Method for intercepting an encrypted communication stream

By injecting kernel-level instructions to intercept and copy encrypted data from containers to user space, the method addresses the challenge of monitoring encrypted communications in virtualized networks, enhancing security and detection capabilities.

FR3152690B1Active Publication Date: 2026-07-03ORANGE SA

Patent Information

Authority / Receiving Office
FR · FR
Patent Type
Patents
Current Assignee / Owner
ORANGE SA
Filing Date
2023-08-29
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

The isolated nature of containers in virtualized communication networks limits the ability to analyze and inspect encrypted communications, making it difficult for operators to secure and monitor network functions, particularly when these functions are provided by different vendors as 'black boxes'.

Method used

A method and device that intercept encrypted communication streams by injecting program instructions into the host operating system kernel to access encrypted data without modifying the containers, using eBPF technology to instrument system calls and copy data from kernel to user space for analysis.

Benefits of technology

Enables secure and efficient interception of encrypted communications within containers without installing probes, allowing for monitoring and detection of cyberattacks or failures, while preserving system integrity.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 00000014_0000
    Figure 00000014_0000
  • Figure 00000015_0000
    Figure 00000015_0000
  • Figure 00000016_0000
    Figure 00000016_0000
Patent Text Reader

Abstract

The invention relates to a method for intercepting, by an analysis module, a communication stream destined for an application running in a container on a host environment comprising an operating system, the method comprising a configuration step (301) during which a set of code instructions is associated with a particular execution point of a data transfer system call, and an execution step (303) of said set of instructions in the kernel space of the host operating system when a system call triggered from at least one container reaches (302) the execution point, the execution of said set of instructions comprising at least the copying (304) of the contents of a memory area of ​​the kernel space modified by the system call to a memory area of ​​the user space. Figure 3.
Need to check novelty before this filing date? Find Prior Art

Description

Title of the invention: Method for intercepting an encrypted communication stream technical field

[0001] The invention belongs to the field of communications and relates more particularly to a method for intercepting an encrypted communication stream in a container-based virtualized execution environment. Previous art

[0002] Modern communication networks increasingly rely on virtualization mechanisms. Virtualization allows several systems or applications to run on the same physical system by defining isolated execution environments called containers. Virtualization can be complete or partial.

[0003] In the case of full virtualization, applications run on virtual machines whose input / output interfaces are abstractions of the corresponding physical interfaces provided by a hypervisor. In other words, the host machine emulates a machine on which a complete operating system and the desired applications are running. The applications then run in a complete environment, which may be of a different type than that of the host system.

[0004] In the case of partial virtualization, only the resources necessary for its execution are made available to an application. This is known as containerization. This virtualization method generally requires fewer resources than full virtualization, because applications running in containers use the operating system's native system call interface. Therefore, no emulation is necessary.

[0005] Virtualization provides great flexibility, which is particularly valued in the field of service platforms and networks. For example, 5G communication networks rely on the virtualization of VNF network functions (Virtual Network Functions, for example, Firewall, DNS, NAT, Authentication, etc.), thus making it possible to decouple a network function from its corresponding physical equipment or to define network slices.

[0006] However, the isolated nature of containers limits the possibilities for analysis and introspection of virtualized systems. For example, it can be tedious, or even impossible, for an operator of a virtualized communication network to deploy probes in the various containers that implement the network functions. For example, the network functions may be provided by different vendors. in the form of "black boxes" without the possibility of instrumentation. In such a situation, the operator of the virtualized network may encounter difficulties in securing and monitoring its network. In particular, the operator may have difficulty accessing the content of encrypted communications exchanged by network functions, for example, the content of signaling messages, which can lead to security or quality of service problems.

