system calls the execution of the interception module. The specific implementation includes the following sub-steps:

步骤3.1:采用seccomp/BPF技术,在目标容器的系统调用入口,实时拦截目标容器的系统调用访问;Step 3.1: Using seccomp/BPF technology, in the target container's system call entry, intercepting the system call access of the target container in real time;

步骤3.2:系统调用拦截模块根据载入的沙盒策略,限制目标容器的系统调用类型和参数;沙盒策略可以用JSON格式的配置文件描述,如图3所示;沙盒策略具体包含:1)目标容器被允许的系统调用访问类型和参数,即白名单:白名单中的沙盒规则的“action”定义为“SCMP_ACT_ALLOW”操作,即沙盒策略允许定义的系统调用访问;2)目标容器被追踪的系统调用访问类型和参数,即追踪名单:追踪名单中的沙盒规则的“action”定义为“SCMP_ACT_TRACE”,即暂停目标容器运行,发送ptrace事件给追踪进程,从而触发容器追踪模块;3)其他情况下,遵循沙盒策略定义的默认“action”“SCMP_ACT_ERRNO”,即禁止目标容器的系统调用访问,并返回错误值。Step 3.2: The system call interception module limits the system call type and parameters of the target container according to the loaded sandbox policy; the sandbox policy can be described in the JSON format configuration file, as shown in FIG. 3; the sandbox policy specifically includes: The target container is allowed to access the access type and parameters, ie whitelist: the "action" of the sandbox rule in the whitelist is defined as the "SCMP_ACT_ALLOW" operation, ie the sandbox policy allows the defined system call access; 2) the target container The tracked system calls the access type and parameters, that is, the tracking list: the "action" of the sandbox rule in the tracking list is defined as "SCMP_ACT_TRACE", that is, the target container is suspended, and the ptrace event is sent to the tracking process, thereby triggering the container tracking module; 3) In other cases, follow the default "action" "SCMP_ACT_ERRNO" defined by the sandbox policy, which disables the system call access of the target container and returns an error value.

当容器追踪模块被触发后,追踪进程根据沙盒规则,对目标容器系统调用访问的参数进行过滤,具体为:调用Linux系统调用接口ptrace,分别传入PTRACE_GETREGS和PTRACE_PEEKDATA作为第一个参数,从寄存器及内存中读取目标容器进程系统调用的字符串类型参数;根据沙盒策略,对参数执行过滤操作。After the container tracking module is triggered, the tracking process filters the parameters of the target container system call access according to the sandbox rules, specifically: calling the Linux system call interface ptrace, respectively passing PTRACE_GETREGS and PTRACE_PEEKDATA as the first parameter, the slave register And reading the string type parameter of the target container process system call in the memory; performing a filtering operation on the parameter according to the sandbox policy.

然后调用Linux系统调用接口ptrace,传入PTRACE_CONT作为第一个参数,重启暂停的目标容器,等待下次事件的触发。Then call the Linux system call interface ptrace, pass PTRACE_CONT as the first parameter, restart the suspended target container, and wait for the trigger of the next event.

为验证上述细粒度沙盒策略执行方法的性能,分析该方法对Linux容器性能的影响,将该方法用于限制Docker容器的系统调用访问。每一个容器分别以两种形式运行,即采用本方法限制容器的系统调用访问、以及不限制容器的系统调用访问。在容器的两种形式运行过程中,分别测量容器的端到端性能TPS(Transactions Per Second),结果如图4所示。采用本方法限制目标容器的系统调用访问时,产生的额外性能开销几乎可以忽略(1.22%-3.76%)。In order to verify the performance of the above-mentioned fine-grained sandbox policy enforcement method, the impact of the method on the performance of the Linux container is analyzed, and the method is used to limit the system call access of the Docker container. Each container runs in two forms, that is, this method restricts the system call access of the container and does not restrict the system call access of the container. During the two forms of operation of the container, the end-to-end performance TPS (Transactions Per Second) of the container was measured, and the results are shown in FIG. When this method is used to limit the system call access of the target container, the additional performance overhead is almost negligible (1.22%-3.76%).

Claims (6)

