Netinfo Security (信息网络安全) ›› 2020, Vol. 20 ›› Issue (7): 85-95. doi: 10.3969/j.issn.1671-1122.2020.07.010

• Theoretical Research •

Analysis and Research on Vulnerability of Docker Container Isolation in Cloud Environment

BIAN Manlin1,2, WANG Liming1

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  2. University of Chinese Academy of Sciences, Beijing 100039, China
  • Received: 2020-01-15 Online: 2020-07-10 Published: 2020-08-13
  • Contact: WANG Liming E-mail: wangliming@iie.ac.cn
  • About the authors: BIAN Manlin (b. 1994), female, from Jilin, master's student; main research interest: cloud computing security | WANG Liming (b. 1978), male, from Beijing, Research Professor, PhD; main research interests: cloud computing security, network security, big data security, 5G security, blockchain security
  • Funding:
    National Key R&D Program of China (2017YFB0801900)

Analysis and Research on Vulnerability of Docker Container Isolation in Cloud Environment

BIAN Manlin1,2, WANG Liming1

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  2. University of Chinese Academy of Sciences, Beijing 100039, China
  • Received: 2020-01-15 Online: 2020-07-10 Published: 2020-08-13
  • Contact: WANG Liming E-mail: wangliming@iie.ac.cn

Abstract (translated from the Chinese):

Cloud computing is a further innovation of the information age, following the Internet and the computer; the development of emerging technologies such as big data, the Internet of Things and 5G communications all depends on its support. Virtualization is a key technology underpinning cloud computing. Existing virtualization approaches fall into two main classes, virtual-machine-based and container-based, and since the appearance of Docker, container technology has been widely adopted in cloud services. Compared with traditional virtual machines, Docker containers are markedly more lightweight and perform better, but because Docker isolates containers with software mechanisms in a shared kernel (namespaces and cgroups) rather than with a hypervisor, its isolation is weaker than a virtual machine's and it faces more serious security problems. Weak isolation is one of the main security challenges Docker faces and seriously hinders the further adoption and development of container technology, so research on the security of container isolation is of real importance. This paper studies the security problems caused by the weak isolation of Docker containers in the cloud. It analyzes the Docker isolation mechanism and shows that some pseudo file systems in Docker are not isolated: through these non-isolated pseudo file systems a container can read information about the host, which constitutes a host information leak. Experiments further show that if the leaked information is exploited by an attacker, it enables attacks such as malicious container co-residency and denial-of-service attacks against co-resident containers, posing a serious security threat to legitimate co-resident container services.

Keywords: cloud computing, container security, Docker, isolation

Abstract:

Cloud computing is another innovative concept that emerged after the Internet and the computer in the information age. The future development of emerging technologies such as big data, the Internet of Things and 5G communications cannot be separated from the support of cloud computing. Virtualization is one of the key technologies supporting cloud computing. Existing virtualization methods are mainly divided into virtual-machine-based virtualization and container-based virtualization. With the advent of Docker, container technology has become more popular in cloud services. Compared with traditional virtual machines, Docker containers are significantly more lightweight and offer higher performance. However, Docker uses software mechanisms in a shared kernel to achieve isolation, which is weaker than the isolation provided by virtual machines. As a result, Docker faces more serious security issues. Poor isolation has become one of the main security challenges faced by Docker and seriously affects the further promotion and development of container technology, so the study of container isolation security is of great significance. This paper studies the security issues caused by the weak isolation of Docker in the cloud environment. We analyze the Docker container isolation mechanism, and the results show that some pseudo file systems in Docker have not been isolated. Host-related information can be obtained through the non-isolated pseudo file systems, which causes host information leakage. In addition, through experiments, this paper further proves that once the leaked host information is maliciously used by an attacker, it can cause security issues such as malicious container co-residency and DoS attacks against co-resident containers, which pose a serious security threat to legitimate co-resident container services.
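The host-information leak both abstracts describe (a container reading host-wide figures through pseudo file systems that Docker does not namespace), as an added example that is not the paper's own code. The paper does not name the files it tested; this example assumes the non-isolated entries include /proc/meminfo and /proc/loadavg, which is the case for a default Docker installation on Linux without lxcfs, and assumes the container's memory limit lives at the cgroup v2 or v1 paths named in the code. The function names are this example's own, and the sample texts in the usage notes are constructed. Run inside a memory-limited container, main() reads the real files and reports whether /proc is exposing the host's RAM total and process count rather than the container's.

```python
"""Added example (not from the paper): detect host information leaking
through non-namespaced /proc entries inside a Docker container."""
import os
import re

# Assumed paths of a default Linux/Docker host without lxcfs (not from the paper).
MEMINFO_PATH = "/proc/meminfo"
LOADAVG_PATH = "/proc/loadavg"
CGROUP_LIMIT_PATHS = (
    "/sys/fs/cgroup/memory.max",                    # cgroup v2
    "/sys/fs/cgroup/memory/memory.limit_in_bytes",  # cgroup v1
)


def parse_meminfo(text):
    """Parse /proc/meminfo lines such as 'MemTotal:  16264060 kB' into a dict of bytes."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)(\s+kB)?\s*$", line)
        if m:
            value = int(m.group(2))
            fields[m.group(1)] = value * 1024 if m.group(3) else value
    return fields


def parse_loadavg(text):
    """Parse /proc/loadavg into (load1, load5, load15, running, total_procs, last_pid)."""
    parts = text.split()
    running, total = parts[3].split("/")
    return (float(parts[0]), float(parts[1]), float(parts[2]),
            int(running), int(total), int(parts[4]))


def parse_cgroup_limit(text):
    """Return the container memory limit in bytes, or None when unlimited."""
    text = text.strip()
    if text == "max":            # cgroup v2 sentinel for 'no limit'
        return None
    value = int(text)
    if value >= 2 ** 62:         # cgroup v1 reports a near-2^63 sentinel when unlimited
        return None
    return value


def memory_leaks_host_total(meminfo_text, cgroup_limit_text):
    """True when /proc/meminfo advertises more RAM than the cgroup lets this
    container use: MemTotal is then the host's figure, not the container's."""
    total = parse_meminfo(meminfo_text).get("MemTotal")
    limit = parse_cgroup_limit(cgroup_limit_text)
    return total is not None and limit is not None and total > limit


def loadavg_leaks_host_procs(loadavg_text, visible_pids):
    """True when the process total in /proc/loadavg exceeds the PIDs visible in
    the container's PID namespace: the count is then host-wide."""
    return parse_loadavg(loadavg_text)[4] > visible_pids


def visible_pid_count(proc_root="/proc"):
    """Number of processes visible through the container's own PID namespace."""
    return sum(1 for name in os.listdir(proc_root) if name.isdigit())


def read_first(paths):
    """Return the contents of the first readable path, or None."""
    for path in paths:
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            continue
    return None


def main():
    meminfo = read_first([MEMINFO_PATH])
    loadavg = read_first([LOADAVG_PATH])
    limit = read_first(CGROUP_LIMIT_PATHS)
    if meminfo is None or loadavg is None:
        print("no procfs here; run inside a Linux container")
        return
    pids = visible_pid_count()
    print("MemTotal (bytes):", parse_meminfo(meminfo).get("MemTotal"))
    print("cgroup memory limit:", parse_cgroup_limit(limit) if limit else "not found")
    print("meminfo leaks host RAM total:",
          memory_leaks_host_total(meminfo, limit) if limit else "unknown (no cgroup file)")
    print("loadavg process total:", parse_loadavg(loadavg)[4], "visible PIDs:", pids)
    print("loadavg leaks host process count:", loadavg_leaks_host_procs(loadavg, pids))


if __name__ == "__main__":
    main()
```

With a constructed /proc/meminfo of `MemTotal: 16264060 kB` and a cgroup limit of `536870912` (512 MiB), memory_leaks_host_total() returns True; with a constructed /proc/loadavg of `0.52 0.58 0.59 2/1457 91234` and five visible PIDs, loadavg_leaks_host_procs() returns True. A container that sees only its own limit and processes would return False for both, which is what lxcfs or a VM-backed runtime provides.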

Key words: cloud computing, container security, Docker, isolation

CLC number: