Authors: 邢云龙, 严飞[1], 刘彦孝, 张立强[1] (XING Yunlong; YAN Fei; LIU Yanxiao; ZHANG Liqiang; Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China)
Affiliation: [1] Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China
Source: Journal of Wuhan University (Natural Science Edition), 2022, No. 1, pp. 35-43 (9 pages)
Funding: National Natural Science Foundation of China (61272452); National Key Basic Development Program (2014CB340601); Key R&D Program of Hubei Province (2020BAA003); Suzhou Prospective Application Research Project (SYG201845).
Abstract: Existing solutions for restricting container system calls suffer from incomplete system call lists and poor automation. This paper proposes a container security protection scheme based on system call restriction that automatically customizes the required system call whitelist for any given Docker image, thereby reducing the attack surface. To handle the complex organization of the image's layered file system and the difficulty of recovering the relationships between layers, the scheme analyzes the image configuration file to establish a one-to-one correspondence between Dockerfile commands and image layers, and extracts the target binaries from the image. Because the way system call numbers are passed in the standard library is complex, identifying system calls is difficult; the scheme therefore defines matching patterns and uses a backtracking method to determine the value of the specified register. To address the path explosion and call-node loops caused by complex call relationships when constructing the mapping table, a function mapping relation extraction algorithm based on an adjacency matrix is proposed to represent the call relationships. To evaluate the effectiveness of the scheme, 50 widely used Docker images were selected and a required system call whitelist was customized for each. The experimental results show that all images run normally and that the average number of system calls required is 127. For system-call-related software vulnerabilities from the past 6 years, about 70% of the common vulnerabilities and exposures (CVEs) are directly blocked once the whitelist is applied.
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]