As enterprises migrate their services from on-premises infrastructure to the cloud, the number of containers in use has risen rapidly alongside the spread of cloud-native services. Containers solve the mismatch between development and production environments and, compared with virtual machines (VMs), start faster and are more lightweight. Because a container builds its isolated environment from facilities provided by the operating system, all containers on a host share the operating system kernel. This shared kernel is what container escape attacks exploit: by abusing a kernel vulnerability, a program running inside a container breaks the container's isolation and gains malicious access to, or even tampers with, the host environment. The extended Berkeley Packet Filter (eBPF) is a Linux kernel facility for event monitoring and tracing; eBPF programs run on a virtual machine inside the Linux kernel with Just-In-Time (JIT) compilation, so that filtering rules can be injected into the kernel dynamically while kernel safety is preserved. This paper uses eBPF to propose ACES, an event-driven container escape defense system that detects and blocks container escape attacks at the kernel level in real time, and it defines a hierarchy of container escape events, each tier with a corresponding defensive action. Experimental results show that ACES defends effectively against two kinds of container escape attacks, file-system based and privilege-escalation based, with an interval between detecting and blocking an attack as low as 10 μs. ACES records the process behind each detected escape event in an eBPF map, so that once a process has been caught in a first escape event, the time needed to detect and block its subsequent escape behaviour is reduced by up to 88.09%.