UPFAD: A Solution to Detect Unauthorized Privileged File-Access in Docker

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：62

、訪客IP：3.15.1.196

姓名

李佳穎(Jia-Ing Lee) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

(UPFAD: A Solution to Detect Unauthorized Privileged File-Access in Docker)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 (2025-6-30以後開放)

摘要(中)

隨著雲端運算的發展及需求，虛擬化的技術日漸成熟，也越來越廣為人所運用。在虛擬化技術之中，除了傳統的虛擬機器（Virtual Machine）之外，還有一個較為輕量化的技術，即為容器（Container）。容器技術不像虛擬機器一樣需仰賴超管理器（Hypervisor）的幫助，既不需要模擬硬體架構，也不必跑在分別的系統核心（Kernel）之上，而是同一台主機（Host）上的所有容器共同享有主機的系統核心。然而，由於容器的隔離並沒有虛擬機器完善，容器也較虛擬機器來得易受攻擊，雖然大部分的漏洞都在被發現後就立刻做了補救，但是針對容器的攻擊手法實在過多，容器的安全防不勝防。

本研究針對這樣的特點，提出了一套偵測系統，以判斷針對容器之未授權特權檔案存取。如此一來，即便容器上的漏洞造成了非法檔案存取，我們還是可以利用此系統，直接從主機的系統核心中得知這樣的非法行為，並加以攔截。實驗後，結果顯示本系統的確可以達成理想的防禦效果，並且效能表現良好，幾乎不會對程序造成效能上的損失。

隨著虛擬技術的蓬勃發展，如何有效保護容器之安全勢必成為未來資安的議題。本研究的目的是從根本保護容器造成的非法檔案存取，即使容器上有漏洞也不會因此侵害到主機的安全。

摘要(英)

With the development of cloud computing, virtualization technology is becoming more mature and widely used. In recent days, container technology has been increasingly adopted in various computation scenarios. Compared to virtual machines, the elimination of additional abstraction layers leads to better resource utilization and improved efficiency. However, since all containers share the same operating system kernel with their host, the container technology also introduced a number of security issues.

We propose a detection system that detects unauthorized privileged file-accesses to protect the security of the host. Even if there are vulnerabilities in the container, our system can protect the illegal file-accesses from the host fundamentally and thus would not infringe the security of the host. After experiments, we found that our system could detect illegal file-accesses successfully and the overhead introduced by our system is neglectable.

關鍵字(中)

★ 容器
★ 虛擬化
★ Linux作業系統

關鍵字(英)

★ Container
★ Virtualization
★ LinuxOS

論文目次

摘要.................................................................................... i
Abstract .............................................................................. ii
誌謝.................................................................................... iii
目錄.................................................................................... iv
圖目錄................................................................................. vi
表目錄................................................................................. vii
第 1 章緒論 ........................................................................ 1
第 2 章背景介紹 .................................................................. 4
2.1 容器 ........................................................................ 4
2.2 容器之隔離機制 ......................................................... 5
2.2.1 命名空間 ......................................................... 5
2.2.2 控制組 ............................................................ 6
2.2.3 其他保護機制 ................................................... 7
2.3 Docker 之檔案共享機制 ............................................... 8
2.3.1 特權容器 ......................................................... 8
2.3.2 Volume............................................................ 8
2.4 OverlayFS................................................................. 9
第 3 章相關研究 .................................................................. 11
3.1 Docker 對於檔案系統的保護機制 ................................... 11
第 4 章系統架構與實作 ......................................................... 13
4.1 設計理念 .................................................................. 13
4.2 系統架構 .................................................................. 14
4.3 系統元件 .................................................................. 16
4.3.1 容器檢查器 ...................................................... 16
4.3.2 Overlay 檢查器 ................................................. 17
4.3.3 警告器 ............................................................ 18
第 5 章實驗結果及分析 ......................................................... 19
5.1 實驗平台 .................................................................. 19
5.2 實驗結果 .................................................................. 19
5.3 效能評估 .................................................................. 20
5.3.1 Micro Benchmark .............................................. 20
5.3.2 Macro Benchmark.............................................. 20
第 6 章討論 ........................................................................ 23
6.1 目前限制 .................................................................. 23
6.2 未來展望 .................................................................. 23
第 7 章總結 ........................................................................ 24
參考文獻.............................................................................. 25

參考文獻

[1] Linux containers, https://linuxcontainers.org/, Last Accessed: July, 2020.
[2] Docker, https://www.docker.com/, Last Accessed: July, 2020.
[3] Dockercvedetails,https://www.cvedetails.com/product/28125/Docker-Docker.html? vendorid = 13534, Last Accessed: July, 2020.
[4] Cgroups(7) — linuxmanualpage,https://man7.org/linux/man-pages/man7/cgroups. 7.html, Last Accessed: July, 2020.
[5] X. Gao, Z. Gu, Z. Li, H. Jamjoom, and C. Wang, “Houdini’s escape: Breaking the resource rein of linux control groups,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 1073–1086.
[6] Capabilities(7) — linux manual page, https://man7.org/linux/man-pages/man7/ capabilities.7.html, Last Accessed: July, 2020.
[7] Dockerrunreference-runtimeprivilegeandlinuxcapabilities,https://docs.docker.com/ engine/reference/run/#runtime-privilege-and-linux-capabilities,LastAccessed:July, 2020.
[8] Usevolumes,https://docs.docker.com/storage/volumes/,LastAccessed:July,2020.
[9] Use the overlayfs storage driver, https://docs.docker.com/storage/storagedriver/ overlayfs-driver/, Last Accessed: July, 2020.
[10] Overlay_constructs, https://docs.docker.com/storage/storagedriver/images/overlay_constructs.jpg, Last Accessed: July, 2020.
[11] J.Hertz,“Abusingprivilegedandunprivilegedlinuxcontainers,”Whitepaper, NCC Group, vol. 48, 2016.
[12] X. Lin, L. Lei, Y. Wang, J. Jing, K. Sun, and Q. Zhou, “A measurement study on linux container security: Attacks and countermeasures,” in Proceedings of the 34th Annual Computer Security Applications Conference, 2018, pp. 418–429.
[13] F. Loukidis-Andreou, I. Giannakopoulos, K. Doka, and N. Koziris, “Docker-sec: A fully automated container security enhancement mechanism,” in 2018 IEEE 38th InternationalConferenceonDistributedComputingSystems(ICDCS),IEEE,2018, pp. 1561–1564.
[14] W.Luo,Q.Shen,Y.Xia,andZ.Wu,“Container-ima:Aprivacy-preservingintegrity measurement architecture for containers,” in 22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019), 2019, pp. 487–500.
[15] T. Bui, “Analysis of docker security,” CoRR, vol. abs/1501.02967, 2015.

指導教授

許富皓

審核日期

2020-7-21

推文