Fine-grained sandbox policy mining method for Linux container

A container sandbox technology in the computer field that reduces the attack surface of a Linux container by restricting its system calls

Inactive Publication Date: 2018-06-15
ZHEJIANG UNIV

AI Technical Summary

Problems solved by technology

Relevant research focuses on the specific implementation methods of sandbox technology and the security of system call



Embodiment Construction

[0026] In order to facilitate those of ordinary skill in the art to understand and implement the present invention, the present invention will be further described in detail below in conjunction with the accompanying drawings and implementation examples. It should be understood that the described implementation examples are only used to illustrate and explain the present invention, and should not limit the scope of the present invention.

[0027] The invention proposes a fine-grained sandbox policy mining method for Linux containers. Specifically, the sandbox policy mining method exercises the behavior of the target container through automated testing, monitors and records the system call behavior of the target container, extracts the system call behavior characteristics of the target container, and generates a fine-grained sandbox policy that restricts the system call access of the target container. The fine-grained sandbox policy restricts the system call types and param...


Abstract

The present invention provides a fine-grained sandbox policy mining method for a Linux container, which automatically mines and generates a customized sandbox policy for a target container. The policy complies with the principle of least privilege and reduces the attack surface by limiting the system call types and parameters of the target container. The method comprises that: a container behavior monitoring control module starts a Linux system monitoring tool and monitors and records the system call behavior of the target container in real time; a container automation test module runs the test cases of the target container and exercises the functions of the target container; and a sandbox policy generation module extracts the system call behavior characteristics of the target container from the recorded monitoring data and converts those characteristics into a sandbox policy.
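The pipeline described in the abstract and in paragraph [0027] (record system calls during tests, extract the observed types and parameters, emit a least-privilege policy) as an added example in Python; this is not the patent's own code. It assumes strace-style trace lines as the monitoring data (constructed here) and a Docker seccomp profile as the policy format; which first arguments get pinned is an assumption of the example.

```python
import json
import re
from collections import defaultdict

# Constructed stand-in for the recorded monitoring data (strace-style lines);
# not output from the patent's own tooling.
TRACE_LOG = """\
101 openat(AT_FDCWD, "/etc/hosts", O_RDONLY) = 3
101 read(3, "127.0.0.1 localhost\\n", 4096) = 20
101 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
101 socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP) = 5
102 clone(child_stack=NULL, flags=CLONE_VM|SIGCHLD) = 103
101 exit_group(0) = ?
"""
# One strace record: "<pid> <name>(<args>) = <result>"
LINE_RE = re.compile(r"^\d+\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*.*$")

# seccomp compares arguments numerically; Linux values for socket() domains.
SOCKET_DOMAIN = {"AF_UNIX": 1, "AF_INET": 2, "AF_INET6": 10}
# Syscalls whose first argument gets pinned to observed values (assumption for this example).
PINNED_ARG0 = {"socket": SOCKET_DOMAIN}

def extract_features(log):
    """Behavior characteristics: {syscall name: set of observed first-argument symbols}."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not syscall records
        arg0 = m.group("args").split(",")[0].strip()
        seen[m.group("name")].add(arg0)
    return seen

def build_seccomp_profile(features):
    """Convert the characteristics into a deny-by-default Docker seccomp profile."""
    rules = []
    for name in sorted(features):
        table = PINNED_ARG0.get(name)
        if not table:
            rules.append({"names": [name], "action": "SCMP_ACT_ALLOW"})
            continue
        # Rules are ORed by seccomp, so emit one rule per observed argument value.
        for sym in sorted(features[name]):
            rules.append({"names": [name], "action": "SCMP_ACT_ALLOW",
                          "args": [{"index": 0, "value": table[sym], "op": "SCMP_CMP_EQ"}]})
    return {"defaultAction": "SCMP_ACT_ERRNO", "syscalls": rules}

if __name__ == "__main__":
    print(json.dumps(build_seccomp_profile(extract_features(TRACE_LOG)), indent=2))
```

A policy mined this way is only as complete as the test cases that drove the container: any syscall or argument value the tests never exercised is denied at runtime.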

Description

Technical field

[0001] The invention belongs to the field of computer technology and relates to cloud computing security. More specifically, the invention relates to a fine-grained sandbox policy mining method for Linux containers.

Background technique

[0002] Linux container technology uses namespaces to isolate resources such as processes, files, and devices, providing users with almost native performance and greatly reducing the additional overhead of virtualization. Docker is one of the most representative Linux container technologies.

[0003] The security issues of Linux containers have become an important factor limiting their widespread use. The main source of security problems is that the system call interface does not implement namespace isolation: containers on the same host operating system share the system call interface. Attackers can use the system call interface to exploit kernel ...


Application Information

IPC: G06F21/53, G06F9/455
CPC: G06F9/45558, G06F21/53, G06F2009/45591
Inventors: 蔡亮, 万志远, 王新宇, 夏鑫, 杨小虎, 李善平
Owner ZHEJIANG UNIV