
The Design And Implementation Of A Kernel Module Customization System Based On Container Images Analysis

Posted on: 2022-07-21
Degree: Master
Type: Thesis
Country: China
Candidate: H L Gan
GTID: 2518306572997119
Subject: Computer technology

Abstract/Summary:
Container technology is widely used by developers and organizations because of its convenience and high performance. However, unlike virtual machines, containers share the same host OS kernel, which makes isolation between containers weaker. Although the host OS provides some strict software isolation mechanisms, such as Namespaces, malicious tenants can still access the kernel through system calls and bypass these isolation mechanisms by exploiting kernel vulnerabilities. At the same time, as the kernel code is constantly updated, the number of kernel functions keeps increasing. Most applications use only part of the kernel's functions when running and do not need access to the whole OS kernel. These unused kernel functions are likely to be used by other, malicious containers, which endangers the normal containers.

To solve these problems, this paper designs and implements a minimal kernel customization system based on container images. First, the system analyzes the set of system calls required by a container through dynamic analysis and static analysis. Second, the system generates a dedicated kernel module for the container based on the analysis result and restricts the container to making system calls only through the system call table maintained in that kernel module. In this way, the system call behavior of the container is restricted, which achieves the goal of restricting its access to unnecessary kernel functions.

The experimental results show that, compared with the default Seccomp configuration file, the system can analyze and disable more system calls: more than twice as many as the default. Compared with using the Seccomp mechanism, our system uses a loadable kernel module (LKM) to restrict system calls, which reduces the performance overhead of system calls by 14%. Meanwhile, in the QPS test on an nginx container, the additional performance overhead brought by the LKM is less than 2%, which means that using an LKM to limit system calls brings less performance overhead to the host.
Keywords/Search Tags: Container Image, Dynamic Analysis, System Calls, LKM