Execution method for fine-grained sandbox strategy of Linux containers

A fine-grained policy-enforcement technique for Linux containers that reduces the attack surface without adding significant performance overhead

Active Publication Date: 2018-05-11
ZHEJIANG UNIV

AI Technical Summary

Problems solved by technology

[0005] However, even with sandboxes built on system call interception, enforcing fine-grained sandbox policies for Linux containers, that is, filtering system call parameters of string type, remains extremely challenging.


Embodiment Construction

[0026] To help those of ordinary skill in the art understand and implement the present invention, it is described in further detail below with reference to the accompanying drawings and implementation examples. The described examples serve only to illustrate and explain the invention and do not limit its scope.

[0027] The invention proposes a fine-grained sandbox policy enforcement method for Linux containers. The policy is enforced at the system call level. Fine-grained means that both the system call types and the system call parameters of the container are restricted, where a parameter may be of string type or of non-string type. This hardens the Linux container.

[0028] The method comprises a container tracking module and a system call interception module, as shown in figure 1. The container tracking module can...


Abstract

The invention provides an enforcement method for fine-grained sandbox policies for Linux containers. The system call behaviour of a Linux container is restricted, its attack surface is reduced, and the container is hardened. In the method, a container tracking module invokes the ptrace system call interface to trace the execution of the target containers and, according to the rules defined by the sandbox policy, filters system call accesses whose parameters are of string type. A system call interception module uses seccomp/BPF to intercept the system call accesses of the target containers in real time and, according to the rules defined by the sandbox policy, filters the system call types and the system call accesses whose parameters are of non-string type.

Description

Technical field

[0001] The invention belongs to the field of computer technology and relates to cloud computing security. More specifically, it relates to a fine-grained sandbox policy enforcement method for Linux containers.

Background technique

[0002] Linux container technology uses namespaces to isolate resources such as processes, files and devices, giving users near-native performance and greatly reducing the additional overhead of virtualization. Docker is one of the most representative Linux container technologies.

[0003] The security of Linux containers has become an important factor limiting their widespread use. The main source of security problems is that the system call interface is not namespace-isolated: containers on the same host operating system share the system call interface, and attackers can use it to exploit kernel...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/53
CPC: G06F21/53
Inventors: 万志远, 蔡亮, 王新宇, 夏鑫, 杨小虎, 李善平
Owner ZHEJIANG UNIV