
A Study on the Source Protection Method of the Overlay2 File System

Overlay2 file system's Source Protection Methodology

  • Han, Sung-Hwa (Department of Information Security, Tongmyung University)
  • Received: 2021.08.09
  • Reviewed: 2021.09.13
  • Published: 2021.10.31

Abstract

The overlay2 file system is one of the union file systems that mounts multiple directories as a single one. The write-able layer created when an overlay2 file system is mounted operates independently of the source directory, so overlay2 is widely used in container platforms for application deployment and similar settings. However, the overlay2 file system has a security vulnerability: if a file in the source directory used for the mount is arbitrarily tampered with, the tampered content is applied to the write-able layer. This study proposes a source directory protection technique for the overlay2 file system to remove this security vulnerability. After an empirical implementation following the proposed architecture, the source directory protection function was verified, and the protection technique proposed in this study was judged to be effective. However, because the method proposed in this study is a passive protection method, follow-up research is needed to protect the source directory automatically at the operating system level.

The overlay2 file system is one of the union file systems that mounts multiple directories into one. The source directory used for this overlay2 file system mount has the characteristic that it operates independently of the write-able layer after mounting, so it is often used in container platforms for application delivery. However, the overlay2 file system has a security vulnerability in that the write-able layer is also modified when a file in the source directory is modified. In this study, I proposed the overlay2 file system protection technology to remove the security vulnerabilities of the overlay2 file system. As a result of empirically implementing the proposed overlay2 file system protection technology and verifying the function, the protection technology proposed in this study was verified to be effective. However, since the method proposed in this study is a passive protection method, a follow-up study is needed to automatically protect it at the operating system level.
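The propagation described in the abstract, and one way a defender can detect it, as an added example that is not part of the paper or its implementation: `merged_read` is a simplified model of overlay2 name lookup (upper layer wins once a file has been copied up, otherwise the lower/source layer is read), and `build_manifest`/`verify_manifest` are a constructed SHA-256 baseline check over the source directory; none of these names come from the paper.

```python
"""Overlay2 lower-layer tampering and a source-directory manifest check (constructed)."""
import hashlib
import tempfile
from pathlib import Path


def merged_read(lower: Path, upper: Path, name: str) -> bytes:
    """Model overlay2 lookup: the write-able upper layer wins when it already
    holds the file (a copy-up happened); otherwise the lower (source) file is read."""
    up = upper / name
    if up.exists():
        return up.read_bytes()
    return (lower / name).read_bytes()


def build_manifest(src: Path) -> dict[str, str]:
    """Record a SHA-256 digest for every regular file under the source directory."""
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        manifest[str(path.relative_to(src))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_manifest(src: Path, manifest: dict[str, str]) -> list[str]:
    """Return relative paths whose digest differs from the baseline, including
    files added to or removed from the source directory since the baseline."""
    current = build_manifest(src)
    return sorted(rel for rel in set(manifest) | set(current)
                  if manifest.get(rel) != current.get(rel))


def demo() -> tuple[bytes, bytes, list[str]]:
    """Constructed scenario: one file copied up by the container, one untouched,
    then both tampered with directly in the source directory."""
    with tempfile.TemporaryDirectory() as tmp:
        lower, upper = Path(tmp, "lower"), Path(tmp, "upper")
        lower.mkdir()
        upper.mkdir()
        (lower / "app.conf").write_bytes(b"debug=false\n")
        (lower / "lib.so").write_bytes(b"original-lib\n")
        baseline = build_manifest(lower)          # taken right after the mount
        (upper / "app.conf").write_bytes(b"debug=true\n")   # container wrote it: copy-up
        (lower / "lib.so").write_bytes(b"tampered-lib\n")   # tampering below the mount
        (lower / "app.conf").write_bytes(b"debug=tampered\n")
        seen_conf = merged_read(lower, upper, "app.conf")   # shielded by the copy-up
        seen_lib = merged_read(lower, upper, "lib.so")      # tampering shows through
        changed = verify_manifest(lower, baseline)          # both edits are detected
    return seen_conf, seen_lib, changed
```

Only files never written through the mount expose the tampered lower content, which is why an integrity baseline of the source directory, rather than of the merged view, is the useful check.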

Keywords
