一种基于虚拟机自省的安全容器管理方法  

作　　者：黄子龙 詹东阳 叶麟[1] 张宏莉[1] HUANG Zilong;ZHAN Dongyang;YE Lin;ZHANG Hongli(School of Cyberspace Science,Harbin Institute of Technology,Harbin 150001,China)

机构地区：[1]哈尔滨工业大学网络空间安全学院,哈尔滨150001

出　　处：《信息网络安全》2022年第11期55-61,共7页Netinfo Security

基　　金：国家自然科学基金(61872111);国家重点研发计划(2021YFB2012402)。

摘　　要：随着容器的发展,基于容器的云原生被广大云服务商应用。相较于虚拟机,容器更加轻量,但是容器面临着隔离能力不足的问题,如果攻击者从虚拟机内容器中逃逸,运行于虚拟机内的容器管理工具也可能受到攻击,不再可信。文章提出一种基于虚拟机自省的安全容器管理方法来管理虚拟机内容器,该方法可以在虚拟机外自动获取并更改虚拟机内容器的执行状态。由于管理工具在虚拟机管理层中运行,因此即使虚拟机被攻击者控制,虚拟机也是安全的。为了实现自动干预目标容器的执行状态,文章提出一种无客户端的系统调用注入方法,可以高效地重用目标虚拟机的系统调用。此外,文章提出一种高性能的内核保护和恢复方法,用于在不可信虚拟机操作系统中正确执行管理操作。实验结果表明,文章提出的方法可以执行常见的容器管理操作。With the development of containers,container-based cloud native has been popularized by cloud service providers.Compared with virtual machines,containers are lighter,but exists the problem of insufficient isolation capability.However,if the attacker escapes from the container inside the virtual machine,the container management tools running inside the virtual machine may also be attacked and can no longer be trusted.This paper proposed a secure container management method based on virtual machine introspection to manage the container in the virtual machine,which could automatically obtain and change the execution state of the container in the virtual machine from the hypervisor layer.Since the management tool run in the virtual machine monitor layer,it is secure even if the virtual machine is controlled by an attacker.In order to automatically control the execution state of the target container,this paper proposed a clientless system call injection method,which could efficiently reuse the system calls of the target virtual machine.Furthermore,a high-performance kernel protection and recovery method for performing management operations in untrusted virtual machine operating systems was proposed.Experimental results show that our approach can perform lots of common container management operations.

关 键 词：容器管理 基于虚拟机的容器 系统调用复用 虚拟机自省 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]