面向云原生的API攻击诱捕技术研究

doi:10.19665/j.issn1001-2400.2023.04.023

Abstract

Abstract:

As the core channel for connecting services and transmitting data,the application programming interface (API) hides security risks that cannot be ignored behind its huge value.As the most important information infrastructure on the Internet,it has become the main target for attackers.In order to make up for the shortcomings of existing API security schemes that cannot adequately protect API attack surfaces,we focus on the API security of the cloud native architecture.Based on the idea of active trapping,a cloud-oriented API attack trapping framework is proposed,which constructs corresponding API decoys and high-interactive trapping environments according to the characteristics of different cloud service levels.Especially,in the container orchestration layer (platform layer),three API decoys are designed around the vulnerabilities of cloud components Kubernetes and Docker.In the application layer,fifteen API decoys are designed by selecting API vulnerabilities with more harm and higher utilization frequency.At the same time,in view of the high demand for physical resources of high-interaction API decoys in the application layer,a dynamic scheduling algorithm based on the current network traffic is proposed to maximize the capture effect by making full use of physical resources.On the basis of the trapping framework,a prototype system is implemented and deployed in the real environment.The trapping system finally captures 1270 independent Internet Protocol (IP) addresses and 4146 requests.The captured data are statistically analyzed,and the captured attack behaviors are analyzed in detail.Experimental results show that the proposed API attack trapping technology can effectively discover API attack behaviors in the cloud native environment.

Key words: application programming interfaces(API), security, cloud API security, attack trapping, decoy

CLC Number:

TP393.08

ZHANG Yue,CHEN Qingwang,LIU Baoxu,YU Cunwei,TAN Ru,ZHANG Fangjiao. Research on cloud native API attack trapping technology[J].Journal of Xidian University, 2023, 50(4): 237-248.

Figures/Tables 10

References 22

[1]	GARTNER. Hype Cycle for Application Security,2022[R]. Stanford:GARTNER, 2022.
[2]	中国信息通信研究院. 应用程序接口(API)数据安全研究报告(2020年)[R]. 北京: 中国信息通信研究院, 2020.
[3]	GANNON D, BARGA R, SUNDARESAN N. Cloud-Native Applications[J]. IEEE Cloud Computing, 2017, 4(5):16-21.
[4]	HUSSAIN F, NOYE B, SHARIEH S. Current State of API Security and Machine Learning[J]. IEEE Technology Policy and Ethics, 2019, 4(2):1-5.
[5]	赵娟娟. 基于 OpenResty 的 API 防护系统的设计与实现[D]. 武汉: 武汉轻工大学, 2021.
[6]	BAYE G, HUSSAIN F, ORACEVIC A, et al. API Security in Large Enterprises:Leveraging Machine Learning for Anomaly Detection[C]// 2021 International Symposium on Networks,Computers and Communications (ISNCC).Piscataway:IEEE, 2021:1-6.
[7]	MARTIN-LOPEZ A. Ai-Driven Web API Testing[C]// Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering:Companion Proceedings.Piscataway:IEEE, 2020:202-205.
[8]	DÍAZ-ROJAS J A, OCHARÁN-HERNÁNDEZ J O, PÉREZ-ARRIAGA J C, et al. Web API Security Vulnerabilities and Mitigation Mechanisms:A Systematic Mapping Study[C]// 2021 9th International Conference in Software Engineering Research and Innovation (CONISOFT).Piscataway:IEEE, 2021:207-218.
[9]	WEIR C, HERMANN B, FAHL S. From Needs to Actions to Secure Apps? The Effect of Requirementsand Developer Practices on App Security[C]// 29th USENIX Security Symposium (USENIX Security 20).Berkeley:USENIX, 2020:289-305.
[10]	GORSKI P L, IACONO L L, WERMKE D. Developers Deserve Security Warnings,Too:On the Effect of Integrated Security Advice on Cryptographic API Misuse[C]// Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). New York: ACM, 2018.265-281.
[11]	OLIVEIRA D S, LIN T, RAHMAN M S. API Blindspots:Why Experienced Developers Write Vulnerable Code[C]// Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). New York: ACM, 2018:315-328.
[12]	IMRAN A, FARRUKH H, IBRAHIM M, et al. {SARA}:Secure Android Remote Authorization[C]// 31st USENIX Security Symposium (USENIX Security 22).Berkeley:USENIX, 2022:1561-1578.
[13]	BREWER E A. Kubernetes and the Path to Cloud Native[C]// Proceedings of the Sixth ACM Symposium on Cloud Computing. New York: ACM, 2015:167.
[14]	HENDRICKSON S, STURDEVANT S, HARTER T, et al. Serverless Computation with OpenLambda[C]// 8th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 16).Berkeley:USENIX, 2016:33-39.
[15]	MUHAMMAD A B, ZORAN P. Guidelines for Building A Private Cloud Infrastructure (2012)[R/OL].[2012-12-31]. https://pure.itu.dk/da/publications/guidelines-for-building-a-private-cloud-infrastructure.
[16]	申京, 吴晨光, 郝洋, 等. 面向云计算数据中心的弹性资源调整方法[J]. 南京理工大学学报(自然科学版), 2015, 1:89-93.
	SHEN Jing, WU Chenguang, HAO Yang, et al. Elastic Resource Adjustment Method for Cloud Computing Data Center[J]. Journal of Nanjing University of Technology(Natural Science Edition), 2015, 1:89-93.
[17]	CHANDRAMOULI R, BUTCHER Z. Building Secure Microservices-Based Applications Using Service-mesh Architecture[J]. NIST Special Publication 800, 2020:204A.
[18]	陈真, 乞文超, 贺鹏飞, 等. 云应用程序编程接口安全研究综述:威胁与防护[J]. 电子与信息学报, 2022, 44:1-12.
	CHEN Zhen, QI Wenchao, HE Pengfei, et al. Overview of Cloud Application Programming Interface Security Research:Threats And Protection[J]. Journal of Electronics and Information, 2022, 44:1-12.
[19]	TANG L, OUYANG L, TSAI W T. Multi-Factor Web API Security for Securing Mobile Cloud[C]// 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD).Piscataway:IEEE, 2015:2163-2168.
[20]	LI C, WANG L, JI S, et al. Seeing is Living? Rethinking the Security of Facial Liveness Verification in the Deepfake Era (2022)[J/OL].[2022-02-22]. https://arxiv.org/abs/2202.10673.
[21]	李华东, 张学亮, 王晓磊, 等. Kubernetes集群中多节点合作博弈负载均衡策略[J]. 西安电子科技大学学报, 2021, 48(6):16-22.
	LI Huadong, ZHANG Xueliang, WANG Xiaolei, et al. Multi-Node Cooperative Game Load Balancing Strategy in Kubernetes Cluster[J]. Journal of Xidian University, 2021, 48(6):16-22.
[22]	贾召鹏, 方滨兴, 崔翔, 等. ArkHoney:基于协同机制的Web蜜罐[J]. 计算机学报, 2018, 41(2):413-425.
	JIA Shaopeng, FANG Binxing, CUI Xiang, et al. ArkHoney:Web Honeypot Based on Collaboration Mechanism[J]. Journal of Computer Science, 2018, 41(2):413-425.

