Condo: Enhancing Container Isolation Through Kernel Permission Data Protection
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 6-10-2024, DOI: 10.1109/tifs.2024.3411915
Shouyin Xu, Yuewu Wang, Lingguang Lei, Kun Sun, Jiwu Jing, Siyuan Ma, Jie Wang, Heqing Huang
Container technology is widely adopted due to features such as its light weight and ease of rapid deployment. However, as an OS-level virtualization mechanism, container isolation relies on the kernel's security mechanisms and on the kernel permission data (usually non-control-flow data) that these mechanisms consult. None of the existing mitigation schemes for non-control-flow data attacks provides an effective and practical solution for container security: they either incur too much overhead, are effective only against attacks launched in specific ways, or can only protect some specific kernel data. In addition, none of them accurately identifies the kernel data associated with container isolation. In this paper, we provide a solution called Condo that enhances container isolation by protecting the associated kernel permission data. We first present a generic non-control-flow kernel data protection mechanism that protects different types of kernel data uniformly with low overhead and is not limited to particular attack methods or data types. We then demystify the models of the various kernel access control mechanisms in the container environment and identify the subject and object permission data that are critical to container isolation. Finally, we build Condo on this mechanism and data set to enhance container isolation; Condo is completely transparent to the existing container ecosystem, including containerized applications and container management/orchestration tools such as Docker. Experimental results show that Condo can effectively reduce compromises of container isolation caused by memory corruption attacks, with acceptable overhead.

Updated: 2024-08-22