
Design And Implementation Of Monitoring System For Docker Container Security

Posted on: 2018-06-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Jian
GTID: 2348330569986458
Subject: Computer technology

Abstract/Summary:
Lightweight virtualization, typically represented by container technology, is becoming an indispensable technology for cloud computing. A container integrates its resources and dependencies into the host operating system, reducing the hardware simulation required by traditional virtual machines. Meanwhile, this tighter integration also expands the attack surface and poses more threats to container security. Docker, an open source container management engine, was developed by dotCloud, a PaaS provider. It leverages the Linux kernel's Namespace, Cgroup and other mechanisms to ensure effective isolation between containers. Its kernel-based architecture on Linux achieves operating-system-level virtualization, but raises many security issues. Attackers can exploit kernel vulnerabilities from inside a container, leading to a kernel crash or even an escape to the host to obtain root privilege. These affect the reliable operation of the entire system. With the popularity and widespread use of Docker, these security threats have become a focus of container technology. This thesis focuses on the escape attack in Docker containers, proposes a defense method against it, and then designs and implements a supervising system for Docker containers. The concrete contents are as follows:

1. First, the thesis analyzes in detail the security mechanisms and attack surfaces of Docker and points out the related security problems. It implements exploits for the related vulnerabilities, which verifies the feasibility of the attack.
2. Second, the study realizes the escape attack method in a Docker container, proposes a defense method based on monitoring a process's Namespace, and verifies the effectiveness of the solution.
3. Third, the thesis designs and implements a security supervising system for Docker containers based on Zabbix, with graphical visualization of the containers' real-time status and alarm functions, to protect the security and reliable operation of Docker containers.
Keywords/Search Tags: Docker, container security, Namespace, monitoring