A Trusted Runtime Monitoring Method Based on eBPF for Container

doi:10.3969/j.issn.1671-1122.2025.02.011

Abstract

Abstract:

With the development of cloud service technology, more and more applications are migrated to the cloud in the form of containers, and the security monitoring of containers has become a research hotspot. Containers have the advantages of being lightweight, fast to deploy, and easy to transplant. However, their weak isolation makes them face many security problems: container escape attacks, container image poisoning, kernel vulnerability exploitation, etc. In response to these attack threats, this article used eBPF system monitoring technology, combined with BMC root of trust, image static analysis, general policy engine, and runtime proof, to propose a container runtime security monitoring solution. The monitoring program implemented based on eBPF in the solution can identify and monitor container behavior events such as processes, capabilities, files, and networks. The solution designed a fine-grained container security policy, combined the container system call whitelist obtained by static analysis of container images, detected abnormal container behavior, and protected container security from multiple dimensions. The solution also designed and implemented a runtime attestation protocol based on the BMC root of trust. The TPM integrated in the BMC is used as the root of trust, and its attestation can effectively ensure the integrity and authenticity of the alarm log based on eBPF monitoring events. It has been proven that the monitoring server can monitor the security status of various types of containers over a long period of time and take corresponding countermeasures for abnormal security events.

Key words: container security, eBPF, runtime monitoring, BMC root of trust, remote attestation

CLC Number:

TP309

HUANG Ke, LI Xuan, ZHOU Qingfei, SHANG Ketong, QIN Yu. A Trusted Runtime Monitoring Method Based on eBPF for Container[J]. Netinfo Security, 2025, 25(2): 306-326.

Figures/Tables 17

References 25

[1]	CNCF. CNCF 2022 ANNUAL SURVEY[EB/OL]. (2022-12-04)[2024-04-12]. https://www.cncf.io/reports/cncf-annual-survey-2022/.
[2]	SYSDIG. Sysdig 2023 Cloud-Native Security and Usage Report[EB/OL]. (2023-09-06)[2024-04-12]. https://sysdig.com/2023-cloud-native-security-and-usage-report/.
[3]	LINUX. eBPF Instruction Set Specification, v1.0[EB/OL]. (2023-09-08)[2024-04-12]. https://www.kernel.org/doc/html/next/bpf/instruction-set.html.
[4]	JONATHAN C. A JIT for Packet Filters[EB/OL]. (2011-04-08)[2024-04-12]. https://lwn.net/Articles/437981/.
[5]	LINUX. eBPF Verifier[EB/OL]. (2024-04-08)[2024-04-12]. https://docs.kernel.org/bpf/verifier.html.
[6]	GREGG B. BPF Performance Tools[M]. New York: Addison-Wesley Professional, 2019.
[7]	STEVEN R. Unified Tracing Platform[EB/OL]. (2019-10-28)[2024-04-12]. https://static.sched.com/hosted_files/osseu19/5f/unified-tracing-platform-oss-eu-2019.pdf.
[8]	JIM K. Kernel Probes (Kprobes)[EB/OL]. (2023-05-12)[2024-04-08]. https://docs.kernel.org/trace/kprobes.html.
[9]	MATHIEU D. Using the Linux Kernel Tracepoints[EB/OL]. (2024-01-08)[2024-04-12]. https://docs.kernel.org/trace/tracepoints.html#using-the-linux-kernel-tracepoints.
[10]	FOURNIER G, AFCHAIN S, BAUBEAU S. Runtime Security Monitoring with eBPF[EB/OL]. (2021-09-08)[2024-04-12]. https://www.semanticscholar.org/paper/Runtime-Security-Monitoring-with-eBPF-Fournier-Afchain/8a768ccb634f7527885cae4cd5348eba01065b80.
[11]	LINUX. Seccomp BPF (SECure COMPuting with Filters)[EB/OL]. (2024-01-18)[2024-04-12]. https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html.
[12]	JONATHAN C. KRSI — The Other BPF Security Module[EB/OL]. (2019-12-27)[2024-04-12]. https://lwn.net/Articles/808048/.
[13]	FINDLAY W, SOMAYAJI A, BARRERA D. Bpfbox: Simple Precise Process Confinement with Ebpf[C]// ACM. Proceedings of the 2020 ACM SIGSAC Conference on Cloud Computing Security Workshop. New York: ACM, 2020: 91-103.
[14]	TIAN D J, HERNANDEZ G, CHOI J I, et al. Lbm: A Security Framework for Peripherals within the Linux Kernel[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 967-984.
[15]	AGMAN Y, HENDLER D. BPFroid: Robust Real Time Android Malware Detection Framework[EB/OL]. (2021-06-01)[2024-04-12]. https://arxiv.org/pdf/2105.14344v1.
[16]	FALCO. Falco[EB/OL]. (2024-01-21)[2024-03-21]. https://falco.org/.
[17]	LIM S Y, STELEA B, HAN X, et al. Secure Namespaced Kernel Audit for Containers[C]// ACM. Proceedings of the ACM Symposium on Cloud Computing. New York: ACM, 2021: 518-532.
[18]	FINDLAY W, BARRERA D, SOMAYAJI A. Bpfcontain: Fixing the Soft Underbelly of Container Security[EB/OL]. (2021-02-13)[2024-04-12]. https://arxiv.org/pdf/2102.06972.
[19]	BELAIR M, LANIEPCE S, MENAUD J M. SNAPPY: Programmable Kernel-Level Policies for Containers[C]// ACM. Proceedings of the 36th Annual ACM Symposium on Applied Computing. New York: ACM, 2021: 1636-1645.
[20]	ISOVALENT. Tetragon[EB/OL]. (2023-12-01)[2024-04-12]. https://github.com/cilium/tetragon.
[21]	GHAVAMNIA S, PALIT T, BENAMEUR A, et al. Confine: Automated System Call Policy Generation for Container Attack Surface Reduction[EB/OL]. (2020-09-03)[2024-04-12]. https://www.xueshufan.com/publication/3092506792.
[22]	SULTAN S, AHMAD I, DIMITRIOU T. Container Security: Issues, Challenges, and the Road Ahead[J]. IEEE access, 2019, 7: 52976-52996.
[23]	BOGAERTS P. Arp Spoofing Docker Containers[EB/OL]. (2024-02-07)[2024-03-26]. https://dockersec.blogspot.com/2017/01/arp-spoofing-docker-containers_26.html.
[24]	SPAHN N, HANKE N, HOLZ T, et al. Container Orchestration Honeypot: Observing Attacks in the Wild[C]// IEEE. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses. New York: IEEE, 2023: 381-396.
[25]	Michael Larabel and Matthew Tippett. Phoronix Test Suite[EB/OL]. (2024-02-12)[2024-04-12]. http://www.phoronix-test-suite.com/.