组件名	脆弱点	说明	日志记录
API Server	SA凭证泄漏	通过泄漏ServiceAccount凭证,诱捕攻击者使用该凭证对API Server发起请求	API Server的请求日志
Kubelet	不安全配置Kubelet	设置Kubelet配置来允许未授权用户向当前节点Kubelet API下发命令	Kubelet守护进程日志
Docker	Docker未授权访问	将Docker守护进程的API端口暴露在公网上来吸引攻击者	Docker守护进程日志

序号	API类型	组件名	漏洞编号	说明
1	认证授权	Apache APISIX	CVE-2022-24112	攻击者可以向batch-requests插件发送请求来绕过Admin API的IP限制
2	认证授权	Weblogic	CVE-2020-14882	允许未授权的用户绕过管理控制台的权限验证访问后台
3	认证授权	Spring-security	CVE-2022-22978	未经身份验证攻击者可以构造恶意数据包绕过身份认证
4	认证授权	ApacheSolr	CVE-2020-1957	攻击者通过构造恶意链接可以绕过目录权限限制
5	认证授权	Grafana	CVE-2022-21673	允许未授权用户检索数据
6	业务逻辑	Apache Log4j	CVE-2021-44228	攻击者可以控制日志消息来执行任意代码
7	业务逻辑	ApacheSolr	CVE-2019-17558	允许未授权的用户绕过管理控制台的权限验证访问后台,用户可以注入自定义模板,通过Velocity模板语言执行任意命令
8	业务逻辑	Spring Cloud Gateway	CVE-2022-22947	Gateway Actuator启用时,攻击者可以发送恶意请求在远程主机上进行任意远程执行
9	业务逻辑	Spring Cloud Function	CVE-2022-22963	攻击者可以向服务器传递恶意表达式Cloud Functions任意代码执行
10	业务逻辑	Fastjson	CVE-2022-25845	该漏洞允许攻击者绕过Fastjson中的“AutoTypeCheck”机制并实现远程代码执行
11	业务逻辑	Fastjson	CNVD-2019-22238	该漏洞允许攻击者绕过黑白名单检测实现远程代码执行
12	数据访问	JBoss	CVE-2017-12149	攻击者可以构造序列化代码传入服务器执行任意代码
13	数据访问	Weblogic	CVE-2020-14883	允许后台任意用户通过HTTP协议执行任意命令
14	数据访问	Grafana	CVE-2022-39307	sent-reset-email路由会将信息泄露给未经身份验证的用户
15	数据访问	Django	CVE-2022-34265	存在SQL注入漏洞

