基于eBPF的容器运行时可信监控方案

doi:10.3969/j.issn.1671-1122.2025.02.011

摘要/Abstract

摘要：

随着云服务技术的发展，越来越多的应用以容器形式迁移到云端，容器的安全监控成为研究热点。虽然容器具有轻量级、部署快速、移植便捷的优点，但其较弱的隔离性却带来了诸多安全问题，如容器逃逸攻击、容器镜像投毒、内核漏洞利用等。针对这些威胁，文章采用eBPF系统监控技术，结合BMC信任根、镜像静态分析、通用策略引擎及运行时证明，提出了一种容器运行时安全监控方案。该方案利用eBPF实现的监控程序，能够识别并监控容器的进程、权能、文件、网络等行为事件。同时，该方案设计了细粒度的容器安全策略，并依据容器镜像静态分析所得的系统调用白名单，检测容器异常行为，多维度保障容器安全。此外，该方案还设计并实现了基于BMC信任根的运行时证明协议，利用BMC中集成的可信计算模块作为信任根，通过可信计算模块的证明确保eBPF监控事件报警日志的完整性和真实性。实验表明，监控服务器能够长期监控各类容器的运行状态，并针对安全异常事件及时采取应对措施。

关键词: 容器安全, eBPF, 运行时监控, BMC信任根, 远程证明

Abstract:

With the development of cloud service technology, more and more applications are migrated to the cloud in the form of containers, and the security monitoring of containers has become a research hotspot. Containers have the advantages of being lightweight, fast to deploy, and easy to transplant. However, their weak isolation makes them face many security problems: container escape attacks, container image poisoning, kernel vulnerability exploitation, etc. In response to these attack threats, this article used eBPF system monitoring technology, combined with BMC root of trust, image static analysis, general policy engine, and runtime proof, to propose a container runtime security monitoring solution. The monitoring program implemented based on eBPF in the solution can identify and monitor container behavior events such as processes, capabilities, files, and networks. The solution designed a fine-grained container security policy, combined the container system call whitelist obtained by static analysis of container images, detected abnormal container behavior, and protected container security from multiple dimensions. The solution also designed and implemented a runtime attestation protocol based on the BMC root of trust. The TPM integrated in the BMC is used as the root of trust, and its attestation can effectively ensure the integrity and authenticity of the alarm log based on eBPF monitoring events. It has been proven that the monitoring server can monitor the security status of various types of containers over a long period of time and take corresponding countermeasures for abnormal security events.

Key words: container security, eBPF, runtime monitoring, BMC root of trust, remote attestation

中图分类号:

TP309

黄轲, 李璇, 周庆飞, 尚科彤, 秦宇. 基于eBPF的容器运行时可信监控方案[J]. 信息网络安全, 2025, 25(2): 306-326.

HUANG Ke, LI Xuan, ZHOU Qingfei, SHANG Ketong, QIN Yu. A Trusted Runtime Monitoring Method Based on eBPF for Container[J]. Netinfo Security, 2025, 25(2): 306-326.

