云环境下Docker容器隔离脆弱性分析与研究

doi:10.3969/j.issn.1671-1122.2020.07.010

摘要/Abstract

摘要：

云计算是信息时代下继互联网、计算机后出现的又一革新概念,大数据、物联网、5G通信等新兴技术的发展均离不开云计算的支持。虚拟化技术是支撑云计算的一项关键技术,现有的虚拟化方式主要分为基于虚拟机的虚拟化和基于容器的虚拟化,容器技术随着Docker的出现在云服务领域备受青睐。Docker容器相较于传统虚拟机具有轻量级、高性能等显著优势,但是由于Docker容器采用软件隔离机制,与虚拟机相比隔离性较弱,面临的安全问题更加严重。隔离性差是Docker面临的主要安全挑战之一,严重影响了容器技术的进一步推广与发展,因此容器隔离性的安全研究具有重要意义。文章针对云环境下Docker容器隔离性弱引发的安全问题进行研究,分析Docker容器隔离机制,证明Docker中部分伪文件系统没有实现隔离,利用未隔离的伪文件系统可以获取宿主机相关信息,造成宿主机信息泄露。此外,通过实验证明,若泄露的信息被攻击者恶意利用,将引发恶意容器同驻、同驻容器DoS攻击等安全问题,对同驻合法容器服务构成严重的安全威胁。

关键词: 云计算, 容器安全, Docker, 隔离性

Abstract:

Cloud computing is another innovative concept that emerged after the Internet and computer in the information age. The future development of emerging technologies such as big data, the Internet of Things and 5G communications cannot be separated from the support of cloud computing.Virtualization is one of the key technologies supporting cloud computing.The existing virtualization methods are mainly divided into virtual machine-based virtualization and container-based virtualization. With the advent of Docker, container technology has become more popularin cloud services.Compared with traditional virtual machines, Docker containers are significantly more lightweight and high-performance. However, Docker use software to achieve isolation, which is weaker than virtual machines. As a result, Docker have to face more serious security issues. Poor isolation has become one of the main security challenges faced by Docker, which seriously affects the further promotion and development of container technology. As a result, the study on the security of container isolation is of great significance. This paper studies the security issues caused by the weak isolation of Docker in cloud environment. We analyze the Docker container isolation mechanism. And the results show that some pseudo file systems in Docker have not been isolated. We can obtain the host-related information through the non-isolated pseudo file system, which causes the host information leakage.In addition, through experiments, this paper further proves that once the host information leakage is maliciously used by an attacker, it can cause security issues such as co-existence of malicious containers and co-resident containers DoS attacks, which pose a serious security threat to co-resident legal container services.

Key words: cloud computing, container security, Docker, isolation

中图分类号:

TP309

边曼琳, 王利明. 云环境下Docker容器隔离脆弱性分析与研究[J]. 信息网络安全, 2020, 20(7): 85-95.

BIAN Manlin, WANG Liming. Analysis and Research on Vulnerability of Docker Container Isolation in Cloud Environment[J]. Netinfo Security, 2020, 20(7): 85-95.

