A Trusted Runtime Monitoring Method Based on eBPF for Container


Authors: HUANG Ke, LI Xuan, ZHOU Qingfei, SHANG Ketong, QIN Yu

Affiliations: [1] Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; [2] China Greatwall Technology Group Co., Ltd., Shenzhen 518028, China

Published in: Netinfo Security (信息网络安全), 2025, Issue 2, pp. 306-326 (21 pages)

Funding: Ministry of Industry and Information Technology High-Quality Special Project, Management Module Project B [2023-11]; National Key R&D Program of China [2022YFB4501500, 2022YFB4501501].

Abstract: With the development of cloud service technology, more and more applications are migrated to the cloud in the form of containers, and container security monitoring has become a research hotspot. Containers are lightweight, fast to deploy and easy to port, but their weak isolation exposes them to many security problems, such as container escape attacks, container image poisoning and kernel vulnerability exploitation. To address these threats, this paper proposes a container runtime security monitoring scheme that uses eBPF system monitoring technology together with a BMC root of trust, static image analysis, a general policy engine and runtime attestation. The eBPF-based monitoring program in the scheme identifies and monitors container behaviour events such as process, capability, file and network activity. The scheme designs fine-grained container security policies and, using a system call whitelist obtained by static analysis of the container image, detects abnormal container behaviour, protecting container security from multiple dimensions. The scheme also designs and implements a runtime attestation protocol based on the BMC root of trust: the trusted computing module (TPM) integrated in the BMC serves as the root of trust, and its attestation ensures the integrity and authenticity of the alarm log generated from eBPF monitoring events. Experiments show that the monitoring server can monitor the running state of various types of containers over a long period and take timely countermeasures against abnormal security events.

Keywords: container security; eBPF; runtime monitoring; BMC root of trust; remote attestation

Classification: TP309 [Automation and Computer Technology: Computer System Architecture]
