Despite the wide usage of container-based cloud computing, container auditing for security analysis relies mostly on built-in host audit systems, which often lack the ability to capture high-fidelity container logs. State-of-the-art reference-monitor-based audit techniques greatly improve the quality of audit logs, but their system-wide architecture is too costly to be adapted for individual containers. Moreover, these techniques typically require extensive kernel modifications, making them difficult to deploy in practical settings. In this paper, we present saBPF (secure audit BPF), an extension of the eBPF framework capable of deploying secure system-level audit mechanisms at the container granularity. We demonstrate the practicality of saBPF in Kubernetes by designing an audit framework, an intrusion detection system, and a lightweight access control mechanism. We evaluate saBPF and show that it is comparable in performance and security guarantees to audit systems from the literature that are implemented directly in the kernel.