
Call path analysis method for security container

A security-oriented call path analysis technology, applied in the field of container security. It addresses the problem of systematically finding paths that break through sandbox isolation, and yields paths whose accuracy and triggerability are assured, using a highly available and reliable analysis technique.

Pending Publication Date: 2022-05-27
ZHEJIANG UNIV


Problems solved by technology

Although some related work has found attacks on gVisor secure containers, limited by the complex system call implementation and the related function call paths in sentry, the gVisor application kernel, no work has been able to systematically analyze and break through the sandbox isolation way of


Embodiment Construction

[0022] The invention discloses a call path analysis method oriented to secure containers; the steps are as follows:

[0023] Step 1: Use the kernel performance analysis tool perf to insert a probe point at the system call entry function in the kernel of the host operating system.

[0024] Step 2: Use the fuzzing tool syzkaller to continuously create and execute a large number of test cases inside the gVisor container sandbox.

[0025] Step 3: At the same time as Step 2, use perf to monitor the triggering of the probe point from Step 1 by the container sandbox process, collecting the call paths that trigger it.

[0026] Step 4: Filter the collection of paths gathered in Step 3, selecting the paths that are triggered by application system calls inside the container sandbox.

[0027] In Step 1, the host operating system kernel is the Linux kernel, and the kernel function at which the probe point is placed is the Linux system call entry function. This function is called when the process in the ...


Abstract

The invention discloses a call path analysis method oriented to secure containers, comprising the following steps: inserting a probe point at the system call entry function in the host operating system kernel using the kernel performance analysis tool perf; continuously creating and executing a large number of test cases in a gVisor container sandbox using the fuzzing tool syzkaller; and, at the same time, using perf to monitor the triggering of the probe point from the first step by the container sandbox process. The method combines the fuzzing tool syzkaller with the kernel performance analysis tool perf and is therefore simple and easy to implement. It uses dynamic analysis to automatically discover the paths in a gVisor container through which an application can trigger system calls issued by the application kernel sentry, and so break through sandbox isolation. This solves the analysis difficulty caused by the complex function calls inside gVisor and ensures the accuracy and triggerability of the paths obtained.
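The steps in the Embodiment Construction and the Abstract above end with a collection of raw probe hits that still has to be turned into call paths and filtered (Steps 3 and 4). The script below is an added example of that post-processing, not code from the patent or from the gVisor or perf projects. It parses the text that `perf script` prints for a call-graph recording and keeps only hits made by the sandbox process whose user-space stack passes through a sentry system call handler. Everything it assumes is marked in the code: the probed symbol `do_syscall_64` with its `nr` argument (the 64-bit syscall entry function on x86-64 Linux; the exact symbol and whether `nr` can be captured depend on kernel version and debuginfo), the sandbox process name `runsc-sandbox`, the Go symbol prefix `gvisor.dev/gvisor/pkg/sentry/syscalls/linux.` for sentry handlers, and a constructed `perf script` excerpt whose frame names are illustrative rather than a real capture.

```python
"""Post-process `perf script` output into sentry -> host-syscall call paths (Steps 3 and 4).

Assumed recording commands (adjust the probed symbol to your kernel):
  perf probe -a 'do_syscall_64 nr'                                        # Step 1
  perf record -e probe:do_syscall_64 -g -p "$(pgrep -f runsc-sandbox)"     # Step 3
  perf script > perf.txt
while syzkaller runs inside the gVisor sandbox (Step 2).
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SANDBOX_COMM = "runsc-sandbox"  # assumed comm of the gVisor sandbox (sentry) process
# Assumed Go symbol prefix of sentry's Linux syscall handlers: a stack containing
# such a frame was triggered by an application system call inside the sandbox.
SENTRY_SYSCALL_PREFIX = "gvisor.dev/gvisor/pkg/sentry/syscalls/linux."

HEADER_RE = re.compile(r"^(?P<comm>\S+)\s+(?P<pid>\d+)/(?P<tid>\d+)\s+\[\d+\]\s+[\d.]+:\s+(?P<event>\S+):\s*(?P<args>.*)$")
FRAME_RE = re.compile(r"^\s+[0-9a-f]+\s+(?P<sym>.*?)(?:\+0x[0-9a-f]+)?\s+\((?P<dso>[^)]*)\)\s*$")
NR_RE = re.compile(r"\bnr=(-?\d+)")


@dataclass
class Sample:
    comm: str
    pid: int
    tid: int
    event: str
    args: str
    frames: list = field(default_factory=list)  # (symbol, dso), innermost first


def parse_perf_script(text):
    """Split `perf script` call-graph output into samples; a blank line ends a chain."""
    samples, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Sample(m["comm"], int(m["pid"]), int(m["tid"]), m["event"], m["args"])
            samples.append(cur)
            continue
        m = FRAME_RE.match(line)
        if m and cur is not None:
            cur.frames.append((m["sym"], m["dso"]))
    return samples


def extract_path(sample):
    """Path (sentry syscall handler -> ... -> host syscall nr) for an
    application-triggered hit, or None for hits that are not of interest."""
    if sample.comm != SANDBOX_COMM:  # Step 3: only the sandbox process
        return None
    user = [sym for sym, dso in sample.frames if dso != "[kernel.kallsyms]"]
    handlers = [i for i, sym in enumerate(user) if sym.startswith(SENTRY_SYSCALL_PREFIX)]
    if not handlers:  # Step 4: drop Go runtime / sentry housekeeping syscalls
        return None
    chain = reversed(user[: handlers[-1] + 1])  # outermost handler -> innermost frame
    m = NR_RE.search(sample.args)
    return tuple(chain) + (f"host_syscall({m.group(1) if m else '?'})",)


def collect_paths(text):
    """Deduplicated paths with hit counts: the result of Step 4."""
    counts = Counter()
    for sample in parse_perf_script(text):
        path = extract_path(sample)
        if path is not None:
            counts[path] += 1
    return counts


# Constructed `perf script` excerpt (addresses and symbol names are illustrative).
SAMPLE = """\
runsc-sandbox  4321/4330 [002]  1200.000100: probe:do_syscall_64: (ffffffff81002c00) nr=1
        ffffffff81002c00 do_syscall_64+0x0 ([kernel.kallsyms])
                  47f4a3 syscall.Syscall6+0x23 (/usr/local/bin/runsc)
                  9a12f0 gvisor.dev/gvisor/pkg/sentry/fsimpl/host.(*fileDescription).Write+0xa0 (/usr/local/bin/runsc)
                  b1e2a0 gvisor.dev/gvisor/pkg/sentry/syscalls/linux.Write+0x1c5 (/usr/local/bin/runsc)
                  a0b1c0 gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run+0x210 (/usr/local/bin/runsc)

runsc-sandbox  4321/4335 [000]  1200.000200: probe:do_syscall_64: (ffffffff81002c00) nr=230
        ffffffff81002c00 do_syscall_64+0x0 ([kernel.kallsyms])
                  46a1b0 runtime.usleep+0x3a (/usr/local/bin/runsc)
                  45c2d0 runtime.sysmon+0x1f0 (/usr/local/bin/runsc)

syz-executor  5000/5000 [001]  1200.000300: probe:do_syscall_64: (ffffffff81002c00) nr=1
        ffffffff81002c00 do_syscall_64+0x0 ([kernel.kallsyms])
                  401a2b [unknown] (/syz-executor)

runsc-sandbox  4321/4332 [003]  1200.000400: probe:do_syscall_64: (ffffffff81002c00) nr=16
        ffffffff81002c00 do_syscall_64+0x0 ([kernel.kallsyms])
                  47f4a3 syscall.Syscall6+0x23 (/usr/local/bin/runsc)
                  9b33c0 gvisor.dev/gvisor/pkg/sentry/fsimpl/host.(*fileDescription).Ioctl+0x5c (/usr/local/bin/runsc)
                  b2f1d0 gvisor.dev/gvisor/pkg/sentry/syscalls/linux.Ioctl+0x88 (/usr/local/bin/runsc)

runsc-sandbox  4321/4330 [002]  1200.000500: probe:do_syscall_64: (ffffffff81002c00) nr=1
        ffffffff81002c00 do_syscall_64+0x0 ([kernel.kallsyms])
                  47f4a3 syscall.Syscall6+0x23 (/usr/local/bin/runsc)
                  9a12f0 gvisor.dev/gvisor/pkg/sentry/fsimpl/host.(*fileDescription).Write+0xa0 (/usr/local/bin/runsc)
                  b1e2a0 gvisor.dev/gvisor/pkg/sentry/syscalls/linux.Write+0x1c5 (/usr/local/bin/runsc)
                  a0b1c0 gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run+0x210 (/usr/local/bin/runsc)
"""

if __name__ == "__main__":
    for path, n in collect_paths(SAMPLE).most_common():
        print(f"{n:3d}x  " + " -> ".join(path))
```

On the constructed excerpt the two hits from the Go runtime's `sysmon` thread and the hit made by the fuzzer process itself are discarded; what remains is one write path seen twice and one ioctl path seen once, each reported from the sentry handler that the application's system call entered down to the host system call number that left the sandbox. The user-space frames are only present if the sentry binary keeps frame pointers (Go does on amd64) and perf can resolve its symbols, so check that `perf script` shows named `gvisor.dev/...` frames before trusting an empty result.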

Description

Technical field

[0001] The invention relates to the field of container security, and in particular to a call path analysis method oriented to secure containers.

Background technique

[0002] The gVisor secure container is a new container technology designed for security. It builds a container sandbox and runs the application inside it. System calls issued by the application in the sandbox are redirected to sentry, a program that also runs in the sandbox, which handles them and returns the result. Sentry is a component of gVisor and is essentially an application kernel: it implements a subset of the Linux system call interface (enough to run mainstream applications). By redirecting and implementing the application's system calls inside the container sandbox, gVisor adds an extra layer of protection between the container application and the host operating system. If an application in a container wants to attack the host, it must first break through t...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/53; G06F11/36; G06F9/455
CPC: G06F21/53; G06F11/3696; G06F11/3684; G06F11/3688; G06F9/45558; G06F2009/45591; G06F2009/45587
Inventors: 申文博 (Shen Wenbo), 周天昱 (Zhou Tianyu), 任奎 (Ren Kui)
Owner: ZHEJIANG UNIV