Master's/Doctoral Thesis 111522044: Detailed Record
Name: 簡羅佑 (Luo-You Jian)
Department: Computer Science and Information Engineering
Title: A Study on Defense Mechanisms Against Container Escape Attacks Based on eBPF
Related theses
★ A Study of Stable QoS Routing Mechanisms in Wireless Mobile Ad Hoc Networks
★ A Network Management System Using Multiple Mobile Agents
★ A Cooperative Network Defense System Using Mobile Agents
★ A Study of QoS Routing under Uncertain Link-State Information
★ Improving Path Setup Performance in Optical Burst Switching via Traffic Observation
★ A Study of Sensor Networks and Game Theory Applied to Comfort Air Conditioning
★ A Search-Tree-Based Routing Algorithm for Wireless Sensor Networks
★ A Lightweight Mobile-Device Positioning System Based on Wireless Sensor Networks
★ A Multimedia Guided Toy Car
★ A Smart Floor-Based Guided Toy Car
★ A Mobile Social Network Service Management System Applied to Families of Children with Developmental Delays
★ A Location-Aware Wearable Mobile Advertising System
★ Adaptive Vehicular Broadcasting
★ An Early-Warning Vehicle Collision Avoidance Mechanism on Vehicular Networks
★ A Cooperative Traffic Information Dissemination Mechanism on Wireless Vehicular Networks to Alleviate Congestion
★ Adaptive Virtual Traffic Signals Using Vehicular Networks to Alleviate Congestion in Smart Cities
Files: full text is viewable only through the library system (never to be released publicly)
Abstract (Chinese): As enterprises progressively migrate their services from on-premises to the cloud, the number of containers in use has risen rapidly along with the spread of cloud-native services. Containers not only solve the mismatch between development and production environments, but also start faster and are lighter than virtual machines (VMs). Because a container builds its isolated environment from features provided by the operating system, all containers share the operating system kernel. This lets a container escape attack exploit a kernel vulnerability to break container isolation, so that a program running inside a container can maliciously read or even tamper with the host environment. The extended Berkeley Packet Filter (eBPF) is a Linux kernel module for event monitoring and tracing that runs in a Just-In-Time (JIT) virtual machine inside the Linux kernel, allowing filtering rules to be injected into the kernel dynamically while preserving kernel safety. This thesis uses eBPF to propose ACES, an event-driven container escape attack defense system that detects and blocks container escape attacks in real time at the kernel level, and defines hierarchical container escape events so that the corresponding defense measure can be executed for each level. Experimental results show that ACES effectively defends against two kinds of container escape attacks, file system and privilege escalation, with a detection-to-blocking interval as low as 10 μs. ACES records the process (Process) of each detected escape event in an eBPF map, so that once a process has been detected performing a container escape event, the interval needed to detect and block its subsequent container escape events is reduced by up to 88.09%.
Abstract (English): With enterprises gradually migrating their services from on-premises to the cloud, the usage of containers has surged alongside the growing popularity of cloud-native services. Containers not only provide solutions to the inconsistencies between development and production environments but also offer advantages such as rapid startup and a lightweight footprint compared to virtual machines (VMs). Since containers build isolated environments using functionality provided by the operating system, they share the operating system kernel among them. This shared kernel allows container escape attacks to exploit kernel vulnerabilities to break the isolation of containers, letting malicious programs running within a container access or even tamper with the host environment. The extended Berkeley Packet Filter (eBPF) is a module in the Linux kernel used for event monitoring and tracing, executed in the Just-In-Time (JIT) virtual machine within the Linux kernel. It allows filtering rules to be dynamically injected into the kernel while maintaining kernel security. This thesis proposes ACES, an event-driven container escape attack defense system that uses eBPF to detect and block container escape attacks at the kernel level in real time. It also defines hierarchical container escape events, each with a corresponding defense mechanism. Experimental results show that ACES can effectively defend against two types of container escape attacks: file system and privilege escalation. The interval between detection and blocking of an attack is as low as 10 μs. ACES records the processes of detected escape events in an eBPF map, allowing the detection-and-blocking interval for subsequent container escape events by the same process to be reduced by up to 88.09% after the initial detection.
Keywords (Chinese) ★ Container security
★ Container escape attack
★ Event-driven
Keywords (English)
Table of contents: Abstract (Chinese) i
Abstract ii
Acknowledgements iii
Table of Contents iv
List of Figures vii
List of Tables x
Chapter 1 Introduction 1
1.1. Overview 1
1.2. Motivation 2
1.3. Objectives 3
1.4. Thesis Organization 3
Chapter 2 Background and Related Work 5
2.1. Containers 5
2.2. Container Escape Attacks 6
2.3. extended Berkeley Packet Filter (eBPF) 7
2.4. Related Work 12
Chapter 3 The Proposed ACES System 15
3.1. System Architecture and Design 15
3.2. System Workflow and Implementation 17
3.2.1. Definition of Container Escape Events 18
3.2.2. Capturing Container Events 19
3.2.3. Event-Driven Defense Workflow 20
3.2.4. Detection and Blocking of Warning Events 21
3.2.5. Detection and Blocking of Critical Events 25
3.2.6. Detection and Blocking of Threat Events 28
3.2.7 Event Tracking 32
3.3. System Environment and Assumptions 35
Chapter 4 Experiments and Discussion 36
4.1. Scenario 1: Functional Verification of ACES 36
4.1.1. Experiment 1: Attacking Containers Using Docker CVE Vulnerabilities 36
4.1.2. Experiment 2: Attacking Containers Using Kubernetes CVE Vulnerabilities 40
4.1.3. Experiment 3: Attacking Containers under Insecure Container Configurations 44
4.2. Scenario 2: Robustness Verification of ACES 47
4.2.1. Experiment 4: Privilege Escalation Using an eBPF Vulnerability 47
4.2.1. Experiment 5: Reading eBPF Maps from a Privileged Container 50
4.3. Scenario 3: Performance Evaluation of ACES 52
4.3.1. Experiment 6: Memory Usage of ACES When Detecting Container Escape Events 52
4.3.2. Experiment 7: CPU Usage of ACES When Detecting Container Escape Events 53
4.3.1. Experiment 8: Impact of perf event Sampling Frequency on Container Operation 55
Chapter 5 Conclusions and Future Work 58
5.1. Conclusions 58
5.2. Limitations 59
5.3. Future Work 59
References 61
Advisor: 周立德    Review date: 2024-8-14