1. Patent Search
  2. Details

METHOD OF ANALYZING CONTAINER SYSTEM CALL CONFIGURATION ERROR, AND RECORDING MEDIUM AND APPARATUS FOR PERFORMING THE SAME

20230008660 · 2023-01-12

    Inventors

    Cpc classification

    International classification

    Abstract

    Provided is a method of analyzing a container system call configuration error, including: profiling a set of trusted images that are uploaded to a public or private container image repository during initialization of a system or verified by a repository owner; identifying a custom service layer and known service layers based on the trusted image when a custom image is transmitted to the system; analyzing only the custom service layer by a system call extraction engine; and generating and optimizing a profile with an essential and non-malicious system call by scanning the custom service layer to remove a malicious program or a vulnerable system call. Accordingly, it is possible to reduce overhead by omitting re-analysis of known images in a container image scanning process.

    Claims

    1. A method of analyzing a container system call configuration error, the method comprising: profiling a set of trusted images uploaded to a public or private container image repository during initialization of a system or verified by a repository owner; identifying a custom service layer and known service layers based on a trusted image when a custom image is transmitted to the system; analyzing only the custom service layer by a system call extraction engine; and generating and optimizing a profile having an essential and non-malicious system call by scanning the custom service layer and removing a system call having a malicious program or a vulnerability.

    2. The method of claim 1, further comprising: when the custom service layer includes the malicious program or the vulnerability, scoring to automatically determine whether a system call is included in a whitelist system call list.

    3. The method of claim 2, wherein the scoring comprises: inspecting a system call list from a high level system call to a low level system call; and calculating a final score for a risk of the system call list.

    4. The method of claim 3, wherein the final score for the risk of the system call list is calculated based on an index value of each risk level and penalty value.

    5. The method of claim 2, further comprising providing a scoring result to a manager to approve or reject the system call.

    6. The method of claim 1, wherein the optimizing the profile comprises: notifying a manager of the malicious program or the vulnerability of the custom service layer when the system call having the malicious program or the vulnerability is found; and blocking deployment of the custom image.

    7. The method of claim 1, further comprising updating a seccomp profile to a database as an analysis result of the custom service layer.

    8. A non-transitory computer-readable storage medium on which a computer program for executing the method of analyzing a container system call configuration error of claim 1 is recorded.

    9. An apparatus for analyzing a container system call configuration error, the apparatus comprising: an image profiler configured to profile a set of trusted images uploaded to a public or private container image repository during initialization of a system or verified by a repository owner; an image layer classifier configured to identify a custom service layer and known service layers based on a trusted image when a custom image is transmitted to the system; an image analyzer configured to analyze only the custom service layer by a system call extraction engine; and an optimizer configured to generate and optimize a profile having an essential and non-malicious system call by scanning the custom service layer and removing a system call having a malicious program or a vulnerability.

    10. The apparatus of claim 9, further comprising a scorer configured to, when the custom service layers includes the malicious program or the vulnerability, score to automatically determine whether a system call is included in a whitelist system call list.

    11. The apparatus of claim 10, wherein the scorer comprises: an inspector configured to inspect a system call list from a high level system call to a low level system call; and a calculator configured to calculate a final score for a risk of the system call list.

    12. The apparatus of claim 11, wherein the calculator calculates the final score for the risk of the system call list based on an index value of each risk level and penalty value.

    13. The apparatus of claim 10, wherein the scorer comprises a provider configured to provide a scoring result to a manager to approve or reject the system call.

    14. The apparatus of claim 9, wherein the optimizer comprises: a notifier configured to notify a manager of the malicious program or the vulnerability of the custom service layer when the system call having the malicious program or the vulnerability is found; and a blocker configured to block deployment of the custom image.

    15. The apparatus of claim 9, further comprising an updater configured to update a seccomp profile to a database as an analysis result of the custom service layer.

    Description

    DESCRIPTION OF DRAWINGS

    [0030] FIG. 1 is a diagram for conceptually describing the present invention in terms of time.

    [0031] FIG. 2 is a block diagram of an apparatus for analyzing a container system call configuration error according to an embodiment of the present invention.

    [0032] FIG. 3 is a block diagram of an optimizer of FIG. 2.

    [0033] FIG. 4 is a block diagram of a scorer of FIG. 2.

    [0034] FIG. 5 is a flowchart of a method of analyzing a container system call configuration error according to an embodiment of the present invention.

    [0035] FIG. 6 is a flowchart for a scoring operation of FIG. 5.