一种Linux容器的细粒度沙盒策略执行方法,其特征在于,所述细粒度沙盒策略包含了Linux容器的系统调用类型及参数的访问权限;该Linux容器的细粒度沙盒策略执行方法包括容器追踪模块和系统调用拦截模块;所述容器追踪模块包括追踪进程;该方法包括以下步骤:A fine-grained sandbox policy execution method for a Linux container, characterized in that the fine-grained sandbox policy includes a system call type of a Linux container and access rights of parameters; the fine-grained sandbox policy execution method of the Linux container includes a container tracking module and a system call interception module; the container tracking module includes a tracking process; the method includes the following steps: 步骤1:启动追踪进程;Step 1: Start the tracking process; 步骤2:当目标容器的初始进程启动之后,通过进程间通信,追踪进程从容器运行环境获取目标容器的初始进程的进程号;追踪进程根据目标容器的初始进程的进程号,附着(attach)到目标容器的初始进程;追踪进程读取沙盒策略,获得目标容器系统调用的字符串类型的参数的过滤规则,等待触发事件;同时,系统调用拦截模块读取沙盒策略,并将沙盒策略载入到系统内核;Step 2: After the initial process of the target container is started, through the inter-process communication, the tracking process obtains the process number of the initial process of the target container from the container running environment; the tracking process attaches to the process number of the initial process of the target container. The initial process of the target container; the tracking process reads the sandbox policy, obtains the filtering rules of the string type parameters called by the target container system, waits for the triggering event; meanwhile, the system calls the intercepting module to read the sandbox policy, and the sandbox policy Load into the system kernel; 步骤3:系统调用拦截模块实时拦截目标容器的系统调用访问;并根据Linux容器的系统调用类型及参数的访问权限,限制目标容器的系统调用访问,具体为:Step 3: The system call interception module intercepts the system call access of the target container in real time; and limits the system call access of the target container according to the system call type of the Linux container and the access permission of the parameter, specifically: 如果系统调用访问的类型和参数在沙盒策略定义的白名单中,则沙盒策略允许此次系统调用访问;如果系统调用访问的类型和参数在沙盒策略定义的追踪名单中,暂停目标容器运行,触发容器追踪模块;其他情况下,禁止此次系统调用访问;If the type and parameters of the system call access are in the whitelist defined by the sandbox policy, the sandbox policy allows access by the system call; if the type and parameters of the system call access are in the sandbox policy defined tracking list, the target container is suspended. Run, trigger the container tracking module; in other cases, the system call access is prohibited; 当容器追踪模块被触发后,根据沙盒规则,对目标容器系统调用访问的参数进行过滤。重启该过滤后的目标容器,等待下次事件的触发。After the container tracking module is triggered, the parameters accessed by the target container system are filtered according to the sandbox rules. Restart the filtered target container and wait for the next event to fire. 根据权利要求1所述Linux容器的细粒度沙盒策略执行方法,其特征在于,步骤2所述的附着到目标容器的初始进程,具体是指:调用Linux系统调用接口ptrace,传入PTRACE_ATTACH作为第一个参数。The fine-grained sandbox policy execution method of the Linux container according to claim 1, wherein the initial process attached to the target container in step 2 specifically refers to: calling a Linux system call interface ptrace, and passing PTRACE_ATTACH as the first One parameter. 根据权利要求1所述Linux容器的细粒度沙盒策略执行方法,其特征在于,步骤2所述的系统调用拦截模块读取沙盒策略,并将沙盒策略载入到系统内核,具体是指:读取沙盒策略配置文件,翻译成seccomp/BPF程序并载入Linux内核中运行,用于后续限制目标容器的系统调用行为。The fine-grained sandbox policy execution method for a Linux container according to claim 1, wherein the system call interception module described in step 2 reads a sandbox policy and loads the sandbox policy into the system kernel, specifically : Reads the sandbox policy configuration file, translates it into seccomp/BPF program and loads it into the Linux kernel for subsequent system call behavior limiting the target container. 根据权利要求1所述Linux容器的细粒度沙盒策略执行方法,其特征在于,步骤3所述的实时拦截目标容器的系统调用访问,具体是指:运行中的seccomp/BPF程序实时拦截目标容器的系统调用访问。The fine-grained sandbox policy execution method of the Linux container according to claim 1, wherein the system call access of the real-time interception target container in step 3 is specifically: the seccomp/BPF program in operation intercepts the target container in real time. System call access. 根据权利要求1所述Linux容器的细粒度沙盒策略执行方法,其特征在于,步骤3所述的根据沙盒规则,对目标容器系统调用访问的参数进行过滤, 具体是指:调用Linux系统调用接口ptrace,分别传入PTRACE_GETREGS和PTRACE_PEEKDATA作为第一个参数,从寄存器及内存中读取目标容器进程系统调用访问的字符串类型参数,并根据沙盒策略,对参数执行过滤操作。The fine-grained sandbox policy execution method of the Linux container according to claim 1, wherein the parameter of the target container system call access is filtered according to the sandbox rule, which is specifically: calling the Linux system call. The interface ptrace, respectively, passes PTRACE_GETREGS and PTRACE_PEEKDATA as the first parameter, reads the string type parameter accessed by the target container process system call from the register and the memory, and performs filtering operation on the parameter according to the sandbox policy. 根据权利要求1所述Linux容器的细粒度沙盒策略执行方法,其特征在于,步骤3所述的重启该过滤后的目标容器,具体是指:调用Linux系统调用接口ptrace,传入PTRACE_CONT作为第一个参数。The fine-grained sandbox policy execution method of the Linux container according to claim 1, wherein the restarting the filtered target container according to step 3 specifically refers to: calling a Linux system call interface ptrace, and transmitting PTRACE_CONT as the first One parameter.
PCT/CN2017/119930 2017-12-29 2017-12-29 Fine-grained sandbox policy execution method for linux container Ceased WO2019127399A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/119930 WO2019127399A1 (en) 2017-12-29 2017-12-29 Fine-grained sandbox policy execution method for linux container

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2017/119930 WO2019127399A1 (en) 2017-12-29 2017-12-29 Fine-grained sandbox policy execution method for linux container

