Container technology has gradually become an essential technology for Internet companies as the Internet has developed, and security research on container technology is increasing accordingly. Container security mainly revolves around three aspects: container image security, container runtime security, and container orchestration system security. This thesis proposes and implements a security detection scheme and platform based on container images. Container images are complex, portable, and opaque; for images provided by third parties, black-box detection is difficult. Container image security is similar to traditional supply chain security, and detecting hidden security issues in container images is a major challenge. This paper carries out research on the above problems; the specific work is as follows:

(1) This paper proposes a static detection technology for container images based on vulnerability meta-information. The technology detects possible security problems in container images from three aspects: historical vulnerabilities caused by low-version applications in the image, security vulnerabilities caused by incorrect configuration files, and container image risks related to compliance with security regulations. The method judges whether a software version is too low by sorting and comparing the vulnerability meta-information, and compiles dozens of compliance checks from the experience gained in red-blue confrontation exercises. Combining these two methods can quickly complete the static detection of container images.

(2) The paper proposes a dynamic detection technology for container images based on the container runtime. This technology proposes a general method for instantiating container image files, summarizes the behavioral characteristics that need to be collected while the container is running, and refines the rules for judging whether a container image is malicious. The dynamic detection module for container images is completed by means of hooks.

(3) Combining these two detection technologies, the paper designs and implements the container image risk detection platform CID. The platform adopts a variety of detection schemes, supports multiple input methods, and can be embedded in the DevSecOps process to complete container image risk detection. The experimental results show that the combined dynamic and static detection methods proposed in the paper can detect risks in malicious samples that have undergone many different obfuscation and concealment methods. The CID platform has detected the risks of different malicious container images in actual detection tasks, which shows that the platform has strong container image risk detection capabilities.
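As an added illustration of the static detection idea in (1), not code from the thesis or the CID platform: installed package versions are compared against constructed vulnerability meta-information, and a few compliance-style checks run over the image configuration (the record fields, Docker-style config keys, sample data and rule names are all assumptions).

```python
import re

# Constructed vulnerability meta-information: package and first fixed version.
VULN_META = [
    {"id": "VULN-EXAMPLE-1", "pkg": "openssl", "fixed_in": "1.1.1k"},
    {"id": "VULN-EXAMPLE-2", "pkg": "curl", "fixed_in": "7.79.0"},
    {"id": "VULN-EXAMPLE-3", "pkg": "zlib", "fixed_in": "1.2.12"},
]

def version_key(v):
    """Sortable key: numeric runs as (0, int), letters as (1, str), so mixed
    versions such as "1.1.1k" compare safely; a distro suffix after '-' is ignored."""
    base = v.split("-", 1)[0]
    parts = re.findall(r"\d+|[a-zA-Z]+", base)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def low_version_findings(installed):
    """Ids of vulnerability records whose fixed version is newer than what is installed."""
    findings = []
    for rec in sorted(VULN_META, key=lambda r: (r["pkg"], version_key(r["fixed_in"]))):
        cur = installed.get(rec["pkg"])
        if cur is not None and version_key(cur) < version_key(rec["fixed_in"]):
            findings.append(rec["id"])
    return findings

def config_findings(config):
    """Compliance-style checks over Docker-style image config keys (assumed names)."""
    findings = []
    if config.get("User", "") in ("", "root", "0"):
        findings.append("runs-as-root")
    for env in config.get("Env", []):
        name = env.split("=", 1)[0]
        if any(tok in name.upper() for tok in ("PASSWORD", "SECRET", "TOKEN")):
            findings.append("secret-in-env:" + name)
    if "/var/run/docker.sock" in config.get("Volumes", {}):
        findings.append("docker-socket-volume")
    return findings

def scan(image):
    """Static detection result for one image inventory."""
    return {"packages": low_version_findings(image["packages"]),
            "config": config_findings(image["config"])}

# Constructed sample inventory, as a layer/package parser might produce it.
SAMPLE_IMAGE = {
    "packages": {"openssl": "1.1.1g-r0", "curl": "7.79.1", "zlib": "1.2.12"},
    "config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=changeme"],
               "Volumes": {"/var/run/docker.sock": {}}},
}

if __name__ == "__main__":
    print(scan(SAMPLE_IMAGE))
```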