
Research On Linux Container Protection Technology

Posted on: 2018-08-18 | Degree: Master | Type: Thesis
Country: China | Candidate: X F Wei | Full Text: PDF
GTID: 2348330563951182 | Subject: Computer Science and Technology
Abstract/Summary:
Compared with traditional virtualization technology, containers offer higher resource utilization and faster response. Container technology is currently the most popular form of operating-system-level virtualization and has been widely deployed. However, containers also have security problems, such as leakage of sensitive system information, attacks on directories, and unsafe transmission of file descriptors across containers. To address these problems, this thesis carries out the following work:

(1) UTS namespace randomization. The UTS namespace packages system information tied to the host version, and this information is fixed: anyone can obtain the real host information without any permission check. When the Linux kernel contains vulnerabilities, a container user can mount a targeted attack based on that host information. This thesis proposes UTS namespace randomization, which randomizes the host information and sets up roles and a white list according to user requirements and trust level, so that a trusted role can obtain the real information (e.g., the system version) while an untrusted role obtains only randomized information. Experiments show that UTS randomization improves container security by limiting the ability to access host information.

(2) MNT namespace randomization. The MNT namespace is the key mechanism for file-system isolation, but some security risks remain, such as leakage of sensitive information and attacks based on file and directory names. In view of these shortcomings of the MNT namespace, this thesis proposes MNT namespace randomization. First, the creation and operation of the Linux MNT namespace are modified; then file names and directory names are encrypted with the AES algorithm. In this way the directory tree is randomized, so that untrusted users see only an obfuscated file directory tree. By setting up roles and a white list, user roles are mapped and their capabilities determined according to the needs and trust level of users in the container, which both meets the requirements of different users and guarantees the principle of least privilege. Experimental results show that the method effectively protects against attacks by scanning software that enumerates directories and specific sensitive files, with little performance degradation: operating overhead increases by only about 1.82%.

(3) Protection of file-descriptor transmission across containers. Users in a container can make use of open file descriptors with low permissions that belong to the host or to other containers. In this way a user in the container can break out of the MNT namespace constraints and access files they have no right to access. To address this problem, this thesis proposes a protection mechanism for file-descriptor transmission across containers. An LSM module first intercepts the fchdir system call, and the absolute path name of the file descriptor's target is then compared with the process's own secure absolute path name to determine whether the fchdir operation is legitimate. Finally, the above technique was tested by simulation in a QEMU virtual machine, and the results show that it effectively reduces the risk of MNT namespace breakout when file descriptors are transferred across containers, thereby enhancing the safety of the MNT namespace.
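The following is an added example, not code from the thesis: a user-space model of the legitimacy check described in part (3). The thesis performs this comparison inside an LSM hook on fchdir; here the same policy (is the path the descriptor resolves to inside the calling process's own root?) is written as a plain C function and run over constructed sample paths, so it compiles and runs on any POSIX system. The function names, the container root paths and all sample descriptor targets are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Return true when `target` (the absolute path the file descriptor
 * resolves to) lies inside `root` (the absolute path, on the host, of the
 * calling process's mount-namespace root).
 *
 * Both paths are assumed canonical (no "." or ".." components), which is
 * what the kernel's d_path() would hand an LSM hook; a user-space caller
 * would run realpath(3) first.  The component-boundary test after the
 * prefix match is what stops "/srv/ctrA" from matching "/srv/ctrAB/...".
 */
bool path_within_root(const char *root, const char *target)
{
    if (root == NULL || target == NULL)
        return false;
    if (root[0] != '/' || target[0] != '/')
        return false;                      /* relative paths are never accepted */

    size_t rlen = strlen(root);
    while (rlen > 1 && root[rlen - 1] == '/')
        rlen--;                            /* tolerate the "/srv/ctrA/" spelling */

    if (rlen == 1)
        return true;                       /* root is "/", i.e. the host itself */

    if (strncmp(root, target, rlen) != 0)
        return false;
    return target[rlen] == '\0' || target[rlen] == '/';
}

/*
 * Policy decision for one fchdir(fd) attempt: the call is legitimate only
 * if the descriptor's target stays inside the caller's own root.  A
 * descriptor received from the host or from another container resolves
 * outside that root and is refused, which is the MNT-namespace breakout
 * the thesis guards against.
 */
bool fchdir_allowed(const char *proc_root, const char *fd_target)
{
    return path_within_root(proc_root, fd_target);
}

/* Constructed scenarios (sample data, not measurements from the thesis). */
struct scenario {
    const char *proc_root;   /* root of the process calling fchdir */
    const char *fd_target;   /* where the descriptor actually points */
    bool        expect_ok;
};

static const struct scenario scenarios[] = {
    { "/srv/ctrA",  "/srv/ctrA/var/log", true  },  /* own tree */
    { "/srv/ctrA",  "/srv/ctrA",         true  },  /* the root itself */
    { "/srv/ctrA/", "/srv/ctrA/etc",     true  },  /* trailing slash on root */
    { "/srv/ctrA",  "/srv/ctrB/etc",     false },  /* another container's fd */
    { "/srv/ctrA",  "/srv/ctrAB/etc",    false },  /* prefix look-alike */
    { "/srv/ctrA",  "/etc",              false },  /* host fd leaked in */
    { "/",          "/srv/ctrA/etc",     true  },  /* host process, unconfined */
    { "/srv/ctrA",  "srv/ctrA/etc",      false },  /* not an absolute path */
};

int scenario_count(void)
{
    return (int)(sizeof(scenarios) / sizeof(scenarios[0]));
}

/* Evaluate every scenario; return how many decisions matched expectation. */
int run_scenarios(void)
{
    int matched = 0;
    for (int i = 0; i < scenario_count(); i++) {
        bool ok = fchdir_allowed(scenarios[i].proc_root, scenarios[i].fd_target);
        printf("root=%-12s fd->%-20s %s\n", scenarios[i].proc_root,
               scenarios[i].fd_target, ok ? "ALLOW" : "DENY");
        if (ok == scenarios[i].expect_ok)
            matched++;
    }
    return matched;
}

int main(void)
{
    int total = scenario_count();
    int matched = run_scenarios();
    printf("%d/%d decisions as expected\n", matched, total);
    return matched == total ? 0 : 1;
}
```

The boundary test after the prefix comparison is the part most often missed in path-containment checks; without it a sibling directory whose name merely extends the root's name would be accepted. In a real LSM implementation the two paths would come from the kernel's own dentry-to-path conversion rather than from strings supplied by the process, so the process cannot influence the comparison.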
Keywords/Search Tags: Linux container, Security, Namespace, File Descriptor, Randomization Technology, Access Control