    MODES OF THE INVENTION

    [0036] Embodiments of the present invention will be described in detail with reference to the accompanying drawings. These embodiments will be described in detail for those skilled in the art in order to practice the present invention. It should be appreciated that various exemplary embodiments of the present invention are different from each other, but do not have to be exclusive. For example, specific shapes, structures, and characteristics described in the present specification may be implemented in another exemplary embodiment without departing from the objective and the scope of the present invention in connection with an exemplary embodiment. In addition, it should be understood that a position or an arrangement of individual components in each disclosed exemplary embodiment may be changed without departing from the objective and the scope of the present invention. Therefore, a detailed description described below should not be construed as being restrictive. In addition, the scope of the present invention is defined only by the accompanying claims and their equivalents if appropriate. Similar reference numerals will be used to describe the same or similar functions throughout the accompanying drawings.

    [0037] Hereinafter, exemplary embodiments of the present invention will be described in more detail with reference to the accompanying drawings.

    [0038] FIG. 1 is a diagram for conceptually describing the present invention in terms of time.

    [0039] Referring to FIG. 1, the present invention may be divided into a trusted image seccomp profiling process (phase 1) and an optimized image analysis process (phase 2) for generating a seccomp policy.

    [0040] First, phase 1 is performed during initialization of a system and performed ahead of any attacks. The main goal of this process is to profile and generate a set of trusted (official) images from verified vendors such as MongoDB and Apache.

    [0041] Phase 2 is performed when one custom image is transmitted to the system for deployment. The main purpose of this process is to analyze and optimize the seccomp profile for the custom image before the image is deployed on the system.

    [0042] FIG. 2 is a block diagram of an apparatus for analyzing a container system call configuration error according to an embodiment of the present invention.

    [0043] The apparatus 10 (hereinafter, apparatus) for analyzing a container system call configuration error according to the present invention avoids re-analysis of known images by separating a custom image into two parts, and optimizes a system call filtering profile by approving or rejecting dangerous system calls based on a scoring system.

    [0044] Referring to FIG. 2, the apparatus 10 according to an embodiment of the present invention includes an image profiler 110, an image layer classifier 130, an image analyzer 150, and an optimizer 170. In another embodiment, the apparatus 10 may further include a scorer 190 and an updater (not illustrated).

    [0045] The apparatus 10 may execute software (an application) for performing analysis on a container system call configuration error installed therein, and the configuration of the image profiler 110, the image layer classifier 130, the image analyzer 150, the optimizer 170, the scorer 190, and the updater (not illustrated) may be controlled by software for performing the analysis on the container system call configuration error that is executed on the apparatus 10.

    [0046] The apparatus 10 may be a separate terminal or a part of a module of the terminal. In addition, the configuration of the image profiler 110, the image layer classifier 130, the image analyzer 150, the optimizer 170, the scorer 190, and the updater (not illustrated) may be formed as an integrated module or may be formed in one or more modules. However, on the other hand, each configuration may be configured as a separate module. The apparatus 10 may be movable or stationary. The apparatus 10 may be in the form of a server or an engine, and may be called by another term such as “device,” “application,” “terminal,” “user equipment (UE),” “mobile station (MS),” “wireless device,” or “handheld device.”

    [0047] The apparatus 10 may execute or manufacture various types of software based on an operating system (OS), that is, a system. The OS is a system program for software to use the hardware of the apparatus, and may include both a mobile computer OS such as Android OS, iOS, Windows Mobile OS, Bada OS, Symbian OS, or Blackberry OS and a computer OS such as Windows series, Linux series, Unix series, MAC, AIX, or HP-UX.

    [0048] The image profiler 110 profiles a set of trusted images during the initialization of the system.

    [0049] In the present invention, a trusted image is defined as an image that is pushed (uploaded) to a public container image repository (or private repository) or verified by a repository owner.

    [0050] The trusted image is usually used as a base image. In the container image, the base image becomes the first layer. The trusted images are downloaded or pulled from a trusted public repository (or private repository).

    [0051] Most basic components of the container image, such as the system OS, are included in the base image (first layer) of the container image. In the present invention, there is no need to re-analyze these layers, which may greatly reduce the analysis cost and overhead.

    [0052] The trusted images are analyzed only once to generate the seccomp profile. The present invention may reuse the existing seccomp generation techniques and tools to complete this task.

    [0053] The seccomp of each trusted image may be stored in the seccomp profile database for later use.

    [0054] When the custom image is transmitted to the system, the image layer classifier 130 identifies the custom service layer and the known service layer based on the trusted image.