日志类别	日志内容
安全事件	2024/03/18 18:22:56 [NORMAL] Event:{host:iscas, syscall: openat}, Container:{image: ubuntu, id: 7c963ca76858}, Process:{proc: cat, pid: 1964179, args: cat a.txt}
非安全事件	2024/03/18 18:23:26 [INSECURE] Unsafe:[execve shell], Event:{host:iscas, syscall: execve, args:filename=/usr/bin/sh, time: 1710757407140027468},Container:{image: ubuntu, id: 7c963ca76858, name: pedantic_joliot},Process:{proc: exe, pid: 1964363, parent: exe, args: exe, caps: CAP_CHOWN …}

符号	类型	描述
EK	平台背书密钥	证明BMC信任根身份的凭证密钥，私钥永久保存在BMC信任根内部
AIK	RSA 2048	受监控主机上BMC信任根生成的AIK的公钥
AIK^-1	RSA 2048	受监控主机上BMC信任根生成的AIK的私钥
SIK	RSA 2048	监控服务器的服务器身份密钥的公钥
SIK^-1	RSA 2048	监控服务器的服务器身份密钥的私钥
K_Policy	RSA 2048	监控服务器用于安全策略签名密钥的公钥
K^-1_Policy	RSA 2048	监控服务器用于安全策略签名密钥的私钥

日志类别	日志内容
进程	2023/10/11 11:37:34 [INSECURE] Unsafe:[execve shell], Event:[host:iscas, syscall: execve, args:filename-/usr/bin/sh, time: 1696995457372813650}, Container:{image: ubuntu, id: b4863b267450, name: zealous booth), Process:(proc: bash, pid: 586640, parent: bash, args: bash, caps:CHOWN…}
权能	2023/10/11 11:57:09 [INSECURE] Unsafe:[illegal capability], Event:{host:iscas, syscall: openat, args:dirfd=-100(AT_FDCWD) name= /etc/inputrc flags=1(O_RDONLY) mode=0, time:1696996632007667434}, Container:{image:ubuntu, id: 19d1a223351c, name: bold_cartwright}, Process:{proc: bash, pid: 590051, parent: null, args: bash, caps: CHOWN…}
文件	2023/10/11 15:11:56 [INSECURE] Unsafe:[opening passwd], Event:{host:iscas, syscall: openat, args:dirfd=-100(AT_FDCWD) name=passwd(/etc/passwd) flags=1(O_RDONLY) mode=0, time:1697008319216479547}, Container:{image: ubuntu, id: a3da9f2deb4b, name: vigilant_carv er}, Process:{proc: cat, pid: 593176, parent: bash, args: cat passwd, caps: CHOWN…}
网络	2023/10/11 15:45:15 [INSECURE] Unsafe:[connect outside], Event:{host:iscas, syscall: connect, args:fd=3(<4>) addr=192.168.190.133:8888, time: 1697010318361221228}, Container:{image: ubuntu, id: a3da9f2deb4b, name: vigilant_carver}, Process:{proc: client, pid: 596930, parent: bash, args: client, caps: CHOWN…}

TPM 2.0命令	平均执行时间/ms
tpm2_createprimary	118.16
tpm2_create	111.35
tpm2_load	89.53
tpm2_sign	88.17
tpm2_verifysignature	87.89
tpm2_getrandom	86.96

基准测试	描述
Apache服务器	测量运行Apache服务器提供静态HTML网页服务时，每秒应答的请求数
内核编译	测量编译内核的时间开销
文件创建	测量创建、写入、删除文件的时间开销
线程创建	测量创建线程的时间开销
进程创建	测量创建进程（fork）的时间开销
进程执行	测量创建进程（fork）并执行（execlp）空白程序的时间开销
内存分配	测量分配内存块的时间开销
磁盘读写	测量磁盘读写的时间开销