{"title":"为容器化的应用程序及时打补丁","authors":"Olufogorehan Tunde-Onadele, Yuhang Lin, Jingzhu He, Xiaohui Gu","doi":"10.1145/3384217.3384225","DOIUrl":null,"url":null,"abstract":"Containers have become increasingly popular in distributed computing environments. However, recent studies have shown that containerized applications are susceptible to various security attacks. Traditional pre-scheduled software update approaches not only become ineffective under dynamic container environments but also impose high overhead to containers. In this paper, we propose a new on-demand targeted patching framework for containerized applications. OPatch combines dynamic vulnerability exploit identification and targeted vulnerability patching to achieve more efficient security attack containment. We have implemented a prototype of OPatch and evaluated our schemes over 31 real world security vulnerability exploits in 23 commonly used server applications. Results show that OPatch can accurately detect and classify 81% vulnerability exploits and reduce security patching overhead by up to 84% for memory and 40% for disk.","PeriodicalId":205173,"journal":{"name":"Proceedings of the 7th Symposium on Hot Topics in the Science of Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-08-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"Toward just-in-time patching for containerized applications\",\"authors\":\"Olufogorehan Tunde-Onadele, Yuhang Lin, Jingzhu He, Xiaohui Gu\",\"doi\":\"10.1145/3384217.3384225\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Containers have become increasingly popular in distributed computing environments. However, recent studies have shown that containerized applications are susceptible to various security attacks. Traditional pre-scheduled software update approaches not only become ineffective under dynamic container environments but also impose high overhead to containers. In this paper, we propose a new on-demand targeted patching framework for containerized applications. OPatch combines dynamic vulnerability exploit identification and targeted vulnerability patching to achieve more efficient security attack containment. We have implemented a prototype of OPatch and evaluated our schemes over 31 real world security vulnerability exploits in 23 commonly used server applications. Results show that OPatch can accurately detect and classify 81% vulnerability exploits and reduce security patching overhead by up to 84% for memory and 40% for disk.\",\"PeriodicalId\":205173,\"journal\":{\"name\":\"Proceedings of the 7th Symposium on Hot Topics in the Science of Security\",\"volume\":\"1 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2020-08-25\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 7th Symposium on Hot Topics in the Science of Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3384217.3384225\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 7th Symposium on Hot Topics in the Science of Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3384217.3384225","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Toward just-in-time patching for containerized applications
Containers have become increasingly popular in distributed computing environments. However, recent studies have shown that containerized applications are susceptible to various security attacks. Traditional pre-scheduled software update approaches not only become ineffective under dynamic container environments but also impose high overhead to containers. In this paper, we propose a new on-demand targeted patching framework for containerized applications. OPatch combines dynamic vulnerability exploit identification and targeted vulnerability patching to achieve more efficient security attack containment. We have implemented a prototype of OPatch and evaluated our schemes over 31 real world security vulnerability exploits in 23 commonly used server applications. Results show that OPatch can accurately detect and classify 81% vulnerability exploits and reduce security patching overhead by up to 84% for memory and 40% for disk.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
