中大機構典藏-NCU Institutional Repository-提供博碩士論文、考古題、期刊論文、研究計畫等下載:Item 987654321/95806
English  |  正體中文  |  简体中文  |  全文筆數/總筆數 : 80990/80990 (100%)
造訪人次 : 41642151      線上人數 : 1471
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
搜尋範圍 查詢小技巧:
  • 您可在西文檢索詞彙前後加上"雙引號",以獲取較精準的檢索結果
  • 若欲以作者姓名搜尋,建議至進階搜尋限定作者欄位,可獲得較完整資料
  • 進階搜尋


    請使用永久網址來引用或連結此文件: http://ir.lib.ncu.edu.tw/handle/987654321/95806


    題名: 基於eBPF 對容器逃逸攻擊的防禦機制研究;A Study on Defense Mechanisms Against Container Escape Attacks Based on eBPF
    作者: 簡羅佑;Jian, Luo-You
    貢獻者: 資訊工程學系
    關鍵詞: 容器安全;容器逃逸攻擊;事件驅動
    日期: 2024-08-14
    上傳時間: 2024-10-09 17:17:47 (UTC+8)
    出版者: 國立中央大學
    摘要: 隨著企業陸續將服務從本地端遷移至雲端,容器 (Container) 的使用數量也伴隨著雲原生 (Cloud native) 服務普及快速上升,容器不僅為開發環境與生產環境不一致的問題提供了解決方案,同時與虛擬機器 (Virtual Machine, VM) 相比具有快速啟動與輕量化等優勢。由於容器是使用作業系統所提供的功能建構隔離環境,因此容器之間共享作業系統核心 (Kernel) ,這也造成了容器逃逸攻擊 (Container escape attack) 利用核心漏洞瓦解容器的隔離性,使容器中運行的程式惡意存取主機(Host)環境內容甚至篡改。擴展柏克萊封包過濾器(extended Berkeley Packet Filter, eBPF) 是Linux作業系統核心中用於事件監控與追蹤的模組,並執行於Linux 核心中的Just In Time (JIT) 虛擬機,使過濾規則可以動態地注入內核並維持核心安全性。本論文將使用eBPF模組提出基於事件驅動的容器逃逸攻擊防禦系統ACES,從核心層級檢測並且即時封鎖容器逃脫攻擊,並提出階級化的容器逃逸事件以執性對應的防禦措施,實驗結果顯示ACES能夠對檔案系統與特權提升兩種容器逃逸攻擊有效防禦,並且攻擊的偵測與阻斷時間間隔最低為10 μs。ACES透過eBPF map記錄所偵測到的逃逸事件行程(Process),使同一行程在初次被偵測到容器逃逸事件後,其後續容器逃逸事件行為被偵測和阻斷的時間間隔最高降低了88.09%。;With enterprises gradually migrating their services from on-premises to the cloud, the usage of containers has surged alongside the growing popularity of cloud-native services. Containers not only provide solutions to the inconsistencies between development and production environments but also offer advantages such as rapid startup and lightweight nature compared to virtual machines (VMs). Since containers build isolated environments using the functionalities provided by the operating system, they share the operating system kernel among them. This shared kernel leads to container escape attacks exploiting kernel vulnerabilities to break the isolation of containers, allowing malicious programs running within a container to access or even tamper with the host environment. extended Berkeley Packet Filter (eBPF) is a module in the Linux operating system kernel used for event monitoring and tracing, executed in the Just In Time (JIT) virtual machine within the Linux kernel. It allows filtering rules to be dynamically injected into the kernel while maintaining kernel security. This paper proposes an event-driven container escape attack defense system, ACES, using the eBPF module to detect and block container escape attacks at the kernel level in real-time. It also presents hierarchical container escape events with corresponding defense mechanisms. Experimental results show that ACES can effectively defend against two types of container escape attacks—file system and privilege escalation. The detection and blocking time interval of the attacks is as low as 10 μs. ACES records the detected escape event processes through the eBPF map, allowing the time interval for subsequent detection and blocking of container escape events for the same process to be reduced by up to 88.09% after the initial detection.
    顯示於類別:[資訊工程研究所] 博碩士論文

    文件中的檔案:

    檔案 描述 大小格式瀏覽次數
    index.html0KbHTML32檢視/開啟


    在NCUIR中所有的資料項目都受到原著作權保護.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明