    [0055] In the present invention, the known service layer (generally made from the trusted image) does not need to be re-analyzed. The system first fetches the seccomp profile of the corresponding known service from the seccomp profile database by reading the metadata of the container image.

    [0056] The image analyzer 150 analyzes only the custom service layer by the system call extraction engine.

    [0057] In the present invention, only the custom layer is analyzed by the system call extraction engine. The system call extraction engine needs to analyze a small portion of the image of the container including the custom service. For example, the information on the custom service may be provided by a developer.

    [0058] The seccomp profile obtained from the seccomp profile database and the information (e.g., JSON profile format) on the custom service are compared to determine whether an additional system call is required in the system.

    [0059] The optimizer 170 optimizes to generate a profile with an essential and non-malicious system call by scanning the custom service layer removing a malicious program or a vulnerable system call.

    [0060] The custom layers are scanned for malware and vulnerabilities, notifications are transmitted to a manager and images are blocked if custom service layers include malicious programs or vulnerabilities.

    [0061] To this end, referring to FIG. 3, the optimizer 170 may further include a notifier 171 that notifies the manager of the malicious program or vulnerability of the custom service layer and a blocker 173 that blocks the deployment of the custom image.

    [0062] When the custom service layer includes the malicious program or vulnerability, the scorer 190 performs scoring of automatically determining whether the system call should be included in the whitelist system call list.

    [0063] That is, the dangerous system calls are summarized and known in the scorer 190. The manager may approve or reject the system call of the sensitive list based on his knowledge or the suggestion of the scorer 190.

    [0064] The main purpose of the scorer 190 is to automatically determine whether the system call should be included in the whitelist system call list.

    [0065] Referring to FIG. 4, the scorer 190 may include an inspector 191, a calculator 193, and a provider 195. The scorer 190 is an optional configuration of the apparatus 10, and may give useful suggestions to the manager for determining the seccomp profile.

    [0066] In one embodiment, depending on the effect of the system call on the OS, it may have three levels that are high, medium, and low. When the level is the same, it means that they have the same level of risk.

    [0067] The inspector 191 performs the inspection from a high level system call to a low level system call when the system call list is given after the list operation.

    [0068] The calculator 193 may calculate the total score of the system call list. For example, the final score of the system call list may be calculated as in Equation 1 below.


    Final score=Total score+I*M  [Equation 1]

    [0069] Here, I represents an index (e.g., A, B, and C) of each risk level, and M represents a penalty value. The penalty value may be set by the manager, and when M is high, it may be less likely that the dangerous system call will be added to the profile.

    [0070] The updater (not illustrated) updates the seccomp profile in the database as the analysis result of the custom service layer.

    [0071] Since the custom image is separated into two parts in the present invention, it is possible to reduce the overhead of scanning the entire image by avoiding the re-analysis of the known images. In addition, the scoring method may be used to help the system manager to analyze the custom container image and then optimize the system call filtering profile.

    [0072] FIG. 5 is a flowchart of a method of analyzing a container system call configuration error according to an embodiment of the present invention.

    [0073] The method of analyzing a container system call configuration error according to the present embodiment may be performed in substantially the same configuration as the apparatus 10 of FIG. 2. Accordingly, the same components as those of the apparatus 10 of FIG. 2 are denoted by the same reference numerals, and repeated description thereof will be omitted.

    [0074] In addition, the method of analyzing a container system call configuration error according to the present embodiment may be executed by software (an application) for performing the analysis on the container system call configuration error.

    [0075] The present invention avoids the re-analysis of the known images by separating the custom image into two parts, and optimizes the system call filtering profile by approving or rejecting the dangerous system calls based on the scoring system.

    [0076] Referring to FIG. 5, in the method of analyzing a container system call configuration error according to the present embodiment, first, a set of trusted images, which are uploaded to a public or private container image repository during the initialization of the system or verified by the repository owner, is profiled.

    [0077] In the present invention, the trusted image is defined as an image that is pushed (uploaded) to a public container image repository (or private repository) or verified by a repository owner.

    [0078] The trusted image is usually used as a base image. In the container image, the base image becomes the first layer. The trusted images are downloaded or pulled from a trusted public repository (or private repository).

    [0079] Most basic components of the container image, such as the system OS, are included in the base image (first layer) of the container image. In the present invention, there is no need to re-analyze these layers, which may greatly reduce the analysis cost and overhead.

    [0080] The trusted images are analyzed only once to generate the seccomp profile. The present invention may reuse the existing seccomp generation techniques and tools to complete this task.

