Author: 李佳穎 (Jia-Ing Lee)
Department: Department of Computer Science and Information Engineering
Thesis title: UPFAD: A Solution to Detect Unauthorized Privileged File-Access in Docker
Full text: available in the system after 2025-6-30

Abstract (Chinese): With the development of cloud computing and the demand it creates, virtualization technology has matured and is used ever more widely. Among virtualization technologies, besides the traditional virtual machine, there is a more lightweight one: the container. Unlike a virtual machine, container technology does not rely on a hypervisor; it neither emulates a hardware architecture nor runs on a separate kernel. Instead, all containers on the same host share the host's kernel. However, because container isolation is less complete than that of virtual machines, containers are also more exposed to attack. Although most vulnerabilities are remedied as soon as they are discovered, the number of attack techniques against containers is so large that container security is hard to guarantee.
In view of this characteristic, this study proposes a detection system that identifies unauthorized privileged file access originating from containers. Even if a vulnerability in a container leads to illegal file access, this system lets us learn of the illegal behavior directly in the host's kernel and intercept it. Experimental results show that the system achieves the intended defensive effect and performs well, causing almost no performance loss to processes.
With the rapid growth of virtualization technology, effectively protecting container security is bound to become an information-security issue in the future. The goal of this study is to protect against illegal file access from containers at the root, so that even a vulnerable container cannot compromise the security of the host.

Abstract (English): With the development of cloud computing, virtualization technology is becoming more mature and widely used. In recent years, container technology has been increasingly adopted in various computation scenarios. Compared to virtual machines, the elimination of additional abstraction layers leads to better resource utilization and improved efficiency. However, since all containers share the same operating system kernel with their host, container technology also introduces a number of security issues.
We propose a detection system that detects unauthorized privileged file accesses to protect the security of the host. Even if there are vulnerabilities in the container, our system can block illegal file accesses at the host fundamentally, so they cannot infringe on the security of the host. Our experiments show that the system detects illegal file accesses successfully and that the overhead it introduces is negligible.

Keywords (Chinese):
★ Container
★ Virtualization
★ Linux operating system

Keywords (English):
★ Container
★ Virtualization
★ Linux OS

Table of contents:
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
Chapter 2 Background
2.1 Containers
2.2 Container isolation mechanisms
2.2.1 Namespaces
2.2.2 Control groups
2.2.3 Other protection mechanisms
2.3 Docker file-sharing mechanisms
2.3.1 Privileged containers
2.3.2 Volumes
2.4 OverlayFS
Chapter 3 Related work
3.1 Docker's protection mechanisms for the file system
Chapter 4 System architecture and implementation
4.1 Design philosophy
4.2 System architecture
4.3 System components
4.3.1 Container checker
4.3.2 Overlay checker
4.3.3 Alerter
Chapter 5 Experimental results and analysis
5.1 Experimental platform
5.2 Experimental results
5.3 Performance evaluation
5.3.1 Micro benchmark
5.3.2 Macro benchmark
Chapter 6 Discussion
6.1 Current limitations
6.2 Future work
Chapter 7 Conclusion
References

Advisor: 許富皓
Date of approval: 2020-7-21