{"title":"一种针对Docker逃逸攻击的防御方法","authors":"Zhiqiang Jian, Long Chen","doi":"10.1145/3058060.3058085","DOIUrl":null,"url":null,"abstract":"As one of the main technologies to support the virtualization of cloud computing, Docker has the characteristics of fast and lightweight virtualization on operating system-level,and is widely used in a variety of cloud platforms. Docker is faced with the risk of attacks that exploit kernel vulnerability by malicious users, once the exploit program in the container launches an effective escape attack can gain root privilege of the host, which will affect the reliability of other containers and the entire system. This paper discusses the existing security mechanism and security issues of Docker, summarize the methods and characteristics of Docker escape attack. And propose a defense method based on status inspection of namespaces, which is proved to be able to detect anomalous processes and prevent escape behaviors.","PeriodicalId":152599,"journal":{"name":"International Conference on Cryptography, Security and Privacy","volume":"10 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"36","resultStr":"{\"title\":\"A Defense Method against Docker Escape Attack\",\"authors\":\"Zhiqiang Jian, Long Chen\",\"doi\":\"10.1145/3058060.3058085\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"As one of the main technologies to support the virtualization of cloud computing, Docker has the characteristics of fast and lightweight virtualization on operating system-level,and is widely used in a variety of cloud platforms. Docker is faced with the risk of attacks that exploit kernel vulnerability by malicious users, once the exploit program in the container launches an effective escape attack can gain root privilege of the host, which will affect the reliability of other containers and the entire system. This paper discusses the existing security mechanism and security issues of Docker, summarize the methods and characteristics of Docker escape attack. And propose a defense method based on status inspection of namespaces, which is proved to be able to detect anomalous processes and prevent escape behaviors.\",\"PeriodicalId\":152599,\"journal\":{\"name\":\"International Conference on Cryptography, Security and Privacy\",\"volume\":\"10 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-03-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"36\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Conference on Cryptography, Security and Privacy\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3058060.3058085\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Conference on Cryptography, Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3058060.3058085","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
As one of the main technologies to support the virtualization of cloud computing, Docker has the characteristics of fast and lightweight virtualization on operating system-level,and is widely used in a variety of cloud platforms. Docker is faced with the risk of attacks that exploit kernel vulnerability by malicious users, once the exploit program in the container launches an effective escape attack can gain root privilege of the host, which will affect the reliability of other containers and the entire system. This paper discusses the existing security mechanism and security issues of Docker, summarize the methods and characteristics of Docker escape attack. And propose a defense method based on status inspection of namespaces, which is proved to be able to detect anomalous processes and prevent escape behaviors.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