[0007] There is therefore a need for a solution enabling the interception of encrypted communications destined for applications running in containers without the need to intervene on the containers themselves. Summary of the invention

[0008] To this end, according to a first aspect of the invention, a method is proposed for intercepting, by an analysis module, a communication stream destined for an application running in a container on a host environment comprising an operating system, the method comprising the following steps: - A configuration step during which a set of code instructions is associated with a particular execution point of a data transfer system call, - A step of executing said instruction set in the kernel space of the host operating system environment when a data transfer system call triggered from at least one container reaches the execution point, the execution of said instruction set comprising at least the copying of the contents of a memory area in kernel space modified by the system call to a memory area in user space.

[0009] Program instructions are thus injected into the host operating system kernel to be executed in kernel space when a system call is made. Therefore, when an application running in a particular container makes a call to the host operating system to receive or transmit data, the injected program instructions are executed when the specific execution point to which they are associated is reached. Because the code instructions are executed in the kernel, it is possible to access the buffer used by the operating system for receiving or transmitting network data without having to interact with the containers receiving or originating these communications. It is no longer necessary to install probes in the containers to observe encrypted traffic.

[0010] In this way, an analysis module running on the host machine can access messages intended for applications running in containers, without the need to modify them.

[0011] According to a particular embodiment, the method includes a preliminary step of determining that a communication decryption function is performed by the kernel, the execution of the code instruction set being conditioned on the result of said determination step, the modified kernel space memory area comprising data decrypted by the kernel.

[0012] In this way, the instrumentation of the system call is only performed when necessary, for example, when the kernel implements encryption and decryption functions. For example, a Linux kernel can be configured to implement the TLS protocol to limit memory copies and improve performance. When such a configuration is determined, system calls relating to the reception of encrypted data can be instrumented by code instructions adapted to access the decrypted data from the kernel.

[0013] According to a particular embodiment, the method further includes a step of detecting an attack from the intercepted data.

[0014] In a particular embodiment, the method is such that the configuration step includes associating a first set of code instructions with a first execution point in the kernel space of the operating system and a second set of code instructions with a second execution point in the kernel space of the operating system, the first execution point being an entry point of the system call and the second execution point being an exit point of said system call, the first set of code instructions being configured to obtain an address of a buffer in the kernel space and store this address in a data structure stored in the kernel space, the second set of instructions being configured to obtain the stored address and copy data from a location pointed to by said address to a buffer accessible from user space.

[0015] According to another aspect, the invention relates to a device for intercepting a communication stream destined for an application running in a container on a host environment comprising an operating system, the device comprising a processor coupled to a memory in which computer program instructions are stored, configured to implement the following steps: - A configuration step during which a set of code instructions is associated with a particular execution point of a data transfer system call, - A step of executing said instruction set in the kernel space of the host operating system environment when a data transfer system call triggered from at least one container reaches the execution point, the execution of said instruction set comprising at minus the copying of the contents of a memory area in kernel space modified by the system call to a memory area in user space.

[0016] The invention also relates to a server comprising an interception device as described above.

[0017] In a particular embodiment, the different stages of the interception process are determined by computer program instructions.

[0018] Consequently, the invention also relates to a computer program comprising instructions adapted to the implementation of the steps of an interception process as described above, when the program is executed by a processor.

[0019] This program may use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable form.

[0020] The invention also relates to a computer-readable information medium on which is recorded a computer program comprising instructions for executing the steps of an interception process as described above.

[0021] The information medium can be any entity or device capable of storing the program. For example, the medium can include a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, a flash memory, or a magnetic recording means, such as a hard drive.

[0022] On the other hand, the information medium can be a transmissible medium such as an electrical or optical signal, which can be transmitted via an electrical or optical cable, by radio, or by other means. The program according to the invention can, in particular, be downloaded onto an Internet-type network.

[0023] Alternatively, the information carrier may be an integrated circuit in which the program is incorporated, the circuit being adapted to execute or to be used in the execution of the process in question.

[0024] The various modes or embodiments mentioned above can be added independently or in combination with each other, to the stages of the interception process.

