计算机工程与应用 ›› 2018, Vol. 54 ›› Issue (6): 81-85.DOI: 10.3778/j.issn.1002-8331.1611-0054

• 网络、通信与安全 • 上一篇    下一篇

基于MNT随机化容器文件系统安全性加强技术

魏小锋,郭玉东,林  键   

  1. 信息工程大学 数学工程与先进计算国家重点实验室,郑州 450001
  • 出版日期:2018-03-15 发布日期:2018-04-03

Hardening technology for container file system based on MNT namespace randomization

WEI Xiaofeng, GUO Yudong, LIN Jian   

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, China
  • Online:2018-03-15 Published:2018-04-03

摘要: 容器作为一种操作系统层的虚拟化技术,被广泛认为是资源使用率最高的虚拟化方法,而MNT名字空间是容器实现文件系统隔离的重要技术,但procfs和sysfs等文件系统不支持名字空间,存在信息泄漏的风险。针对MNT名字空间存在的不足,提出并实现了基于MNT名字空间随机化,通过修改Linux的MNT名字空间创建及工作过程,对文件名/目录使用AES加密方式进行处理,使用名字空间内的进程只能看到模糊的文件目录树,实现对目录的屏蔽。实验结果表明,该方法能有效防护扫描软件针对枚举目录和特定敏感文件的攻击,而且性能损耗小,只增加约1.82%的运行开销。

关键词: 容器, MNT名字空间, 文件名加密, 随机化

Abstract: As a virtualization technology of operating system layer, container is widely considered to be the top resources utilization rate virtualization method, MNT name space is an important technology for container file system isolation, but procfs and sysfs file system does not support namespace, there is the risk of information leakage. In view of the insufficiency of MNT name space, this paper puts forward and realizes the randomization of MNT name space. The work process is created by modifying the Linux MNT namespace, AES encryption methods are used for filename/directory processing, using the name space can see the process of fuzzy file directory tree, shielding of the directory. The experimental results show that the method can effective prevent scanning software from attacking on enumeration directory and specific sensitive files, and performance loss is small, only increases about 1.82% of the operating expenses.

Key words: container, mount namespace(MNT namespace), filename encryption, randomization