    [0081] The seccomp of each trusted image may be stored in the seccomp profile database for later use.

    [0082] Then, when one custom image is transmitted to the system for deployment, the seccomp profile for the custom image is analyzed and optimized before the image is deployed on the system.

    [0083] For this, when the custom image is transmitted to the system, the custom service layer and the known service layers based on the trusted image are identified.

    [0084] In the present invention, the known service layer (generally made from the trusted image) does not need to be re-analyzed. The system first fetches the seccomp profile of the corresponding known service from the seccomp profile database by reading the metadata of the container image (operation S10).

    [0085] In the present invention, only the custom layer is analyzed by the system call extraction engine (operation S20). The system call extraction engine needs to analyze a small portion of the image of the container including the custom service. For example, the information on the custom service may be provided by a developer.

    [0086] The seccomp profile obtained from the seccomp profile database and the information (e.g., JSON profile format) on the custom service are compared to determine whether an additional system call is required in the system (operation S30).

    [0087] When the additional system is required, the optimizer 170 optimizes to generate the profile with the essential and non-malicious system call (operation S50) by scanning the custom service layer (operation S40) and removing the malicious program or the vulnerable system call. When the system call with the malicious program or the vulnerability is found, a manager may be notified of the malicious program or the vulnerability of the custom service layer.

    [0088] In addition, when the custom service layer includes the malicious program or the vulnerability, it is possible to perform scoring to automatically determine whether the system call is included in a whitelist system call list (operation S6).

    [0089] Referring to FIG. 6, in the performing of the scoring, a total score for risk may be calculated by performing an inspection of the system call list from a high level system call to a low level system call (step S61).

    [0090] When the total score for the risk is lower than the preset threshold (operation S62), the process ends (operation S63). On the other hand, when the total score for the risk is higher than the preset threshold (operation S62), the profile of each system call is updated (operation S65) by performing the inspection of the system call list from the high level system to the low level system (operation S64).

    [0091] In addition, the final score of the system call list is calculated (step S66). For example, the final score of the system call list may be calculated based on the index value of each risk level and penalty value.

    [0092] In addition, the scoring result is provided to the manager to allow the manager to approve or reject the system call, thereby giving the manager useful suggestions to determine the seccomp profile.

    [0093] As the analysis result of the custom service layer, the seccomp profile may be updated in the database.

    [0094] Since the custom image is separated into two parts in the present invention, it is possible to reduce the overhead of having to scan the entire image by avoiding the re-analysis of the known images. In addition, the scoring method may use the scoring method to help the system manager to analyze the custom container image and then optimize the system call filtering profile.

    [0095] Such a method of analyzing a container system call configuration error may be implemented as an application or implemented in the form of a program command that may be executed through various computer components and recorded on a computer-readable recording medium. The computer-readable recording medium may include a program command, a data file, a data structure, or the like, alone or a combination thereof.

    [0096] The program instructions recorded on the computer-readable recording medium may be specially designed and constituted for the present invention or be known to those skilled in the field of computer software.

    [0097] Examples of the computer-readable recording media may include a magnetic medium such as a hard disk, a floppy disk, or a magnetic tape, an optical recording medium such as a compact disk read only memory (CD-ROM) or a digital versatile disk (DVD), a magneto-optical medium such as a floptical disk, and a hardware device specially configured to store and execute program commands, such as a read only memory (ROM), a random access memory (RAM), a flash memory, or the like.

    [0098] Examples of the program instructions include a high level language code capable of being executed by a computer using an interpreter, or the like, as well as a machine language code created by a compiler. The hardware device may be constituted to be operated as one or more software modules to perform processing according to the present invention, and vice versa.

    [0099] Although the embodiments of the present invention have been described hereinabove, those skilled in the art will be able to understand that the present invention may be variously modified and altered without departing from the spirit and scope of the present invention disclosed in the following claims.

    INDUSTRIAL APPLICABILITY

    [0100] The present invention proposes a method of optimizing a container image scanning process to generate a system call filtering profile, and therefore can be useful in a vulnerability scan application, a vulnerability list check application, etc.

    EXPLANATION OF REFERENCE NUMERALS

    [0101] 10: apparatus

    [0102] 110: image profiler

    [0103] 130: image layer classifier

    [0104] 150: image analyzer

    [0105] 170: optimizer

    [0106] 190: scorer

    [0107] 171: notifier

    [0108] 173: blocker

    [0109] 191: inspector

    [0110] 193: calculator

    [0111] 195: provider