图/表 17

图1

图2

图3

图4

表1

表2

图5

图6

图7

表3

表4

表5

表6

图8

图9

表7

图10

参考文献 25

[1]	CNCF. CNCF 2022 ANNUAL SURVEY[EB/OL]. (2022-12-04)[2024-04-12]. https://www.cncf.io/reports/cncf-annual-survey-2022/.
[2]	SYSDIG. Sysdig 2023 Cloud-Native Security and Usage Report[EB/OL]. (2023-09-06)[2024-04-12]. https://sysdig.com/2023-cloud-native-security-and-usage-report/.
[3]	LINUX. eBPF Instruction Set Specification, v1.0[EB/OL]. (2023-09-08)[2024-04-12]. https://www.kernel.org/doc/html/next/bpf/instruction-set.html.
[4]	JONATHAN C. A JIT for Packet Filters[EB/OL]. (2011-04-08)[2024-04-12]. https://lwn.net/Articles/437981/.
[5]	LINUX. eBPF Verifier[EB/OL]. (2024-04-08)[2024-04-12]. https://docs.kernel.org/bpf/verifier.html.
[6]	GREGG B. BPF Performance Tools[M]. New York: Addison-Wesley Professional, 2019.
[7]	STEVEN R. Unified Tracing Platform[EB/OL]. (2019-10-28)[2024-04-12]. https://static.sched.com/hosted_files/osseu19/5f/unified-tracing-platform-oss-eu-2019.pdf.
[8]	JIM K. Kernel Probes (Kprobes)[EB/OL]. (2023-05-12)[2024-04-08]. https://docs.kernel.org/trace/kprobes.html.
[9]	MATHIEU D. Using the Linux Kernel Tracepoints[EB/OL]. (2024-01-08)[2024-04-12]. https://docs.kernel.org/trace/tracepoints.html#using-the-linux-kernel-tracepoints.
[10]	FOURNIER G, AFCHAIN S, BAUBEAU S. Runtime Security Monitoring with eBPF[EB/OL]. (2021-09-08)[2024-04-12]. https://www.semanticscholar.org/paper/Runtime-Security-Monitoring-with-eBPF-Fournier-Afchain/8a768ccb634f7527885cae4cd5348eba01065b80.
[11]	LINUX. Seccomp BPF (SECure COMPuting with Filters)[EB/OL]. (2024-01-18)[2024-04-12]. https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html.
[12]	JONATHAN C. KRSI — The Other BPF Security Module[EB/OL]. (2019-12-27)[2024-04-12]. https://lwn.net/Articles/808048/.
[13]	FINDLAY W, SOMAYAJI A, BARRERA D. Bpfbox: Simple Precise Process Confinement with Ebpf[C]// ACM. Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop. New York: ACM, 2020: 91-103.
[14]	TIAN D J, HERNANDEZ G, CHOI J I, et al. Lbm: A Security Framework for Peripherals within the Linux Kernel[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 967-984.
[15]	AGMAN Y, HENDLER D. BPFroid: Robust Real Time Android Malware Detection Framework[EB/OL]. (2021-06-01)[2024-04-12]. https://arxiv.org/pdf/2105.14344v1.
[16]	FALCO. Falco[EB/OL]. (2024-01-21)[2024-03-21]. https://falco.org/.
[17]	LIM S Y, STELEA B, HAN X, et al. Secure Namespaced Kernel Audit for Containers[C]// ACM. Proceedings of the ACM Symposium on Cloud Computing. New York: ACM, 2021: 518-532.
[18]	FINDLAY W, BARRERA D, SOMAYAJI A. Bpfcontain: Fixing the Soft Underbelly of Container Security[EB/OL]. (2021-02-13)[2024-04-12]. https://arxiv.org/pdf/2102.06972.
[19]	BELAIR M, LANIEPCE S, MENAUD J M. SNAPPY: Programmable Kernel-Level Policies for Containers[C]// ACM. Proceedings of the 36th Annual ACM Symposium on Applied Computing. New York: ACM, 2021: 1636-1645.
[20]	ISOVALENT. Tetragon[EB/OL]. (2023-12-01)[2024-04-12]. https://github.com/cilium/tetragon.
[21]	GHAVAMNIA S, PALIT T, BENAMEUR A, et al. Confine: Automated System Call Policy Generation for Container Attack Surface Reduction[EB/OL]. (2020-09-03)[2024-04-12]. https://www.xueshufan.com/publication/3092506792.
[22]	SULTAN S, AHMAD I, DIMITRIOU T. Container Security: Issues, Challenges, and the Road Ahead[J]. IEEE access, 2019, 7: 52976-52996.
[23]	BOGAERTS P. Arp Spoofing Docker Containers[EB/OL]. (2024-02-07)[2024-03-26]. https://dockersec.blogspot.com/2017/01/arp-spoofing-docker-containers_26.html.
[24]	SPAHN N, HANKE N, HOLZ T, et al. Container Orchestration Honeypot: Observing Attacks in the Wild[C]// IEEE. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses. New York: IEEE, 2023: 381-396.
[25]	Michael Larabel and Matthew Tippett. Phoronix Test Suite[EB/OL]. (2024-02-12)[2024-04-12]. http://www.phoronix-test-suite.com/.