[0025] Devices, servers, programs and information media have advantages similar to those of the process to which they correspond. Brief description of the figures

[0026] Other features and advantages will become apparent upon reading a preferred embodiment described with reference to the accompanying drawings, among which: - Figure 1 is a diagram representing an architecture in which cryptographic functions are implemented in the user space of a host system. - Figure 2 is a diagram representing an architecture in which cryptographic functions are implemented in the kernel space of a host system. - Figure 3 is a flowchart showing the main steps of an interception process according to a particular embodiment, and - Fig. 4 illustrates an architecture of a device adapted to implement an interception process according to a particular embodiment. Detailed description

[0027] TLS is a widely used communication protocol for securing digital communications. For example, TLS is used to secure connections to an HTTP server or to encrypt video-on-demand content, but also for encrypting network signaling data, for example to secure control traffic between entities implementing the different functions of a 5G network.

[0028] Typically, the TLS protocol can be implemented in an application as a library. Open-source libraries such as openssl are well-known for this purpose. In such a scenario, an application running in a container within a host environment uses the services of a library to encrypt and decrypt user-space traffic.

[0029] In the following description, user space refers to a memory address space used to store and execute user programs. This memory address space is distinct from kernel space, which is used to store the operating system's code and data. User space provides an isolated environment that protects the system against malicious programs. Thus, memory access possibilities are limited in user space, as are the permitted instructions.

[0030] Figure 1 illustrates an implementation of a communication encryption system using a library. An application 100 runs in a container 101 of a host environment 102. The application 100 uses the services of a TLS library 103 in user space to establish the TLS connection, perform authentication, and encrypt / decrypt data. Thus, to transmit encrypted data to a recipient, the application 100 encrypts a data packet using the TLS library 103 and makes a system call 104 to command the The kernel sends the encrypted data. The kernel uses a 105 protocol stack to transmit the data.

[0031] In such a configuration, data passing between user space and kernel space via system calls is encrypted.

[0032] Figure 2 illustrates a second implementation mode of the TLS protocol. In this second mode, the implementation of the TLS protocol is shared between, on the one hand, the application 100 which uses a TLS 103 library solely for establishing communication and, on the other hand, the kernel which uses a KTLS 106 module dedicated to the encryption / decryption of communications as well as authentication.

[0033] In this second configuration, the data that passes between user space and kernel space via system calls is not encrypted.

[0034] Fig. 3 is a flowchart illustrating the main steps of an interception process implemented, according to a particular embodiment, by an analysis module in a host execution environment on which at least one application in a container is running.

[0035] The method includes an optional first step 300 in which the environment is tested to determine whether cryptographic functions necessary for establishing secure communications are implemented in the kernel of the host operating system or whether these functions are implemented in user space. To this end, in a particular embodiment, the analysis module instruments a system call designed to configure the network functions used by applications running in one or more containers in order to identify the applications that request the use of cryptographic functions in the kernel. More specifically, the analysis module associates a particular sequence of instructions with a particular execution point of a system call designed to configure access to the network communication layers of the host operating system.This sequence of instructions is configured to store process identifiers, network transport service access point identifiers, and the configuration requested by the application in a kernel data structure, specifically the configuration regarding the use of cryptographic functions provided by the kernel. For example, on a POSIX-compliant host system, step 300 can instrument the "setsockopt" system call so that the sequence of instructions is executed whenever an application running in a container configures network access. The instructions in the sequence associated with the system call include a test to determine whether the application is attempting to configure the use of cryptographic functions in the kernel, for example, by determining whether the TLS_RX option is requested by the application. If so, the instructions are configured accordingly. The process identifier (PID, for process identifier in a POSIX system) is stored in association with the identifier of the relevant socket. This association is stored in a data structure in the kernel.

[0036] System call instrumentation can be implemented in various ways. For example, it is possible to use a BPF (Berkley Packet Filter) or eBPF (Extended BPF) virtual machine.

[0037] eBPF is a Linux kernel technology that allows programs to be executed in kernel space without having to modify the kernel source code or add additional modules. It is a virtual machine with a limited number of instructions, on which developers can run a program using specific kernel resources.