图/表 6

图1

表1

图2

图3

图4

图5

参考文献 19

[1]	WANG Xiong. The History and Advantages of Cloud Computing[J]. Computer & Network, 2019,45(2):44.
	王雄. 云计算的历史和优势[J]. 计算机与网络, 2019,45(2):44.
[2]	LI Wenjun. Analysis of Computer Cloud Computing Andits Implementation Technology[J]. Dual Use Technologies & Products, 2018,18(22):57-58.
	李文军. 计算机云计算及其实现技术分析[J]. 军民两用技术与产品, 2018,18(22):57-58.
[3]	NSFOCUS Xingyunlab. ContainerSecurity Technical Report of NSFOCUS in 2018[EB/OL]. https://www.nsfocus.com.cn/upload/contents/2018/11/20181109100414_79051.pdf, 2018-11-9.
[4]	FORNI A A, MEULEN R. Gartner Identifies the Top Technologies for Security in 2017[EB/OL]. https://www.gartner.com/en/newsroom/press-releases/2017-06-14-gartner-identifies-the-top-technologies-for-security-in-2017, 2017-6-14.
[5]	YUNDING Lab, GEEK P. Report of Cloud Security in 2019[[EB/OL]. http://www.cbdio.com/image/site2/20191231/f42853157e261f75544321.pdf, 2019-12-31.
[6]	JUNAID K. Iron: Isolating Network-based CPU in Container Environments[C]// USENIX. 15th USENIX Symposium on Networked Systems Design and Implementation(NSDI 18), April 9-11, 2018, Renton, WA, USA. Berkeley: USENIX, 2018:312-328.
[7]	GAO Xing, GUZhongshu , KAYAALP M, et al. Container Leaks: Emerging Security Threats of Information Leakages in Container Clouds[C]// IEEE. 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN), June 26-29, 2017, Denver, CO, USA. New York: IEEE, 2017: 237-248.
[8]	MA Shiyao, JIANG Jingjie, LI Bo, et al. Maximizing Container-based Network Isolation in Parallel Computing Clusters[C]// IEEE. 2016 IEEE 24th International Conference onNetwork Protocols(ICNP), November 8-11, 2016, Singapore. New York: IEEE, 2016: 1-10.
[9]	XAVIERMG, NEVES M V, ROSSIF D, et al. Performance Evaluation of Container-based Virtualization for High Performance Computing Environments[C]// IEEE. 2013 21st Euromicro International Conference on Parallel, Distributed and Network-Based Processing(PDP), February 27-March 1, 2013, Belfast, UK. New York: IEEE, 2013: 233-240.
[10]	ARNAUTOV S, TRACH B, GREGOR F, et al. SCONE: Secure Linux Containers with Intel SGX[C]// USENIX. 12th USENIXSymposium on Operating Systems Design and Implementation(OSDI 16), November 2-4, 2016, Savannah, GA, USA. Berkeley: USENIX, 2016: 689-703.
[11]	MIRKOVIC J, REIHER P. A Taxonomy of DDoS Attack and DDoS Defense Mechanisms[J]. ACM SIGCOMM Computer Communication Review, 2004,34(2):39-53.
[12]	HUANG Jingwei, NICOL D M, CAMPELL R H. Denial-of-service Threat to Hadoop/YARN Clusters with Multi-tenancy[C]// IEEE. 2014 IEEE International Congress on Big Data, June 27-July 2, 2014, Anchorage, AK, USA. New York: IEEE, 2014: 48-55.
[13]	CHEN Fei, BI Xiaohong, WANG Jingjing, et al. Survey of DDoS Defense: Challenges and Directions[J]. Network and Information Security, 2017,3(10):16-24.
	陈飞, 毕小红, 王晶晶, 等. DDoS攻击防御技术发展综述[J]. 网络与信息安全学报, 2017,3(10):16-24.
[14]	CROSBY S A, WALLACH D S. Denial of Service via Algorithmic Complexity Attacks[C]// USENIX. 12th Conferenceon USENIX Security Symposium, August 4-8, 2003, Washington, DC, USA. Berkeley: USENIX, 2003: 29-44.
[15]	CHELLADHURA J, CHELLIAH P R, KUMAR S A. Securing Docker Containers from Denial of Service(DoS) Attacks[C]// IEEE. 2016 IEEE International Conference on Services Computing(SCC), June 27-July 2, 2016, SanFrancisco, CA, USA. New York: IEEE, 2016: 856-859.
[16]	YAROM Y, FALKNER K. Flush Reload: A High Resolution, Low Noise, L3 Cache Side-channel Attack[C]// USENIX. 23rd USENIX Security Symposium(USENIX Security 14), June 20-22, 2014, Diego, CA, USA. Berkeley: USENIX, 2014: 719-732.
[17]	WU Zhenyu, XU Zhang, WANG Haining. Whispers in the Hyper-space: High-bandwidth and Reliable Covert Channel Attacks Inside the Cloud[J]. IEEE/ACM Transactions on Networking, 2014,23(2):603-615.
[18]	DELIMITROU C, KOZYRAKIS C. Bolt: I Know What You did Last Summer in the Cloud[J]. ACM SIGARCH Computer Architecture News, 2017,45(1):599-613.
[19]	DELIMITROU C, KOZYRAKIS C. iBench: Quantifying Interference for Datacenter Applications[C]// IEEE. 2013 IEEE International Symposium on Workload Characterization(IISWC), September 22-24, 2013, Portland, OR, USA. New York: IEEE, 2013: 23-33.

未被隔离的文件	泄露的宿主机信息
/proc/meminfo	内存相关信息
/proc/cpuinfo	处理器相关信息
/proc/modules	系统中加载模块相关信息
/proc/sys/kernel/random/boot_id	宿主机引导阶段产生的随机字符串
/proc/uptime	从宿主机引导阶段开始计时,宿主机启动时间和空闲时间
/proc/interrupts	系统中断请求相关信息