日志类别	日志内容
安全事件	2024/03/18 18:22:56 [NORMAL] Event:{host:iscas, syscall: openat}, Container:{image: ubuntu, id: 7c963ca76858}, Process:{proc: cat, pid: 1964179, args: cat a.txt}
非安全事件	2024/03/18 18:23:26 [INSECURE] Unsafe:[execve shell], Event:{host:iscas, syscall: execve, args:filename=/usr/bin/sh, time: 1710757407140027468},Container:{image: ubuntu, id: 7c963ca76858, name: pedantic_joliot},Process:{proc: exe, pid: 1964363, parent: exe, args: exe, caps: CAP_CHOWN …}

符号	类型	描述
EK	平台背书密钥	证明BMC信任根身份的凭证密钥，私钥永久保存在BMC信任根内部
AIK	RSA 2048	受监控主机上BMC信任根生成的AIK的公钥
AIK^-1	RSA 2048	受监控主机上BMC信任根生成的AIK的私钥
SIK	RSA 2048	监控服务器的服务器身份密钥的公钥
SIK^-1	RSA 2048	监控服务器的服务器身份密钥的私钥
K_Policy	RSA 2048	监控服务器用于安全策略签名密钥的公钥
K^-1_Policy	RSA 2048	监控服务器用于安全策略签名密钥的私钥

日志类别	日志内容
进程	2023/10/11 11:37:34 [INSECURE] Unsafe:[execve shell], Event:[host:iscas, syscall: execve, args:filename-/usr/bin/sh, time: 1696995457372813650}, Container:{image: ubuntu, id: b4863b267450, name: zealous booth), Process:(proc: bash, pid: 586640, parent: bash, args: bash, caps:CHOWN…}
权能	2023/10/11 11:57:09 [INSECURE] Unsafe:[illegal capability], Event:{host:iscas, syscall: openat, args:dirfd=-100(AT_FDCWD) name= /etc/inputrc flags=1(O_RDONLY) mode=0, time:1696996632007667434}, Container:{image:ubuntu, id: 19d1a223351c, name: bold_cartwright}, Process:{proc: bash, pid: 590051, parent: null, args: bash, caps: CHOWN…}
文件	2023/10/11 15:11:56 [INSECURE] Unsafe:[opening passwd], Event:{host:iscas, syscall: openat, args:dirfd=-100(AT_FDCWD) name=passwd(/etc/passwd) flags=1(O_RDONLY) mode=0, time:1697008319216479547}, Container:{image: ubuntu, id: a3da9f2deb4b, name: vigilant_carv er}, Process:{proc: cat, pid: 593176, parent: bash, args: cat passwd, caps: CHOWN…}
网络	2023/10/11 15:45:15 [INSECURE] Unsafe:[connect outside], Event:{host:iscas, syscall: connect, args:fd=3(<4>) addr=192.168.190.133:8888, time: 1697010318361221228}, Container:{image: ubuntu, id: a3da9f2deb4b, name: vigilant_carver}, Process:{proc: client, pid: 596930, parent: bash, args: client, caps: CHOWN…}

TPM 2.0命令	平均执行时间/ms
tpm2_createprimary	118.16
tpm2_create	111.35
tpm2_load	89.53
tpm2_sign	88.17
tpm2_verifysignature	87.89
tpm2_getrandom	86.96

基准测试	描述
Apache服务器	测量运行Apache服务器提供静态HTML网页服务时，每秒应答的请求数
内核编译	测量编译内核的时间开销
文件创建	测量创建、写入、删除文件的时间开销
线程创建	测量创建线程的时间开销
进程创建	测量创建进程（fork）的时间开销
进程执行	测量创建进程（fork）并执行（execlp）空白程序的时间开销
内存分配	测量分配内存块的时间开销
磁盘读写	测量磁盘读写的时间开销