Method for obtaining system call white list required by container


Active Publication Date: 2020-09-11
PEKING UNIV
4 Cites, 5 Cited by

Embodiment

[0078] A user downloaded a container from Docker Hub, but it is not clear whether the application running in the container is credible and safe, so the user wants to limit the system calls that can be called by the container as much as possible without affecting the normal function of the container. Then the user can use the present invention to obtain the system calls needed by the container, and then add these system calls to the container's seccomp configuration file whitelist, and use the configuration file as the container's system call whitelist when the container is actually started.


Abstract

The invention discloses a method for obtaining the system call white list required by a container, which comprises the following steps: 1) when the container is started, obtain the system call set A that must be added to the system call white list and the set B of ELF executable files invoked while the container runs, and add set A to the system call white list; and 2) based on the ELF executable file set B obtained in step 1), perform static analysis on the container to obtain the system call set S required while the application in the container runs, and add set S to the system call white list. The method obtains the system call white list by combining dynamic analysis and static analysis; compared with the default Docker configuration, the number of permitted system calls is reduced by 69.27%-85.89%, improving both security and operating efficiency.
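The embodiment above and the abstract both describe the same workflow: collect the start-up syscall set A dynamically, the run-time set S from static analysis of the ELF files, take their union, and write the result into a seccomp profile that Docker loads at container start. The following Python script is an added illustration of that last step and of how a defender can check the resulting profile; it is not code from the patent. The two input sets, the baseline count of 100 used for the reduction figure, and the later-run trace are all constructed sample values, and the collection of A and S (tracing at start, scanning the ELF binaries) is assumed to have already happened.

```python
import json

# Constructed sample input (not from the patent): syscalls observed while
# the container starts (set A, dynamic phase).
DYNAMIC_STARTUP_SYSCALLS = {
    "execve", "brk", "arch_prctl", "mmap", "openat", "read", "close", "exit_group",
}

# Constructed sample input: syscalls found by static analysis of the ELF
# executables the container runs (set S).
STATIC_ELF_SYSCALLS = {
    "read", "write", "openat", "close", "fstat", "mmap", "munmap",
    "socket", "bind", "listen", "accept4", "epoll_wait", "exit_group",
}


def build_seccomp_profile(dynamic, static, arch="SCMP_ARCH_X86_64"):
    """Union the dynamic set A and static set S into a Docker-style seccomp
    profile: everything not on the list fails with an errno rather than being
    allowed by default."""
    names = sorted(set(dynamic) | set(static))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW", "args": []}],
    }


def allowed_syscalls(profile):
    """Collect every syscall name the profile explicitly allows."""
    return {
        name
        for rule in profile["syscalls"]
        if rule["action"] == "SCMP_ACT_ALLOW"
        for name in rule["names"]
    }


def reduction_percent(profile, baseline_count):
    """Percentage of the baseline (e.g. Docker's default allow list) that the
    generated profile no longer permits. baseline_count is supplied by the
    caller; the number is not taken from the patent."""
    return round(100.0 * (1 - len(allowed_syscalls(profile)) / baseline_count), 2)


def audit_trace(profile, observed):
    """Given syscall names observed in a later test run of the container,
    return the ones the profile would reject. A non-empty result means the
    white list is incomplete for that workload and would break it."""
    return sorted(set(observed) - allowed_syscalls(profile))


def write_profile(profile, path):
    """Persist the profile so it can be passed to docker run via
    --security-opt seccomp=<path>."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(profile, fh, indent=2)
    return path


if __name__ == "__main__":
    profile = build_seccomp_profile(DYNAMIC_STARTUP_SYSCALLS, STATIC_ELF_SYSCALLS)
    print(f"{len(allowed_syscalls(profile))} syscalls allowed")
    # 100 is a constructed baseline, not Docker's real default count.
    print(f"reduction vs. constructed baseline of 100: {reduction_percent(profile, 100)}%")
    # Constructed later-run trace: two syscalls the white list never saw.
    print("rejected in test run:", audit_trace(profile, {"read", "ptrace", "mount"}))
    write_profile(profile, "container-seccomp.json")
```

The `audit_trace` check is the part worth keeping in a pipeline: the static phase can miss syscalls reached only through dynamically loaded code, so running the container under the generated profile with a representative workload and diffing the observed syscalls against the allow list is how a practitioner confirms the white list is tight without being too tight.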

Description

Technical field

[0001] The invention belongs to the field of container security and relates to a method for obtaining the system call whitelist required by a container, in which static analysis and dynamic analysis are combined to derive the whitelist of system calls the container needs.

Background technique

[0002] Container technology is used to run multiple independent operating system distributions on one host or to deploy large-scale microservice-based applications. Compared with traditional virtual-machine-based virtualization, containers start faster, consume fewer resources and achieve higher I/O throughput. Cloud computing vendors use container-based technology to build Platform as a Service (PaaS) offerings or to provide customized container services directly to users. With the widespread adoption of cloud computing, container-based virtualization has developed greatly in recent years. Academia and industry have p...


Application Information

IPC (8): G06F21/53, G06F9/445, G06F9/48, G06F9/448, G06F8/61
CPC: G06F21/53, G06F9/4451, G06F9/4843, G06F9/4482, G06F8/61
Inventor 沈晴霓王旭豪罗武方跃坚杨雅辉
Owner PEKING UNIV