Computer Science ›› 2024, Vol. 51 ›› Issue (6): 399-408. doi: 10.11896/jsjkx.230200099

• Information Security •

N-variant Architecture for Container Runtime Security Threats (Chinese title: 面向容器运行时安全威胁的N变体架构)

LIU Daoqing (刘道清)1, HU Hongchao (扈红超)1,2, HUO Shumin (霍树民)1,2

  1 Institute of Information Technology, University of Information Engineering, Zhengzhou 450000
  2 Purple Mountain Laboratories, Nanjing 210000
  • Received: 2023-02-15  Revised: 2023-06-14  Online: 2024-06-15  Published: 2024-06-05
  • Corresponding author: HU Hongchao (13633833568@139.com)
  • About author: (qlink_yiye@163.com)
  • Supported by:
    National Natural Science Foundation of China (62072467, 62002383); National Key Research and Development Program of China (2021YFB1006200, 2021YFB1006201)

N-variant Architecture for Container Runtime Security Threats

LIU Daoqing1, HU Hongchao1,2, HUO Shumin1,2

  1 Institute of Information Technology, University of Information Engineering, Zhengzhou 450000, China
  2 Purple Mountain Laboratories, Nanjing 210000, China
  • Received: 2023-02-15  Revised: 2023-06-14  Online: 2024-06-15  Published: 2024-06-05
  • About author: LIU Daoqing, born in 1996, postgraduate. His main research interests include container cloud and active defense.
    HU Hongchao, born in 1982, professor. His main research interests include cloud computing and network security.
  • Supported by:
    National Natural Science Foundation of China (62072467, 62002383) and National Key Research and Development Program of China (2021YFB1006200, 2021YFB1006201).

Abstract (translated from the Chinese): Container technology has promoted the development of cloud computing through its lightweight and scalable nature, but security threats against the container runtime are increasingly serious. Existing techniques such as intrusion detection and access control cannot effectively counter attacks that exploit the container runtime to achieve container escape. To address these threats, this paper combines the redundancy and diversity methods of N-variant systems and proposes an N-variant architecture for container runtime security threats; a voting algorithm based on historical information raises voting accuracy, and two-stage voting and scheduling strategies optimize the quality of service of container applications. Finally, a prototype system is built; test results show that its performance loss is within an acceptable range and that the system's attack surface is reduced to a certain extent, thereby enhancing the security of container applications.

Keywords (translated from the Chinese): Container security, Cloud computing, N-variant, Container runtime, Scheduling

Abstract: Container technology has promoted the development of cloud computing with its lightweight and scalability advantages, but security threats against the container runtime are increasingly serious. Existing intrusion detection and access control technologies cannot effectively deal with attacks that abuse the container runtime to achieve container escape. First, this paper proposes an N-variant architecture for container runtime security threats, combining the redundancy and diversity methods of N-variant systems. Second, a voting algorithm based on historical information improves voting accuracy. In addition, the service quality of container applications is optimized through two-stage voting and scheduling strategies. Finally, a prototype system is built. Test results show that the performance loss of the prototype system is within an acceptable range and that the attack surface of the system is reduced to a certain extent, thus achieving the purpose of enhancing the security of container applications.
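As an added illustration of the voting step the abstract describes (this is not the paper's code, and the paper's actual algorithm and prototype are not specified on this page), the following Python models N diversified container-runtime variants answering the same request: a first stage accepts a strict majority of identical outputs, and a second stage, used only when the majority is ambiguous, weights each candidate output by the variants' historical agreement rate. The variant identifiers, the Laplace smoothing of the reliability estimate and the sample outputs are all constructed assumptions.

```python
"""Added example: two-stage N-variant voting with history-weighted tie-break.

Assumed design (not from the page): every variant serves the same request,
a divergent output marks that variant as a dissenter for the operator to
inspect, and a variant's past agreement rate is used as its weight when the
plain majority cannot decide."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class VariantHistory:
    """How often a variant's output matched the accepted result."""
    agreed: int = 0
    total: int = 0

    @property
    def reliability(self) -> float:
        # Laplace smoothing (assumption): a variant with no history starts at 0.5
        return (self.agreed + 1) / (self.total + 2)


class HistoryVoter:
    """Two-stage voter over the outputs of N diversified variants (assumed design)."""

    def __init__(self, variant_ids: List[str]):
        self.history: Dict[str, VariantHistory] = {v: VariantHistory() for v in variant_ids}

    def vote(self, outputs: Dict[str, bytes]) -> Tuple[Optional[bytes], List[str]]:
        """Return (accepted output or None, ids of dissenting variants).

        Stage 1: accept a strict majority of identical outputs.
        Stage 2: otherwise score each distinct output by the summed historical
                 reliability of the variants that produced it; a remaining tie
                 means no output is trusted and nothing is released."""
        counts = Counter(outputs.values())
        top = max(counts.values())
        leaders = [o for o, c in counts.items() if c == top]
        if len(leaders) == 1 and 2 * top > len(outputs):
            winner = leaders[0]
        else:
            score: Dict[bytes, float] = defaultdict(float)
            for vid, out in outputs.items():
                score[out] += self.history[vid].reliability
            best = max(score.values())
            best_outs = [o for o, s in score.items() if s == best]
            if len(best_outs) != 1:
                # still ambiguous: fail closed, report every variant, keep history untouched
                return None, sorted(outputs)
            winner = best_outs[0]
        # update the agreement record only when a result was actually accepted
        for vid, out in outputs.items():
            h = self.history[vid]
            h.total += 1
            if out == winner:
                h.agreed += 1
        dissenters = sorted(vid for vid, out in outputs.items() if out != winner)
        return winner, dissenters


if __name__ == "__main__":
    voter = HistoryVoter(["variant-1", "variant-2", "variant-3"])
    # constructed sample: one variant answers differently from the other two
    print(voter.vote({"variant-1": b"HTTP 200", "variant-2": b"HTTP 200", "variant-3": b"HTTP 500"}))
```

A dissenting variant is a signal for the operator, not a verdict: it may be compromised or merely faulty, and the natural follow-up is to quarantine its output and reschedule or replace that variant. Failing closed on a residual tie is a deliberate choice; releasing a low-confidence result would defeat the purpose of running N variants.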

Key words: Container safety, Cloud computing, N variant, Container runtime, Dispatch

CLC number: TP393.08