Publications (1)

Publication Number Publication Date
WO2019127399A1 true WO2019127399A1 (en) 2019-07-04

Family

ID=67064387

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/119930 Ceased WO2019127399A1 (en) 2017-12-29 2017-12-29 Fine-grained sandbox policy execution method for linux container

Country Status (1)

Country Link
WO (1) WO2019127399A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021234267A1 (en) * 2020-05-20 2021-11-25 Orange Method for securing a system call, method for implementing an associated security policy and devices for carrying out such methods
CN119357947A (en) * 2024-09-30 2025-01-24 上海零数众合信息科技有限公司 Data usage control method, device, equipment and medium
US12332995B2 (en) 2020-10-23 2025-06-17 Red Hat, Inc. Containers system auditing through system call emulation

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102439564A (en) * 2011-10-24 2012-05-02 华为技术有限公司 Method and system for starting application program in linux container
CN102521537A (en) * 2011-12-06 2012-06-27 北京航空航天大学 Detection method and device for hidden process based on virtual machine monitor
WO2013142948A1 (en) * 2012-03-30 2013-10-03 Irdeto Canada Corporation Method and system for preventing and detecting security threats
CN103345604A (en) * 2013-07-16 2013-10-09 湘潭大学 Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102439564A (en) * 2011-10-24 2012-05-02 华为技术有限公司 Method and system for starting application program in linux container
CN102521537A (en) * 2011-12-06 2012-06-27 北京航空航天大学 Detection method and device for hidden process based on virtual machine monitor
WO2013142948A1 (en) * 2012-03-30 2013-10-03 Irdeto Canada Corporation Method and system for preventing and detecting security threats
CN103345604A (en) * 2013-07-16 2013-10-09 湘潭大学 Sandbox system based on light-weight virtual machine monitor and method for monitoring OS with sandbox system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WAN, ZHIYUAN ET AL.: "Mining Sandboxes for Linux Containers", 10TH IEEE INTERNATIONAL CONFERENCE ON SOFTWARE TESTING, VERIFICATION AND VALIDATION, March 2017 (2017-03-01) - 18 May 2017 (2017-05-18), pages 92 - 102, XP055622397 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021234267A1 (en) * 2020-05-20 2021-11-25 Orange Method for securing a system call, method for implementing an associated security policy and devices for carrying out such methods
FR3110726A1 (en) * 2020-05-20 2021-11-26 Orange Method for securing a system call, method for implementing an associated security policy and devices implementing these methods.
US20230195884A1 (en) * 2020-05-20 2023-06-22 Orange Method for securing a system call, method for implementing an associated security policy and devices for carrying out such methods
US12332995B2 (en) 2020-10-23 2025-06-17 Red Hat, Inc. Containers system auditing through system call emulation
CN119357947A (en) * 2024-09-30 2025-01-24 上海零数众合信息科技有限公司 Data usage control method, device, equipment and medium

Similar Documents

Publication Publication Date Title
Schrammel et al. Jenny: Securing syscalls for {PKU-based} memory isolation systems
US10417424B2 (en) Method of remediating operations performed by a program and system thereof
US9774568B2 (en) Computer security architecture and related computing method
EP3123311B1 (en) Malicious code protection for computer systems based on process modification
CN108021807B (en) Fine-grained sandbox strategy execution method of Linux container
EP4095724B1 (en) Method of remediating operations performed by a program and system thereof
EP2902937B1 (en) Method, apparatus, and system for triggering virtual machine introspection
CN111919198B (en) Kernel function callback method and system
CN102521531B (en) Password protection system based on hardware virtualization
CN106055385A (en) System and method for monitoring virtual machine process, and method for filtering page fault anomaly
CN108154032A (en) It is a kind of that the computer system root of trust construction method of memory integrity ensuring is had the function of based on credible performing environment
CN101872400A (en) Establishing a computer information security protection method for judging the security of computer operation requests based on the association relationship of computing system operation requests
CN106228078A (en) A Safe Operation Method Based on Enhanced ROST under Linux
US12380210B2 (en) Analyzing files using a kernel mode of a virtual machine
CN103970574B (en) The operation method and device of office programs, computer system
WO2019127399A1 (en) Fine-grained sandbox policy execution method for linux container
CN103425563B (en) Based on online I/O electronic evidence-collecting system and the evidence collecting method thereof of Intel Virtualization Technology
CN105550574A (en) Side-channel attack evidence collecting system and method based on memory activity
RU2460133C1 (en) System and method of protecting computer applications
CN106778258A (en) A kind of host safety protecting method and device
CN105791221A (en) Method and device for issuing rules
US11663333B2 (en) Cloud-based systems and methods for detecting and removing rootkit
Zhang et al. Reviving Discarded Vulnerabilities: Exploiting Previously Unexploitable Linux Kernel Bugs Through Control Metadata Fields
CN111274582B (en) Transparency-based evidence obtaining effect evaluation method, evidence obtaining analysis device and method
CN110347517A (en) The communication means and computer readable storage medium of dual system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17936127

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17936127

Country of ref document: EP

Kind code of ref document: A1