Cite this article:
- DENG Qiqing, SONG Chen, LU Zhitong, WANG Liming, XU Zhen. A Survey on Threats and Countermeasures of Container [J]. Journal of Cyber Security, Accepted. (Chinese citation: 邓启晴,宋晨,卢至彤,王利明,徐震.容器安全威胁及防护技术综述[J].信息安全学报,已采用)
- DENG Qiqing, SONG Chen, LU Zhitong, WANG Liming, XU Zhen. A Survey on Threats and Countermeasures of Container [J]. Journal of Cyber Security, Accept.
Abstract (translated from the Chinese):
The application of container technology and its ecosystem components gives services capabilities such as rapid deployment, cross-platform migration, continuous delivery and horizontal scaling, and has had a profound impact on the development of cloud computing; the projects built around container technology are also increasingly rich and mature, improving the diversity of container functionality and its ease of use. However, the use of container technology and its ecosystem components further weakens the isolation between traditional services and enlarges the exposed attack surface of applications, platforms, systems and hardware, which constrains the development of containers. From malware implantation and container escape attacks to unauthorized access to orchestration platforms, the severity and scope of attacks keep increasing, and the security problems of container technology and its ecosystem components are receiving more and more attention. In response, academia and industry have studied and proposed a number of valuable security mechanisms and solutions, such as intrusion detection, permission control, isolation optimization and trusted hardware. This paper takes container technology and its ecosystem components as the object of study. On the basis of a thorough survey of existing research, it summarizes and proposes an ecosystem architecture for container technology; following this architecture, it analyzes the security threats faced by containers from eight aspects (container instances, container images, container networking, the container core, orchestration platforms, the system kernel, underlying hardware, and configuration management components), correspondingly summarizes the security protection techniques that address these threats, and compares the advantages and disadvantages of each class of protection scheme. Finally, the paper analyzes the application trend of container technology in "multi-tenant" scenarios, further discusses the security problems faced under the multi-tenant container trend, and proposes a container-level security protection solution for these problems.
Keywords: container security threats; container security protection; container technology; container technology ecosystem components
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.08.18
Received: 2022-10-09; Revised: 2023-03-08
Funding: National Key Research and Development Program of China
A Survey on Threats and Countermeasures of Container
DENG Qiqing, SONG Chen, LU Zhitong, WANG Liming, XU Zhen

(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
With the application of container technology and container ecosystem components, web services gain benefits ranging from rapid deployment, cross-platform migration and continuous delivery to horizontal scaling, which has had a far-reaching impact on cloud computing. Container technology has since been widely adopted worldwide, and the related projects built around it have been continually enriched and improved, further extending the functionality and usability of containers themselves. However, the deployment of containers and container ecosystem components can further weaken the isolation among traditional services and enlarge the exposed attack surface of applications, platforms, systems, and hardware, which places severe limitations on the growth of containers. Malware implantation, container escape, and unauthorized access to orchestration platforms are just a few of the attacks that target containers. As a result, the severity and scope of these attacks are expanding, and the security of containers has drawn more and more attention. In response, valuable security mechanisms and solutions, including intrusion detection, permission management, isolation optimization, and trusted hardware, have been proposed in both academia and industry to safeguard containers and their ecosystem components. In this paper, we propose a framework for the study of containers and container ecosystem components based on existing research. Given that framework, threats are analyzed from eight aspects: container instance, container image, container network, container core, orchestration platform, system kernel, hardware, and configuration management components. Furthermore, the countermeasures that respond to these threats are detailed, and the differences between the various security protection schemes are compared.
Following this, our analysis examines the application trends of container technology in "multi-tenant" scenarios and potential research directions for multi-tenant container security. Specifically, we further discuss the security issues associated with the multi-tenant container development trend and propose a more efficient solution for container-level security protection.
Key words: container security threats; container security protection; container; container ecosystem components