
Research On Vulnerability Detection And Protection Technology Of Binary Code In Container Environment

Posted on: 2024-03-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y T Zhang
Full Text: PDF
GTID: 1528306944456774
Subject: Cyberspace security

Abstract/Summary:
With the development of cloud computing, the lightweight virtualization technology represented by containers has been widely adopted. Nevertheless, the security issues of containers have also received extensive attention. The services a container provides are based on the binary programs inside it. Attackers often exploit vulnerabilities in these binary programs to break into the container and then cause further damage, significantly affecting the reliability and security of the container environment. Therefore, security research on binary programs in the container environment has both academic importance and practical significance. This thesis takes the defender's perspective, focusing on the vulnerabilities of binary programs in the container environment and conducting research from two angles: detection and protection. The main work and contributions of this thesis are as follows:

1. Aiming at the lack of a systematic analysis of the different security threats faced by different binary programs in the container environment, research is conducted from the two perspectives of binary vulnerability detection and protection. Based on the attack paths a container faces, this thesis divides the binary programs in the container environment into the application programs inside the container and the kernel outside it. For the application programs inside the container, in order to make full use of the advantages of an intermediate language in program analysis, this thesis proposes lifting the application from binary code to an intermediate language, then using binary function similarity analysis to detect known vulnerabilities and fuzzing to discover unknown ones. For the kernel outside the container, it is difficult to ensure security through vulnerability detection alone, so this thesis ensures the kernel's security from the perspective of vulnerability protection. Taken together, by focusing on the binary programs in the container environment, the runtime security of the container is guaranteed from both inside and outside the container.

2. Aiming at the problem that most current binary function similarity analysis techniques do not work well in real scenarios, a method for binary code similarity analysis using program dependency graphs is proposed. First, the program is lifted from binary code to an intermediate language, and the program dependency graph of each binary function is extracted and normalized. Then, to balance the efficiency and accuracy of the analysis, the function's program dependency graph is decomposed into units of variables, and variables with semantic redundancy within the function are pruned. Finally, similar variable pairs between functions are matched, and the similarity of variables between functions is converted into the similarity of the functions from the perspective of whether the two functions can represent each other. Compared with existing binary function similarity analysis work, the proposed method improves the AUC value by 4.34% in experiments across different instruction set architectures and compilation configurations.

3. Aiming at the problem that current coverage-based fuzzing has difficulty discovering vulnerabilities with complex trigger logic in binary programs, a multi-priority-queue-oriented fuzzing technique is proposed on the basis of directed fuzzing. First, the binary program is lifted to an intermediate language to prepare for the subsequent program analysis. Then, function fingerprinting and static pointer analysis on the intermediate language automatically identify the target locations. Finally, a multi-priority seed queue guides the fuzzer to reach the different target code locations in sequence, and vulnerabilities are discovered by combining various runtime indicators with taint analysis. The results show that the proposed method increases the speed of vulnerability discovery by 3.35 times in experiments on vulnerabilities with complex trigger logic.

4. Aiming at the high false positive rate of existing container escape detection techniques, a real-time monitoring method based on heterogeneous observation is proposed to defend against container escapes that exploit kernel vulnerabilities. First, container escape attacks exploiting kernel vulnerabilities are modeled and divided into direct escape and indirect escape. Critical attributes of the process are selected as observation points, and a heterogeneous observation method with "privilege escalation" as the detection criterion is proposed. Then, a kernel module captures the attribute information of processes in real time, a process origin graph is constructed, and the scale of the origin graph is reduced through process boundary identification inside and outside the container. Finally, a heterogeneous observation chain is constructed from the process attribute information, and a prototype system is implemented. Compared with existing tools for detecting container escape attacks, the proposed method successfully detects the two types of container escape attack.
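As an added illustration of the detection idea in contribution 4 (this is not code from the thesis or its prototype): a toy process origin graph is built from a constructed snapshot of process events, the pid namespace is assumed to mark the container boundary, and a process is flagged when its credential attributes exceed those of its container origin, the "privilege escalation" criterion. The observed attributes (uid, effective capabilities, pid namespace id) and the mapping of "direct" to leaving the namespace and "indirect" to gaining uid 0 or capabilities are assumptions.

```python
from dataclasses import dataclass

# Constructed id standing in for the host pid namespace; the assumed boundary rule is
# that any process with a different pidns is inside a container.
HOST_PIDNS = 4026531836

@dataclass(frozen=True)
class ProcEvent:            # one process observation; a real system gets these from a kernel module
    pid: int
    ppid: int
    uid: int
    caps: frozenset          # effective capability names (assumed observation point)
    pidns: int               # pid namespace id

def container_origin(graph, e):
    """Walk up the origin graph to the outermost in-container ancestor (the container init)."""
    origin = e if e.pidns != HOST_PIDNS else None
    cur = e
    while cur.ppid in graph:
        cur = graph[cur.ppid]
        if cur.pidns == HOST_PIDNS:
            break                 # crossed the boundary into the host side
        origin = cur
    return origin                 # None if the process has no in-container lineage

def detect_escalations(events):
    """Return (pid, observation chain) for processes whose attributes exceed their origin's."""
    graph = {e.pid: e for e in events}   # process origin graph keyed by pid
    alerts = []
    for e in events:
        origin = container_origin(graph, e)
        if origin is None or e is origin:
            continue                      # host process, or the container init itself
        chain = []
        if e.pidns == HOST_PIDNS:
            chain.append("direct:left-pidns")   # assumed reading of 'direct escape'
        if e.uid == 0 and origin.uid != 0:
            chain.append("indirect:uid->0")     # assumed reading of 'indirect escape'
        if not e.caps <= origin.caps:
            chain.append("indirect:caps+" + ",".join(sorted(e.caps - origin.caps)))
        if chain:
            alerts.append((e.pid, chain))
    return alerts

SAMPLE_EVENTS = [  # constructed sample snapshot, not real telemetry
    ProcEvent(2000, 1, 0, frozenset({"CAP_SYS_ADMIN"}), HOST_PIDNS),              # container runtime
    ProcEvent(2001, 2000, 1000, frozenset({"CAP_NET_BIND_SERVICE"}), 4026532500), # container init
    ProcEvent(2002, 2001, 1000, frozenset({"CAP_NET_BIND_SERVICE"}), 4026532500), # service process
    ProcEvent(2003, 2002, 0, frozenset({"CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"}), 4026532500),
    ProcEvent(2004, 2002, 1000, frozenset({"CAP_NET_BIND_SERVICE"}), HOST_PIDNS),  # child in host pidns
]
```

A real deployment would feed these events from the kernel-side capture the thesis describes; here the snapshot is static, so pid 2003 is reported as an indirect escalation and pid 2004 as a direct one.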
Keywords/Search Tags: container security, intermediate representation, binary function similarity, vulnerability detection, kernel vulnerability