检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
作 者:胥柯 张新有[1] 栗晓晗 Xu Ke;Zhang Xinyou;Li Xiaohan(School of Computing and Artificial Intelligence Southwest Jiaotong University,Chengdu 611756)
机构地区:[1]西南交通大学计算机与人工智能学院,成都611756
出 处:《信息安全研究》2022年第8期768-776,共9页Journal of Information Security Research
基 金:国家自然科学基金项目(61802319)。
摘 要:Docker的使用越来越普及,但是对于影响Docker安全的容器逃逸问题缺少对应的防护措施.为降低Docker容器逃逸问题所带来的危害,提出CFMAC(containers based on fuzzy mandatory access control)模型对Docker容器进行安全加固.该模型使用强制访问控制限制逃逸后可疑进程的访问,同时为解决强制访问控制中实体安全级别难确定和主观性较强问题,采用模糊聚类分析与风险矩阵分析法相结合,将主客体分为secret,general,public这3个等级,利用LSM(Linux security model)进行安全校验.测试结果表明:该模型可成功限制可疑进程对文件的访问.Docker is widely used in network application systems.However,there are not enough corresponding protection measures for the relatively low frequency but fatal escape problem.In order to reduce the harm of the docker escape problems,CFMAC(container based on fuzzy mandatory access control)model is proposed to reinforce the security of the Docker container.The model uses mandatory access control to restrict the attacker’s access after Evasion Attacks.As well as,in order to solve the problem of hard to determine the entity security level and strong subjectivity in mandatory access control,fuzzy clustering analysis and risk matrix analysis are combined to divide the subject and object into three levels:secret,general and public,to intercept access and enter security verification by LSM(Linux security model).The test results show that the model can successfully restrict suspicious processes to access files.
关 键 词:Docker容器逃逸 强制访问控制 模糊聚类 风险矩阵分析 Linux安全模型
分 类 号:TP316.1[自动化与计算机技术—计算机软件与理论]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:3.144.84.11
