CN109828824A - Safety detecting method, device, storage medium and the electronic equipment of mirror image - Google Patents
Publication number: CN109828824A
Application number: CN201811638930.4A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The present disclosure relates to an image security detection method, apparatus, storage medium and electronic device. The method comprises: constructing a sandbox environment in a host system, the sandbox environment being a file running environment that is isolated from the kernel of the host system and provided with a network firewall; performing a trial run of the container application corresponding to the image file in the sandbox environment; monitoring the running state of the container application during the trial run to obtain abnormal information, which at least includes an abnormal port, an abnormal process, an abnormal egress network packet, a security vulnerability and abnormal resource consumption; and generating a security analysis report corresponding to the image file according to the abnormal information. The container application corresponding to the image file can thus be trial-run in an independent sandbox environment, the abnormal state information of the container application monitored during the trial run and a corresponding security analysis report generated, which improves security during the production and deployment of image files.
Description
Technical Field
The present disclosure relates to the field of virtualization technologies, and in particular to an image security detection method and apparatus, a storage medium, and an electronic device.
Background
An image, or image file, is a form of file storage: it is in effect a read-only template of an application program consisting of several read-only layers. When a network application is developed on the Docker application container engine, the developed application can be stored as an image file in an image repository, for example the Docker Hub repository provided by the Docker engine or a Docker port repository. The image file is then deployed into the server system for use, provided the image is known to be secure. To deploy an image file, a readable and writable layer has to be added on top of the read-only layers that make up the image file, producing an executable container application.
In the related art, security detection of an image file generally works as follows: before the image file is deployed, static security scanning tools such as Clair, Anchore and Docker Scan scan and compare the information in each read-only layer of the image file and output a scanning report to the developers or operators. In addition, a network firewall is set up in the server system to protect the network while the container application runs. However, static security scanning can only detect information that already exists in the image file; it cannot reveal the problems and vulnerabilities that may arise in the actual running state of the container corresponding to the image file, which lowers security in the production and deployment of image files.
Disclosure of Invention
To overcome the problems in the related art, it is an object of the present disclosure to provide a method, an apparatus, a storage medium, and an electronic device for security detection of an image.
In order to achieve the above object, according to a first aspect of embodiments of the present disclosure, there is provided a security detection method for an image, the method including:
constructing a sandbox environment in a host system, wherein the sandbox environment is a file operation environment which is isolated from a kernel of the host system and is provided with a network firewall;
performing trial operation on the container application corresponding to the mirror image file in the sandbox environment;
monitoring the running state of the container application during the trial run of the container application to obtain abnormal information, wherein the abnormal information at least comprises: an abnormal port, an abnormal process, an abnormal egress network packet, a security vulnerability and abnormal resource consumption;
and generating a security analysis report corresponding to the image file according to the abnormal information.
Optionally, the constructing of a sandbox environment in the host system for the trial run of the image file includes:
constructing, in the host system, a target file running environment isolated from the kernel of the host system based on the physical resources of the host;
and configuring a network firewall with a preset security access policy for the target file running environment to obtain the sandbox environment.
Optionally, the constructing, in the host system, of a target file running environment isolated from the kernel of the host system based on the physical resources of the host includes:
when the physical resources of the host meet the running conditions of a virtual machine, constructing a file running environment through the virtualization devices and virtualization kernel provided by the virtual machine and using it as the target file running environment; or,
when the physical resources of the host do not meet the running conditions of a virtual machine, constructing a file running environment with a preset kernel access rule through the actual physical devices of the host system and using it as the target file running environment, wherein the preset kernel access rule is used to limit the calls the container application makes to the kernel of the host system.
Optionally, the performing of the trial run of the container application corresponding to the image file in the sandbox environment includes:
performing security scanning on the image file in a preset static security scanning mode;
adding a readable and writable layer to the security-scanned image file in the sandbox environment to generate the container application;
and performing the trial run of the container application in the sandbox environment.
Optionally, the monitoring of the running state of the container application during its trial run to obtain the abnormal information includes:
detecting all ports used by the container application according to a preset high-risk port list to obtain the abnormal ports;
detecting the real-time running data of the processes generated by the container application to obtain the abnormal processes, wherein the abnormal processes at least include: non-working processes with abnormal resource utilization and non-working processes with abnormal network input/output (I/O) volume;
intercepting the egress network packets of the container application to obtain the abnormal egress network packets, wherein the abnormal egress network packets at least include: egress network packets with abnormal egress bandwidth and egress network packets with an abnormal destination address;
detecting security vulnerabilities present in the container application, wherein the security vulnerabilities at least include: code injection vulnerabilities, session fixation vulnerabilities, path access vulnerabilities, weak password vulnerabilities and hard-coded encryption key vulnerabilities;
detecting abnormal resource consumption of the container application, wherein the abnormal resource consumption at least includes: memory leaks and overflows, abnormal CPU utilization, abnormal communication protocol compression rate and abnormal system call response time;
and combining the abnormal ports, the abnormal processes, the abnormal egress network packets, the security vulnerabilities and the abnormal resource consumption into the abnormal information.
According to a second aspect of embodiments of the present disclosure, there is provided an image security detection apparatus, the apparatus comprising:
a sandbox construction module, configured to construct a sandbox environment in a host system, wherein the sandbox environment is a file running environment which is isolated from the kernel of the host system and is provided with a network firewall;
a container trial-run module, configured to perform a trial run of the container application corresponding to the image file in the sandbox environment;
an anomaly detection module, configured to monitor the running state of the container application during its trial run to obtain abnormal information, wherein the abnormal information at least includes: an abnormal port, an abnormal process, an abnormal egress network packet, a security vulnerability and abnormal resource consumption;
and a report generation module, configured to generate a security analysis report corresponding to the image file according to the abnormal information.
Optionally, the sandbox construction module includes:
an environment construction sub-module, configured to construct, in the host system, a target file running environment isolated from the kernel of the host system based on the physical resources of the host;
and a firewall setting sub-module, configured to configure a network firewall with a preset security access policy for the target file running environment so as to obtain the sandbox environment.
Optionally, the environment construction sub-module is configured to:
when the physical resources of the host meet the running conditions of a virtual machine, construct a file running environment through the virtualization devices and virtualization kernel provided by the virtual machine and use it as the target file running environment; or,
when the physical resources of the host do not meet the running conditions of a virtual machine, construct a file running environment with a preset kernel access rule through the actual physical devices of the host system and use it as the target file running environment, wherein the preset kernel access rule is used to limit the calls the container application makes to the kernel of the host system.
Optionally, the container trial-run module includes:
a security scanning sub-module, configured to perform security scanning on the image file in a preset static security scanning mode;
a container generation sub-module, configured to add a readable and writable layer to the security-scanned image file in the sandbox environment so as to generate the container application;
and a container trial-run sub-module, configured to perform the trial run of the container application in the sandbox environment.
Optionally, the anomaly detection module includes:
a port detection sub-module, configured to detect all ports used by the container application according to a preset high-risk port list so as to obtain the abnormal ports;
a process detection sub-module, configured to detect the real-time running data of the processes generated by the container application so as to obtain the abnormal processes, wherein the abnormal processes at least include: non-working processes with abnormal resource utilization and non-working processes with abnormal network input/output (I/O) volume;
a network packet detection sub-module, configured to intercept the egress network packets of the container application so as to obtain the abnormal egress network packets, wherein the abnormal egress network packets at least include: egress network packets with abnormal egress bandwidth and egress network packets with an abnormal destination address;
a vulnerability detection sub-module, configured to determine whether a security vulnerability exists in the container application, wherein the security vulnerabilities at least include: code injection vulnerabilities, session fixation vulnerabilities, path access vulnerabilities, weak password vulnerabilities and hard-coded encryption key vulnerabilities;
a resource consumption detection sub-module, configured to detect abnormal resource consumption of the container application, wherein the abnormal resource consumption at least includes: memory leaks and overflows, abnormal CPU utilization, abnormal communication protocol compression rate and abnormal system call response time;
and an information generation sub-module, configured to integrate the abnormal ports, the abnormal processes, the abnormal egress network packets, the security vulnerabilities and the abnormal resource consumption into the abnormal information.
According to a third aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the steps of the security detection method for images provided by the first aspect of the embodiments of the present disclosure.
According to a fourth aspect of the embodiments of the present disclosure, there is provided an electronic apparatus including:
a memory having a computer program stored thereon;
a processor configured to execute the computer program in the memory to implement the steps of the method for detecting security of an image provided in the first aspect of the embodiments of the present disclosure.
With the above technical solution, a sandbox environment can be constructed in the host system, the sandbox environment being a file running environment that is isolated from the kernel of the host system and provided with a network firewall; a trial run of the container application corresponding to the image file is performed in the sandbox environment; the running state of the container application is monitored during the trial run to obtain abnormal information, which at least includes an abnormal port, an abnormal process, an abnormal egress network packet, a security vulnerability and abnormal resource consumption; and a security analysis report corresponding to the image file is generated according to the abnormal information. The container application corresponding to the image file can thus be trial-run in an independent sandbox environment, its abnormal state information monitored during the trial run and a corresponding security analysis report generated, which improves security in the production and deployment of image files.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
FIG. 1 is a flow diagram illustrating a method for security detection of an image in accordance with an exemplary embodiment;
FIG. 2 is a flow chart illustrating a method of building a sandbox environment in accordance with the embodiment of FIG. 1;
FIG. 3 is a flow chart of a method for commissioning a container application according to the embodiment shown in FIG. 1;
FIG. 4 is a flow chart illustrating a method for anomaly detection for a container application according to the embodiment shown in FIG. 2;
FIG. 5 is a block diagram illustrating an image security detection apparatus in accordance with an exemplary embodiment;
FIG. 6 is a block diagram of a sandbox building module shown in accordance with the embodiment of FIG. 5;
FIG. 7 is a block diagram of a container commissioning module according to the embodiment shown in FIG. 5;
FIG. 8 is a block diagram of an anomaly detection module shown in the embodiment of FIG. 5;
FIG. 9 is a block diagram illustrating an electronic device in accordance with an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
Before describing security detection of images provided by the present disclosure, an application scenario involving various embodiments of the present disclosure is first described, the application scenario including a host that may include one or more servers running an application container engine (e.g., a Docker engine).
Fig. 1 is a flowchart of an image security detection method according to an exemplary embodiment, applied to the host. As shown in fig. 1, the method includes:
step 101, a sandbox environment is built in a host system.
The sandbox environment (sandbox) is a file running environment isolated from the kernel of the host system and provided with a network firewall. Because the sandbox environment is an independent virtual running environment, a program running inside the sandbox cannot permanently affect the host's hard disk, so the sandbox can be used to test untrusted network applications or Internet behaviour.
Step 102: performing a trial run of the container application corresponding to the image file in the sandbox environment.
An image (image file) is a unified view of a number of read-only layers. The read-only layers are stacked, and every read-only layer other than the lowest one holds a pointer to the layer beneath it. The Docker engine accesses the layers in the host starting from the uppermost of the stacked layers. The image file is static: each layer can only be read, not written, whereas the container application is an executable application that can run. In the running state the container application may create files or modify directories, but the changes caused by these actions do not act on the image file. Creating a container application from an image file in fact means adding a readable and writable layer on top of the image file. Note that in actual operation one image file may correspond to several container applications, one for each readable and writable layer of a different structure that is added. In the sandbox environment of the embodiments of the present disclosure one or more container applications corresponding to the image file may be generated as needed, and the same security detection method is used for each of them. In addition, the "trial run" referred to in the embodiments of the present disclosure means running the container application in the sandbox environment in its normal running state; the trial-run process is the same as the normal running process in the actual running environment once the image file has gone online, produced a container application and been put into use.
Step 103: monitoring the running state of the container application during its trial run to obtain abnormal information.
The abnormal information at least comprises: an abnormal port, an abnormal process, an abnormal egress network packet, a security vulnerability and abnormal resource consumption.
For example, the container application may be trial-run for a preset period of time while its running state, including indicators such as the port state, the process state, the egress network packet state, network security vulnerabilities and the performance state, is monitored. Apart from limiting the calls the container application makes to the kernel of the host system, the trial-run process is fully consistent with the actual running process of the container application on the host system, so the monitoring data of the trial run (that is, the abnormal information) can effectively reflect the problems and vulnerabilities of the container application during actual operation.
Step 104: generating a security analysis report corresponding to the image file according to the abnormal information.
For example, the abnormal information items may be counted and ranked by type, severity and other indicators to produce the security analysis report. The generated security analysis report can then be output to a developer or operator, who can optimize the image file or the system environment of the host according to the report before deploying the image file to the server system of the host.
In summary, the present disclosure constructs a sandbox environment in a host system, the sandbox environment being a file running environment that is isolated from the kernel of the host system and provided with a network firewall; performs a trial run of the container application corresponding to the image file in the sandbox environment; monitors the running state of the container application during the trial run to obtain abnormal information, which at least includes an abnormal port, an abnormal process, an abnormal egress network packet, a security vulnerability and abnormal resource consumption; and generates a security analysis report corresponding to the image file according to the abnormal information. The container application corresponding to the image file can thus be trial-run in an independent sandbox environment, its abnormal state information monitored during the trial run and a corresponding security analysis report generated, which improves security in the production and deployment of image files.
Fig. 2 is a flowchart of a method for building a sandbox environment according to the embodiment shown in fig. 1. As shown in fig. 2, step 101 may include:
Step 1011: constructing, in the host system, a target file running environment isolated from the kernel of the host system based on the physical resources of the host.
To prevent malicious programs in the container application from modifying the host configuration, the sandbox environment has to be completely isolated from the kernel of the host system. Depending on the physical resource status of the host, step 1011 includes: when the physical resources of the host meet the running conditions of a virtual machine, constructing a file running environment through the virtualization devices and virtualization kernel provided by the virtual machine and using it as the target file running environment; or, when the physical resources of the host do not meet the running conditions of a virtual machine, constructing a file running environment with a preset kernel access rule through the actual physical devices of the host system and using it as the target file running environment, wherein the preset kernel access rule is used to limit the calls the container application makes to the kernel of the host system.
The physical resources are the processing capacity of the host. Creating an independent virtual machine requires sufficient physical resources: when the host consists of a larger number of servers with stronger computing power, its physical resources can be regarded as meeting the running conditions of a virtual machine, and an independent area is created in the host system to build a virtual machine (equivalent to a simulation of the original host) with virtualization devices (e.g. a virtual network card or virtual memory) and a virtualization kernel as the target file running environment. Otherwise, when the host consists of a smaller number of servers with weaker computing power, its physical resources can be regarded as not meeting the running conditions of a virtual machine; in that case, using process virtualization technology on the physical devices of the host system itself, a corresponding virtual process is created when the container application runs, and the calls the container application makes to the kernel of the host system are strictly limited by the preset access rule, which together form the target file running environment. The container application still runs normally in this case, but its running traces are erased once it stops and are not retained in the host system, so the trial run of the container application still takes place in an independent virtual environment.
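The decision in step 1011, and the restricted-kernel alternative it falls back to, as an added example in Python (not code from the patent or from any product it describes). The resource thresholds, the seccomp profile path, the image name and the network name are assumptions chosen for illustration; the `docker run` flags themselves are real Docker CLI options that implement the kinds of restriction the text describes: kernel access limited by a preset rule, read-only image layers, bounded resources, and a network that the sandbox firewall fronts.

```python
import os
from dataclasses import dataclass

# Thresholds are assumptions for this example; the patent only says the host
# resources must "meet the running conditions of the virtual machine".
VM_MIN_CPUS = 8
VM_MIN_MEM_GIB = 16


@dataclass(frozen=True)
class HostResources:
    cpus: int
    mem_gib: int


def detect_host() -> HostResources:
    """Read the host's processing capacity (Linux /proc; falls back to zeros)."""
    cpus = os.cpu_count() or 0
    mem_gib = 0
    try:
        with open("/proc/meminfo", encoding="ascii") as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    mem_gib = int(line.split()[1]) // (1024 * 1024)  # kB -> GiB
                    break
    except OSError:
        pass
    return HostResources(cpus, mem_gib)


def choose_isolation(host: HostResources) -> str:
    """Step 1011: a dedicated VM when the host can afford one, otherwise a
    process-level environment whose kernel access is restricted by a preset rule."""
    if host.cpus >= VM_MIN_CPUS and host.mem_gib >= VM_MIN_MEM_GIB:
        return "vm"
    return "restricted-container"


def restricted_run_args(image: str, seccomp_profile: str, network: str) -> list:
    """Docker command line for the restricted-kernel file running environment.
    The flags are real `docker run` options; image, profile path and network
    name are placeholders supplied by the caller."""
    return [
        "docker", "run", "--rm",
        "--cap-drop=ALL",                              # no Linux capabilities
        f"--security-opt=seccomp={seccomp_profile}",   # the preset kernel access rule
        "--security-opt=no-new-privileges",            # no setuid escalation
        "--read-only",                                 # image layers stay read-only
        "--tmpfs", "/tmp",                             # writable scratch, discarded on exit
        "--pids-limit=256",
        "--memory=512m", "--cpus=1",
        f"--network={network}",                        # bridge fronted by the sandbox firewall
        image,
    ]


def sandbox_plan(host: HostResources, image: str) -> dict:
    """Combine the decision and the command into one plan the caller can act on."""
    mode = choose_isolation(host)
    if mode == "vm":
        # Placeholder: the VM with its virtual NIC, memory and kernel is provisioned
        # by whatever hypervisor the host runs; only the mode is decided here.
        return {"mode": mode, "command": None}
    return {"mode": mode,
            "command": restricted_run_args(image, "/etc/sandbox/seccomp.json", "sandbox-net")}


if __name__ == "__main__":
    print(sandbox_plan(detect_host(), "registry.example/app:1.0"))
```

The seccomp profile is where the "preset kernel access rule" lives: a deny-by-default profile that whitelists only the system calls the business function needs keeps the trial run faithful to production while denying the container anything the host kernel should not be asked to do.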
Step 1012: configuring a network firewall with a preset security access policy for the target file running environment to obtain the sandbox environment.
A security access policy is a basic security control mechanism that checks, according to certain rules, whether a data packet may pass through the firewall; in essence it screens and filters the data packets that carry content during network or file transmission. The basic role of a firewall with a security access policy is to protect a particular network from attacks from "untrusted" networks while still allowing legitimate communication between the two networks. The security policy checks the data packets passing through the firewall, and only legitimate packets that conform to the policy are allowed through. In step 1012 the security access policy may be preset according to the business function of the container application, and the preset security access policy may include: controlling the access rights of the container application in the intranet to the extranet, controlling access rights between applications in intranet subnets of different security levels, controlling the IP address of the container application, and so on.
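A minimal evaluator for the preset security access policy of step 1012, added here as an example and not the patent's own code. It exercises the three controls the text lists (intranet-to-extranet access, access between subnets of different security levels, and pinning the container's IP address); the addresses, the subnet levels, the rule that a lower-level subnet may not reach a higher-level one, and the rule list are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dports: Optional[frozenset]   # None means any destination port
    action: str                   # "allow" or "deny"


# Assumed addressing: the sandbox bridge is 10.1.0.0/16, the trial-run container
# is pinned to 10.1.0.50, and each intranet subnet carries a security level
# (higher = more sensitive).
SANDBOX_IP = ipaddress.ip_address("10.1.0.50")
SUBNET_LEVELS = {
    ipaddress.ip_network("10.2.0.0/16"): 1,   # shared services, least sensitive
    ipaddress.ip_network("10.1.0.0/16"): 2,   # sandbox subnet
    ipaddress.ip_network("10.3.0.0/16"): 3,   # most sensitive
}

# Preset policy for a web-style container: one shared-service port on the
# level-1 subnet, extranet only on 443. First match wins; default deny.
RULES = [
    Rule("10.1.0.0/16", "10.2.0.0/16", frozenset({5432}), "allow"),
    Rule("10.1.0.0/16", "0.0.0.0/0", frozenset({443}), "allow"),
]


def level_of(ip: ipaddress.IPv4Address) -> Optional[int]:
    for net, level in SUBNET_LEVELS.items():
        if ip in net:
            return level
    return None


def evaluate(packet: Packet, rules=RULES) -> str:
    """Return 'allow' or 'deny' for one packet under the preset security access policy."""
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    # 1. IP address control: only traffic sourced from the pinned sandbox address may leave.
    if src != SANDBOX_IP:
        return "deny"
    # 2. Subnet security levels (assumed semantics): a lower-level subnet never
    #    reaches a higher-level one, whatever the explicit rules say.
    src_level, dst_level = level_of(src), level_of(dst)
    if src_level is not None and dst_level is not None and dst_level > src_level:
        return "deny"
    # 3. Explicit rules, first match wins; everything else is denied by default.
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src_net)
                and dst in ipaddress.ip_network(rule.dst_net)
                and (rule.dports is None or packet.dport in rule.dports)):
            return rule.action
    return "deny"
```

The same rule table maps onto an iptables or nftables chain attached to the sandbox bridge; keeping it as data first makes it easy to review the policy against the container's declared business function before any trial run starts.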
Fig. 3 is a flowchart of a method for the trial run of a container application according to the embodiment shown in fig. 1. As shown in fig. 3, step 102 may include:
Step 1021: performing security scanning on the image file in a preset static security scanning mode.
The static security scanning mode may be static scanning of the image file by any static security scanning tool such as Clair, Anchore or Docker Scan.
Step 1022: adding a readable and writable layer to the security-scanned image file in the sandbox environment to generate the container application.
A container application can be regarded as an image file plus a readable and writable layer. This configuration serves two purposes: on the one hand, by adding readable and writable layers of different structures the same image file can run in different file running environments; on the other hand, the image file is isolated from those environments, that is, operations such as reading data or compiling code that are involved in realising the business function of the image file act only on the readable and writable layer and leave the image file unchanged, which preserves the encapsulation of the image file. The developer may set the structure of the readable and writable layer in advance according to the environment information of the sandbox environment that was built, so that step 1022 generates a container application able to run in the sandbox environment.
Step 1023: performing the trial run of the container application in the sandbox environment.
Fig. 4 is a flowchart of an anomaly detection method for a container application according to the embodiment shown in fig. 2. As shown in fig. 4, step 103 may include:
Step 1031: detecting all ports used by the container application according to a preset high-risk port list to obtain the abnormal ports.
A container application has a number of ports through which it interacts with external devices or other container applications. The high-risk port list is a list of ports for this container application, or for a certain type of container application, drawn up by a developer or operator according to professional knowledge; the ports in the list are ordered by risk level, so that when ports are detected the higher-risk ports can be checked first, in the order of the list. The ports may include port 22, port 80, port 8080, and so on.
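The port check of step 1031, as an added example (not the patent's code): the listening sockets are read from `ss -ltn` output of the kind one would collect from inside the trial-run container (for instance with `docker exec <container> ss -ltn`), and the high-risk list is walked in risk order so that findings come out ranked. The `ss` text and the ordering of the high-risk list are constructed for this example.

```python
# Constructed `ss -ltn` output standing in for what the sandbox monitor collects
# from the running container; not a real capture.
SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       511            0.0.0.0:8080        0.0.0.0:*
LISTEN  0       4096         127.0.0.1:9000        0.0.0.0:*
LISTEN  0       128               [::]:3306           [::]:*
"""

# High-risk port list as a developer or operator might preset it, most risky
# first. The ordering is an assumption for this example, not from the patent.
HIGH_RISK_PORTS = [22, 3306, 8080, 80]


def parse_listening_ports(ss_text: str) -> dict:
    """Return {port: local_address} for every LISTEN socket in `ss -ltn` output."""
    listening = {}
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")   # handles "[::]:3306" too
        listening[int(port)] = address
    return listening


def abnormal_ports(listening: dict, high_risk=HIGH_RISK_PORTS) -> list:
    """Walk the high-risk list in risk order and report the ports actually open,
    noting whether each is bound to all interfaces or only to loopback."""
    findings = []
    for port in high_risk:
        if port in listening:
            address = listening[port]
            exposed = address not in ("127.0.0.1", "[::1]")
            findings.append({"port": port, "address": address, "exposed": exposed})
    return findings


if __name__ == "__main__":
    for finding in abnormal_ports(parse_listening_ports(SS_OUTPUT)):
        print(finding)
```

Recording the bind address alongside the port is worth the extra field: a high-risk service bound only to loopback is a different finding from one listening on all interfaces, and the report in step 104 can rank them accordingly.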
Step 1032: inspect the real-time running data of the processes generated by the container application to obtain the abnormal processes.
The abnormal processes include at least: non-working processes with abnormal resource utilization and non-working processes with abnormal network input/output (I/O) volume.
Illustratively, a working process is one that performs the actual tasks involved in running the container application, for example handling network connections, reading and writing content on virtual disks, or communicating with an upstream server. A non-working process is one that maintains and manages the overall running environment while the container application runs, for example a process performing privileged operations, cache loading or cache management. In step 1032, all non-working processes generated while the container application runs are monitored, and those with a high resource utilization rate or a large network I/O volume are taken as the abnormal processes described above.
Step 1033: intercept the egress network packets of the container application to obtain the abnormal egress network packets.
The abnormal egress network packets include at least: egress network packets with abnormal egress bandwidth and egress network packets with an abnormal destination address.
Illustratively, an egress network packet is a data packet sent out by the container application; it mainly consists of a destination IP address, a source IP address and payload data. In step 1033 the egress network packets of the container application may be intercepted with existing packet-capture techniques. When the payload of an intercepted egress packet is too large, the egress bandwidth of the container application is considered too high; when the destination IP address of an intercepted egress packet is not a working network address, the destination address of the container application is considered abnormal.
Step 1034: detect the security vulnerabilities present in the container application.
Illustratively, the security vulnerabilities include at least: code injection vulnerabilities, session fixation vulnerabilities, path access vulnerabilities, weak password vulnerabilities, and hard-coded encryption key vulnerabilities. Specifically, these may include: a middleware weak-password vulnerability, a front-end SQL (Structured Query Language) vulnerability, a Web application command vulnerability, an XSS (cross-site scripting) vulnerability, a CSRF (cross-site request forgery) vulnerability, a URL (Uniform Resource Locator) jump (redirect) vulnerability, and the like. In step 1034, all of these security vulnerabilities may be detected with existing vulnerability detection techniques.
Step 1035: detect abnormal resource consumption by the container application.
Illustratively, the abnormal resource consumption includes at least: memory leaks and overflows, abnormal CPU utilization, an abnormal communication protocol compression rate, and abnormal system call response time. While running, the container application may consume resources of the virtual machine system or of the host system.
It should be noted that steps 1031 to 1035 may be executed simultaneously while the container application runs. Moreover, monitoring of the container application's running state is not limited to the indicators referred to in steps 1031 to 1035; in actual detection, any indicator of the container application's operation may be monitored using the running-state monitoring mechanisms available for existing network applications, so as to produce the most complete abnormal information.
Step 1036: combine the abnormal ports, the abnormal processes, the abnormal egress network packets, the security vulnerabilities, and the abnormal resource consumption into the abnormal information.
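Steps 1031 to 1036 and the report generation that follows them, as an added example that is not part of the patent text: a small detector that takes constructed trial-run observations (open ports, per-process CPU and network I/O, captured egress packets) and produces the abnormal-information record and a per-image report. The high-risk port order, the allowed destination networks, the thresholds and the sample observations are all constructed; the outputs of steps 1034 and 1035 are taken as inputs, since the text delegates them to existing scanners.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed policy inputs (hypothetical values, not taken from the patent).
HIGH_RISK_PORTS = [22, 8080, 80]                 # ordered by risk; scanned in this order (step 1031)
ALLOWED_DEST_NETS = [ip_network("10.0.0.0/8")]   # "working" destinations; anything else is abnormal
EGRESS_PAYLOAD_LIMIT = 64 * 1024                 # bytes per packet before bandwidth is flagged (step 1033)
CPU_LIMIT, NET_IO_LIMIT = 80.0, 50_000_000       # thresholds for non-working processes (step 1032)


@dataclass
class Proc:
    pid: int
    name: str
    working: bool        # True = performs the app's real tasks; False = maintenance/privileged/cache
    cpu_pct: float
    net_io_bytes: int


@dataclass
class Packet:
    src: str
    dst: str
    payload_len: int


def detect_ports(open_ports: List[int]) -> List[int]:
    """Step 1031: walk the high-risk list in risk order and keep the ports the container exposes."""
    exposed = set(open_ports)
    return [p for p in HIGH_RISK_PORTS if p in exposed]


def detect_processes(procs: List[Proc]) -> List[dict]:
    """Step 1032: only non-working processes are candidates; flag abnormal CPU or network I/O."""
    out = []
    for p in procs:
        if p.working:
            continue                              # high load on a working process is expected
        reasons = []
        if p.cpu_pct > CPU_LIMIT:
            reasons.append("abnormal_resource_utilization")
        if p.net_io_bytes > NET_IO_LIMIT:
            reasons.append("abnormal_network_io")
        if reasons:
            out.append({"pid": p.pid, "name": p.name, "reasons": reasons})
    return out


def detect_egress(packets: List[Packet]) -> List[dict]:
    """Step 1033: flag oversized payloads (bandwidth) and destinations outside the working networks."""
    out = []
    for pkt in packets:
        reasons = []
        if pkt.payload_len > EGRESS_PAYLOAD_LIMIT:
            reasons.append("abnormal_egress_bandwidth")
        dst = ip_address(pkt.dst)
        if not any(dst in net for net in ALLOWED_DEST_NETS):
            reasons.append("abnormal_destination_address")
        if reasons:
            out.append({"dst": pkt.dst, "payload_len": pkt.payload_len, "reasons": reasons})
    return out


def synthesize(open_ports, procs, packets, vulns, resource_anomalies) -> dict:
    """Step 1036: merge the five detectors' findings into one abnormal-information record."""
    return {
        "abnormal_ports": detect_ports(open_ports),
        "abnormal_processes": detect_processes(procs),
        "abnormal_egress_packets": detect_egress(packets),
        "security_vulnerabilities": list(vulns),                   # step 1034 output (from a scanner)
        "abnormal_resource_consumption": list(resource_anomalies),  # step 1035 output (from a monitor)
    }


def build_report(image_ref: str, info: dict) -> dict:
    """Turn the abnormal information into the security analysis report for the image."""
    finding_count = sum(len(v) for v in info.values())
    verdict = "reject" if finding_count else "pass"
    return {"image": image_ref, "verdict": verdict, "finding_count": finding_count, "findings": info}


# Constructed sample observations from one trial run.
SAMPLE_PORTS = [80, 443, 8080]
SAMPLE_PROCS = [
    Proc(1, "app-server", True, 95.0, 200_000_000),         # working process: not a candidate
    Proc(7, "cache-loader", False, 91.5, 1_000),            # non-working: abnormal CPU
    Proc(9, "privileged-helper", False, 2.0, 120_000_000),  # non-working: abnormal network I/O
]
SAMPLE_PACKETS = [
    Packet("172.17.0.2", "10.1.2.3", 1200),
    Packet("172.17.0.2", "203.0.113.9", 500),               # destination outside working networks
    Packet("172.17.0.2", "10.1.2.3", 200_000),              # oversized payload
]

if __name__ == "__main__":
    info = synthesize(SAMPLE_PORTS, SAMPLE_PROCS, SAMPLE_PACKETS, ["hard-coded encryption key"], [])
    print(build_report("registry.example/app:1.0", info))
```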
To sum up, the present disclosure constructs a sandbox environment in a host system, the sandbox environment being a file running environment isolated from the kernel of the host system and provided with a network firewall; trial-runs the container application corresponding to the image file in the sandbox environment; monitors the running state of the container application during the trial run to acquire abnormal information, the abnormal information including at least abnormal ports, abnormal processes, abnormal egress network packets, security vulnerabilities and abnormal resource consumption; and generates a security analysis report for the image file from the abnormal information. Because the container application corresponding to the image file is trial-run in an independent sandbox environment, its abnormal state information is monitored during the trial run and a corresponding security analysis report is generated, security in the production and deployment of image files is improved.
Fig. 5 is a block diagram of an image security detection apparatus according to an exemplary embodiment. As shown in fig. 5, the apparatus 500 comprises:
a sandbox constructing module 510 configured to construct a sandbox environment in the host system, where the sandbox environment is a file operating environment isolated from a kernel of the host system and provided with a network firewall;
a container commissioning module 520, configured to perform commissioning on a container application corresponding to the image file in the sandbox environment;
an anomaly detection module 530, configured to monitor an operation state of the container application in a commissioning process of the container application to obtain anomaly information, where the anomaly information at least includes: an abnormal port, an abnormal process, an abnormal exit network packet, a security vulnerability and abnormal resource consumption;
and a report generating module 540, configured to generate a security analysis report corresponding to the image file according to the abnormal information.
Fig. 6 is a block diagram of the sandbox construction module according to the embodiment shown in fig. 5. As shown in fig. 6, the sandbox construction module 510 includes:
an environment construction sub-module 511, configured to construct, in the host system, a target file operating environment isolated from a kernel of the host system based on physical resources of the host;
the firewall setting sub-module 512 is configured to configure a network firewall with a preset security access policy for the target file operating environment, so as to obtain the sandbox environment.
Optionally, the environment construction sub-module 511 is configured to:
when the physical resources of the host meet the running conditions of a virtual machine, construct a file running environment through the virtualized devices and virtualized kernel provided by the virtual machine, and use it as the target file running environment; or,
when the physical resources of the host do not meet the running conditions of a virtual machine, build a file running environment with a preset kernel access rule through the actual physical devices of the host system, and use it as the target file running environment, the preset kernel access rule limiting the calls the container application may make to the kernel of the host system.
Fig. 7 is a block diagram of a container commissioning module according to the embodiment shown in fig. 5, and as shown in fig. 7, the container commissioning module 520 includes:
the security scanning submodule 521 is configured to perform security scanning on the image file in a preset static security scanning manner;
a container generation sub-module 522, configured to add a readable and writable layer to the image file subjected to the security scan in the sandbox environment to generate the container application;
a container commissioning submodule 523 configured to commission the container application in the sandbox environment.
Fig. 8 is a block diagram of an anomaly detection module according to the embodiment shown in fig. 5, and as shown in fig. 8, the anomaly detection module 530 includes:
the port detection sub-module 531 is configured to check all ports used by the container application against a preset high-risk port list, so as to obtain the abnormal ports;
the process detection sub-module 532 is configured to inspect the real-time running data of the processes generated by the container application to obtain the abnormal processes, where the abnormal processes include at least: non-working processes with abnormal resource utilization and non-working processes with abnormal network input/output (I/O) volume;
the network packet detection sub-module 533 is configured to intercept the egress network packets of the container application to obtain the abnormal egress network packets, where the abnormal egress network packets include at least: egress network packets with abnormal egress bandwidth and egress network packets with an abnormal destination address;
the vulnerability detection sub-module 534 is configured to determine whether a security vulnerability exists in the container application, where the security vulnerabilities include at least: code injection vulnerabilities, session fixation vulnerabilities, path access vulnerabilities, weak password vulnerabilities, and hard-coded encryption key vulnerabilities;
the resource consumption detection sub-module 535 is configured to detect abnormal resource consumption by the container application, where the abnormal resource consumption includes at least: memory leaks and overflows, abnormal CPU utilization, an abnormal communication protocol compression rate and abnormal system call response time;
the information generation sub-module 536 is configured to combine the abnormal ports, the abnormal processes, the abnormal egress network packets, the security vulnerabilities, and the abnormal resource consumption into the abnormal information.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 9 is a block diagram illustrating an electronic device 900 in accordance with an example embodiment. As shown in fig. 9, the electronic device 900 may include: a processor 901, a memory 902, multimedia components 903, input/output (I/O) interfaces 904, and communications components 905.
The processor 901 is configured to control the overall operation of the electronic device 900 so as to complete all or part of the steps of the image security detection method described above. The memory 902 is used to store various types of data supporting the operation of the electronic device 900, such as instructions for any application or method running on the electronic device 900 and application-related data such as contact data, transmitted and received messages, pictures, audio, video, and the like. The memory 902 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disk. The multimedia component 903 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. A received audio signal may further be stored in the memory 902 or transmitted through the communication component 905. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 904 provides an interface between the processor 901 and other interface modules, such as a keyboard, a mouse or buttons; the buttons may be virtual or physical. The communication component 905 is used for wired or wireless communication between the electronic device 900 and other devices. Wireless communication may be, for example, Wi-Fi, Bluetooth, near field communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 905 may include a Wi-Fi module, a Bluetooth module or an NFC module.
In an exemplary embodiment, the electronic Device 900 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components for performing the mirrored security detection method described above.
In another exemplary embodiment, a computer readable storage medium comprising program instructions, such as the memory 902 comprising program instructions, which are executable by the processor 901 of the electronic device 900 to perform the above-described mirrored security detection method is also provided.
Preferred embodiments of the present disclosure are described in detail above with reference to the accompanying drawings, however, the present disclosure is not limited to the specific details of the above embodiments, and other embodiments of the present disclosure may be easily conceived by those skilled in the art within the technical spirit of the present disclosure after considering the description and practicing the present disclosure, and all fall within the protection scope of the present disclosure.
It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. Likewise, any combination may be made between the different embodiments of the disclosure, and such a combination should be regarded as part of the disclosure as long as it does not depart from the idea of the disclosure. The present disclosure is not limited to the precise structures described above, and its scope is limited only by the appended claims.
Claims (10)
1. A method for security detection of an image, the method comprising:
constructing a sandbox environment in a host system, wherein the sandbox environment is a file operation environment which is isolated from a kernel of the host system and is provided with a network firewall;
performing trial operation on the container application corresponding to the image file in the sandbox environment;
monitoring the running state of the container application in the trial running process of the container application to acquire abnormal information, wherein the abnormal information at least comprises: an abnormal port, an abnormal process, an abnormal exit network packet, a security vulnerability and abnormal resource consumption;
and generating a security analysis report corresponding to the image file according to the abnormal information.
2. The method of claim 1, wherein constructing a sandbox environment in a host system comprises:
constructing a target file running environment isolated from a kernel of a host system in the host system based on physical resources of the host;
and configuring a network firewall with a preset security access strategy for the target file operation environment to acquire the sandbox environment.
3. The method of claim 2, wherein constructing, in the host system, a target file running environment isolated from the kernel of the host system based on physical resources of the host comprises:
when the physical resources of the host machine accord with the operating conditions of the virtual machine, a file operating environment is constructed through virtualization equipment and a virtualization kernel provided by the virtual machine and is used as the target file operating environment; or,
when the physical resources of the host do not accord with the running conditions of the virtual machine, a file running environment with a preset kernel access rule is built through actual physical equipment in the host system and serves as the target file running environment, and the preset kernel access rule is used for limiting the calling of the container application to the kernel of the host system.
4. The method of claim 1, wherein the attempting to run the container application corresponding to the image file in the sandbox environment comprises:
carrying out security scanning on the image file in a preset static security scanning mode;
adding a readable and writable layer to the image file subjected to the security scanning in the sandbox environment to generate the container application;
and performing commissioning on the container application in the sandbox environment.
5. An image security detection apparatus, the apparatus comprising:
the system comprises a sandbox construction module, a network firewall and a database management module, wherein the sandbox construction module is used for constructing a sandbox environment in a host system, and the sandbox environment is a file operation environment which is isolated from a kernel of the host system and is provided with the network firewall;
the container commissioning module is used for performing commissioning on the container application corresponding to the image file in the sandbox environment;
an anomaly detection module, configured to monitor an operation state of the container application in a commissioning process of the container application to obtain anomaly information, where the anomaly information at least includes: an abnormal port, an abnormal process, an abnormal exit network packet, a security vulnerability and abnormal resource consumption;
and the report generating module is used for generating a security analysis report corresponding to the image file according to the abnormal information.
6. The apparatus of claim 5, wherein the sandbox building module comprises:
the environment construction sub-module is used for constructing a target file operation environment isolated from a kernel of the host system in the host system based on physical resources of the host;
and the firewall setting submodule is used for configuring a network firewall with a preset security access strategy for the target file operating environment so as to acquire the sandbox environment.
7. The apparatus of claim 6, wherein the environment construction sub-module is configured to:
when the physical resources of the host machine accord with the operating conditions of the virtual machine, a file operating environment is constructed through virtualization equipment and a virtualization kernel provided by the virtual machine and is used as the target file operating environment; or,
when the physical resources of the host do not accord with the running conditions of the virtual machine, a file running environment with a preset kernel access rule is built through actual physical equipment in the host system and serves as the target file running environment, and the preset kernel access rule is used for limiting the calling of the container application to the kernel of the host system.
8. The apparatus of claim 5, wherein the container commissioning module comprises:
the security scanning submodule is used for carrying out security scanning on the image file in a preset static security scanning mode;
a container generation submodule, configured to add a readable and writable layer to the image file subjected to the security scanning in the sandbox environment, so as to generate the container application;
and the container commissioning submodule is used for performing commissioning on the container application in the sandbox environment.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 4.
10. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to carry out the steps of the method of any one of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811638930.4A CN109828824A (en) | 2018-12-29 | 2018-12-29 | Safety detecting method, device, storage medium and the electronic equipment of mirror image |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109828824A true CN109828824A (en) | 2019-05-31 |
Family ID: 66860025
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2017005276A1 (en) * | 2015-07-03 | 2017-01-12 | Telefonaktiebolaget Lm Ericsson (Publ) | Virtual machine integrity |
CN106598694A (en) * | 2016-09-23 | 2017-04-26 | 浪潮电子信息产业股份有限公司 | Virtual machine safety monitoring mechanism based on container |
CN106778246A (en) * | 2016-12-01 | 2017-05-31 | 北京奇虎科技有限公司 | The detection method and detection means of sandbox virtualization |
CN106878343A (en) * | 2017-04-18 | 2017-06-20 | 北京百悟科技有限公司 | The system that network security is service is provided under a kind of cloud computing environment |
CN107480524A (en) * | 2017-08-18 | 2017-12-15 | 郑州云海信息技术有限公司 | A kind of security sandbox and its construction method |
CN107679399A (en) * | 2017-10-19 | 2018-02-09 | 郑州云海信息技术有限公司 | A kind of Malicious Code Detection sandbox system and detection method based on container |
CN108171050A (en) * | 2017-12-29 | 2018-06-15 | 浙江大学 | The fine granularity sandbox strategy method for digging of linux container |
Non-Patent Citations (1)
Title |
---|
王永红: "《计算机网络技术》", 31 August 2014, 北京航空航天大学出版社 * |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110311901B (en) * | 2019-06-21 | 2022-03-08 | 北京雅客云安全科技有限公司 | Lightweight network sandbox setting method based on container technology |
CN110311901A (en) * | 2019-06-21 | 2019-10-08 | 南京尓嘉网络科技有限公司 | A kind of lightweight network sandbox setting method based on container technique |
CN110851241A (en) * | 2019-11-20 | 2020-02-28 | 杭州安恒信息技术股份有限公司 | Safety protection method, device and system for Docker container environment |
CN113157550A (en) * | 2020-01-23 | 2021-07-23 | 北京华顺信安科技有限公司 | Vulnerability environment management method and system based on container |
CN111414612A (en) * | 2020-06-05 | 2020-07-14 | 腾讯科技(深圳)有限公司 | Security protection method and device for operating system mirror image and electronic equipment |
CN111414612B (en) * | 2020-06-05 | 2020-10-16 | 腾讯科技(深圳)有限公司 | Security protection method and device for operating system mirror image and electronic equipment |
CN112104597A (en) * | 2020-07-23 | 2020-12-18 | 广西电网有限责任公司电力科学研究院 | Terminal data isolation method and device for one-end multi-network environment |
CN112104597B (en) * | 2020-07-23 | 2023-04-07 | 广西电网有限责任公司电力科学研究院 | Terminal data isolation method and device for one-end multi-network environment |
CN112084005A (en) * | 2020-09-09 | 2020-12-15 | 北京升鑫网络科技有限公司 | Container behavior auditing method, device, terminal and storage medium |
CN114547590A (en) * | 2020-11-25 | 2022-05-27 | 中国电信股份有限公司 | Code detection method, device and non-transitory computer readable storage medium |
CN114547590B (en) * | 2020-11-25 | 2024-12-20 | 中国电信股份有限公司 | Code detection method, device and non-transitory computer-readable storage medium |
CN113419816A (en) * | 2021-06-16 | 2021-09-21 | 国网安徽省电力有限公司信息通信分公司 | Container mirror image dynamic risk detection method |
CN113886004A (en) * | 2021-08-24 | 2022-01-04 | 阿里云计算有限公司 | Safe container operation, image data download method, device and storage medium |
CN114035898A (en) * | 2021-11-10 | 2022-02-11 | 湖北亿咖通科技有限公司 | Mirror image generation method, device, equipment and medium |
CN114329443A (en) * | 2021-12-28 | 2022-04-12 | 杭州谐云科技有限公司 | A method, system, electronic device and storage medium for generating container sandbox rules |
WO2023160010A1 (en) * | 2022-02-28 | 2023-08-31 | 中兴通讯股份有限公司 | Security detection method and apparatus, electronic device and storage medium |
CN115063146A (en) * | 2022-06-29 | 2022-09-16 | 支付宝(杭州)信息技术有限公司 | Risk assessment method, system and device for protecting data privacy |
CN116431276A (en) * | 2023-02-28 | 2023-07-14 | 港珠澳大桥管理局 | Container security protection method, device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20190531 |