[0038] When it is determined, at the end of step 300, that the cryptographic functions necessary for establishing secure communications are implemented in the kernel, the analysis module implements a step 301 in which at least one set of program instructions is associated with a system call execution point related to a network data transfer. More specifically, particular instructions are injected into the operating system kernel, for example using eBPF technology, and one or more system functions for receiving and / or sending data over a network are instrumented so that the injected instructions are executed when said system functions are called by an application running in user space.For example, on a Posix-type system, the sendmsg, sendto, recvmsg and / or recvfrom functions can be instrumented in this way, so that each call to one of these functions by an application triggers the execution of a sequence of instructions injected into the kernel by the analysis module.

[0039] In step 302, a system call instrumented in step 301 is invoked by an application running in a container on the host machine. This is, for example, a system call intended to receive data transmitted by a device to the application, for example, signaling data.

[0040] When the system call reaches a particular execution point to which an instruction sequence has been associated during the configuration step 301, the interception process includes a step 303 during which the instruction sequence is executed in kernel space.

[0041] When the system call invoked in step 302 relates to the reception of encrypted data, execution step 303 includes a substep 304 of accessing a memory area of ​​the operating system kernel in which the data received via the network interface and decrypted by the kernel's cryptographic functions are temporarily stored, and of copying the contents of that area memory to another memory area, for example a circular buffer allocated in user space.

[0042] When the invoked system call relates to sending data to a device, step 304 is a step of accessing a memory area of ​​the operating system kernel in which the data that the application in question wishes to send is temporarily stored, before it has been transformed by the cryptographic functions of the kernel, and of copying the contents of this memory area to another memory area, for example a circular buffer allocated in user space.

[0043] In a particular embodiment, access to the kernel memory area containing unencrypted data is performed in two steps. In such a case, a first sequence of instructions is injected into the kernel and associated with the input of a network receive or transmit system call, and a second sequence of instructions is associated with the output of the system call. In other words, a first "hook" is configured at an execution point located at the beginning of the instrumented system call, that is, after the system call is invoked by the application but before it is actually executed.This first "hook" is associated with code instructions configured to obtain the address of the kernel memory area in which unencrypted data, received or to be transmitted, is written, and to store this memory address obtained in a kernel data structure, for example a table or a dictionary, in association with an identifier of the system call concerned by the system call, for example a socket identifier.

[0044] A second sequence of instructions is injected into the kernel and associated with the output of the system call. This second sequence includes instructions configured to obtain the address of the buffer that was stored in the data structure during the execution of the instructions injected at the input of the system call, and to copy the contents of this memory area into memory allocated in user space, for example, a circular buffer. The intercepted unencrypted data is thus accessible by an analysis module running in the user space of the host environment.

[0045] The method finally includes a step 305 of analyzing the intercepted data. The analysis step includes, for example, the application of a predictive model to the intercepted data. The predictive model can be an artificial neural network previously trained on messages characteristic of a cyberattack, intrusion, or network equipment failure.

[0046] Although the description of the process is based on eGMP technology, other technologies can be used to implement the process. By For example, the invention can be implemented by a dedicated module loaded into the kernel, or by instructions introduced into the kernel during its compilation.

[0047] Fig. 4 represents an architecture of a device 400 adapted to implement the interception method according to a particular embodiment of the invention.

[0048] The device 400 includes a data processing module comprising a storage space 401, for example a memory (MEM), a processing unit 402, equipped for example with a microprocessor (PROC), and controlled by a computer program (PGR) 403 whose instructions are configured to implement the interception method as described above in relation to [Fig.3].

[0049] At initialization, the code instructions of the computer program 403 are, for example, loaded into memory 401 before being executed by the processor of the processing unit 402. The microprocessor of the processing unit 402 implements, according to the instructions of the computer program 403, the steps of the interception process described above with reference to [Fig.3].

[0050] For this purpose, the device 400 includes communication means 404, for example a network card, enabling the device to connect to a communication network and exchange data with other devices.

