With the rapid development of virtualization technology, effectively protecting the security of containers is bound to become a key information-security topic. The purpose of this study is to fundamentally prevent illegal file accesses originating from containers, so that even if a container has vulnerabilities, the security of the host is not compromised as a result.

With the development of cloud computing, virtualization technology is becoming more mature and widely used. In recent years, container technology has been increasingly adopted in various computation scenarios. Compared to virtual machines, the elimination of additional abstraction layers leads to better resource utilization and improved efficiency. However, since all containers share the same operating system kernel with their host, container technology also introduces a number of security issues.
We propose a detection system that detects unauthorized privileged file accesses in order to protect the security of the host. Even if there are vulnerabilities in the container, our system prevents illegal file accesses to the host at a fundamental level, so the security of the host is not infringed. Our experiments show that the system detects illegal file accesses successfully and that the overhead it introduces is negligible.
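The abstract describes the goal of the system (flagging privileged file accesses that originate inside a container but reach host files) without showing what such a check looks like. The following Python snippet is an added, simplified illustration written for this page; it is not the thesis's implementation and does not reproduce its mechanism. It assumes an audit-style key=value log format, a cgroup path of the form `/docker/<id>` to attribute a process to a container, and a table mapping each container id to its root filesystem directory; all sample log lines and paths are constructed for the example.

```python
"""Illustrative detector: privileged file accesses from a container that
resolve to paths outside that container's root filesystem.

Assumptions (not from the thesis): records are 'key=value' audit-style lines;
a process belongs to a container when its cgroup path is /docker/<id>; and
CONTAINER_ROOTFS maps container ids to their merged root directories.
"""
from dataclasses import dataclass
import os
import re

# Constructed sample log, one record per line. The fifth record uses '..'
# components to reach outside the container root, which path normalization
# must resolve before the prefix check.
SAMPLE_LOG = """\
pid=1203 uid=0 cgroup=/docker/ab12cd op=open path=/var/lib/docker/overlay2/ab12cd/merged/etc/passwd
pid=1204 uid=0 cgroup=/docker/ab12cd op=open path=/etc/shadow
pid=1210 uid=1000 cgroup=/docker/ab12cd op=open path=/etc/shadow
pid=1301 uid=0 cgroup=/ op=open path=/etc/shadow
pid=1205 uid=0 cgroup=/docker/ab12cd op=open path=/var/lib/docker/overlay2/ab12cd/merged/../../../../etc/hostname
"""

# Hypothetical mapping of container id to its root filesystem on the host.
CONTAINER_ROOTFS = {"ab12cd": "/var/lib/docker/overlay2/ab12cd/merged"}

_CGROUP_RE = re.compile(r"^/docker/([0-9a-f]+)")
_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    pid: int
    uid: int
    cgroup: str
    op: str
    path: str


def parse(line: str) -> Event:
    """Turn one 'key=value ...' record into an Event."""
    fields = dict(_KV_RE.findall(line))
    return Event(int(fields["pid"]), int(fields["uid"]),
                 fields["cgroup"], fields["op"], fields["path"])


def container_of(cgroup: str):
    """Return the container id for a container cgroup path, else None."""
    m = _CGROUP_RE.match(cgroup)
    return m.group(1) if m else None


def is_illegal_access(event: Event) -> bool:
    """True when a privileged (uid 0) container process touches a path that,
    after normalization, lies outside the container's own root filesystem."""
    cid = container_of(event.cgroup)
    if cid is None:
        return False  # plain host process: not the scenario being detected
    rootfs = CONTAINER_ROOTFS.get(cid)
    if rootfs is None:
        return True  # unknown container: no legitimate root to compare against
    normalized = os.path.normpath(event.path)
    inside = normalized == rootfs or normalized.startswith(rootfs + "/")
    return event.uid == 0 and not inside


def detect(log_text: str):
    """Return the events in log_text that should raise an alert."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return [e for e in events if is_illegal_access(e)]


if __name__ == "__main__":
    for e in detect(SAMPLE_LOG):
        print(f"ALERT pid={e.pid} uid={e.uid} {e.op} {e.path}")
```

Running the block flags pids 1204 and 1205: the first is a root process in the container opening the host's `/etc/shadow` directly, the second reaches the same effect through `..` components, which is why the check normalizes the path before comparing prefixes. The unprivileged access (uid 1000) and the host process are deliberately left out, matching the abstract's focus on privileged accesses from containers. A production system would take these decisions at the kernel boundary (where the path is resolved and the caller's namespace is known) rather than from after-the-fact logs, which is what makes the low overhead the abstract reports a meaningful result.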