[0051] The 404 communication means are controlled by an operating system of the device offering in particular cryptographic functions allowing to encrypt and decrypt communications in the kernel space for the benefit of applications running in a user space, for example in containers.

[0052] The device also includes a configuration module 405 adapted to instrument at least one network function of the operating system by associating a set of instructions with a particular execution point of said function. For this purpose, the configuration module can be implemented by computer program instructions and use eBPF functions to inject code instructions into the kernel and associate the execution of these instructions with the input and / or output of a particular system call.

[0053] The device 400 also includes a network data interception module 406. The module is implemented, for example, by a sequence of code instructions injected into the kernel and associated with a particular execution point of a system call. The instruction sequence in question is configured to access a memory area allocated in kernel space intended to temporarily store data exchanged by a local application with one or more remote devices, including signaling messages exchanged between different network functions. The data contained in the memory area is data decrypted by cryptographic functions of the operating system kernel or data awaiting encryption by cryptographic functions. In other words, the module The interception module is configured to access plaintext, that is, unencrypted data stored in an operating system memory area that is not directly accessible by applications running in user space. The interception module also includes instructions configured to copy data from the memory area allocated in kernel space to a memory area accessible from user space.

[0054] The device also includes a diagnostic module 407 adapted to read the data copied into the memory area accessible from the user space by the interception module 406 and analyze this data to determine whether or not it is characteristic of a cyberattack or a failure. To this end, module 407 can implement a predictive analysis model such as an artificial neural network, a regression model, a classification model, or a decision tree. The analysis model can be trained beforehand using messages characteristic of cyberattacks or failures and messages characteristic of normal operation.

[0055] According to a particular embodiment, the device 400 is integrated into a server of a communication network.

Claims

Demands

1. A method for intercepting, by an analysis module, a communication stream destined for an application running in a container on a host environment comprising an operating system, the method comprising the following steps: - A step of instrumenting a system call intended to configure the network functions used by at least one application running in said container, to identify applications that request the use of cryptographic functions implemented by the kernel of said operating system, - A configuration step during which a set of code instructions is associated with a particular execution point of a data transfer system call, - A step of executing said set of instructions in the kernel space of the host environment's operating system when a data transfer system call,triggered by an application identified as requesting the use of kernel cryptographic functions, reaches said execution point, the execution of said instruction set comprising at least the copying of the contents of a kernel space memory area modified by the system call to a user space memory area.

2. A method according to claim 1 further comprising a step of detecting an attack from the intercepted data.

3. A method according to any one of the preceding claims, wherein the configuration step comprises associating a first set of code instructions with a first execution point in the kernel space of the operating system and a second set of code instructions with a second execution point in the kernel space of the operating system, the first execution point being an entry point of the system call and the second execution point being an exit point of said system call, the first set of code instructions being configured to obtain an address of a buffer in the kernel space

4.

5.

6. and store this address in a data structure stored in kernel space, the second set of instructions being configured to get the stored address and copy data from a location pointed to by said address to a buffer accessible from user space. A device for intercepting a communication stream destined for an application running in a container on a host environment comprising an operating system, the device comprising a processor coupled to a memory in which computer program instructions are stored, configured to implement the following steps: - A step of instrumenting a system call intended to configure the network functions used by at least one application running in said container, in order to identify applications that request the use of cryptographic functions implemented by the kernel of said operating system, - A configuration step during which a set of code instructions is associated with a particular execution point of a data transfer system call, - A step of executing said instruction set in the kernel space of the host operating system environment when a data transfer system call, triggered by an application identified as requesting the use of cryptographic kernel functions, reaches said execution point, the execution of said instruction set comprising at least the copying of the contents of a memory area in kernel space modified by the system call to a memory area in user space. Server comprising an interception device according to claim 4. Computer program comprising instructions adapted to carry out the steps of a process according to any one of claims 1 to 3, when the program is executed by a processor.

7. Computer-readable information carrier on which is recorded a computer program comprising instructions for carrying out the steps of an interception method according to any one of claims 1 to 3.