日志来源	日志类别
控制节点	应用层诱饵请求日志
控制节点	API Server日志
工作节点	命令执行日志
工作节点	Kubelet守护进程日志
工作节点	Docker守护进程日志

序号	漏洞编号	诱饵权重
1	CVE-2022-24112	0.8
2	CVE-2020-14882	0.6
3	CVE-2022-22978	0.6
4	CVE-2020-1957	0.5
5	CVE-2022-21673	0.5
6	CVE-2021-44228	0.9
7	CVE-2019-17558	0.8
8	CVE-2022-22947	0.9
9	CVE-2022-22963	0.8
10	CVE-2022-25845	0.7
11	CNVD-2019-22238	0.7
12	CVE-2017-12149	0.6
13	CVE-2020-14883	0.9
14	CVE-2022-39307	0.5
15	CVE-2022-34265	0.7

Research on cloud native API attack trapping technology

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 22

Related Articles 15

Metrics

Comments

Recommended 0

[1]	LI Yiming,LIU Shengli. Adaptive secure stream encryption supporting pattern matching [J]. Journal of Xidian University, 2023, 50(4): 1-10.
[2]	HUO Yuehua,WU Wenhao,ZHAO Faqi,WANG Qiang. Multi-view encryption malicious traffic detection method combined with co-training [J]. Journal of Xidian University, 2023, 50(4): 139-147.
[3]	GAO Jianbang, GAO Guowang. Reconfigurable intelligent surface-assisted non-line-of-sight secure communication scheme [J]. Journal of Xidian University, 2023, 50(2): 64-70.
[4]	LIU Ya,GONG Jiaxin,ZHAO Fengyu. Impossible differential attack on the encryption algorithm Simpira v2 [J]. Journal of Xidian University, 2022, 49(5): 201-212.
[5]	ZHAO Yiqiang,CAO Yuwen,HE Jiaji,Ma Haocheng,LIU Yanjiang,YE Mao. Design of random pre-obfuscation logic units against EM side-channel attack [J]. Journal of Xidian University, 2022, 49(4): 167-175.
[6]	XIE Lixia,NI Huiyu. Key business node identification model for the business process [J]. Journal of Xidian University, 2022, 49(2): 190-197.
[7]	DU Ruizhong,WANG Yi,TIAN Junfeng. Support dynamic and verifiable scheme for ciphertext retrieval [J]. Journal of Xidian University, 2022, 49(1): 35-46.
[8]	YANG Haibin,LI Ruifeng,YI Zhengge,NIU Ke,YANG Xiaoyuan. Efficient cloud storage data auditing scheme without bilinear pairing [J]. Journal of Xidian University, 2022, 49(1): 47-54.
[9]	WANG Yong,SU Zhuoyi,ZHU Zhengyu. Detection of voice transformation spoofing using the dense convolutional neural network [J]. Journal of Xidian University, 2021, 48(4): 168-175.
[10]	XIAO Yeqiu,ZHU Xinghui,ZHAO Shuangrui,REN Baoquan,SHEN Yulong. Analysis of physical layer security performance for satellite communication systems [J]. Journal of Xidian University, 2021, 48(3): 163-169.
[11]	SHEN Lixiang,MU Dejun,CAO Guo,XIE Guangqian,SHU Fangyong. Constructing formal verification models for hardware Trojans [J]. Journal of Xidian University, 2021, 48(3): 146-153.
[12]	LIU Huayuan,SU Yunfei,LI Ruilin,TANG Chaojing. Structure-statebased graybox Fuzzing technique [J]. Journal of Xidian University, 2021, 48(1): 117-123.
[13]	LI Teng,CAO Shijie,YIN Siwei,WEI Dawei,MA Xindi,MA Jianfeng. Optimal method for the generation of the attack path based on the Q-learning decision [J]. Journal of Xidian University, 2021, 48(1): 160-167.
[14]	YANG Hongyu,ZENG Renyun. Method for assessment of network security situation with deep learning [J]. Journal of Xidian University, 2021, 48(1): 183-190.
[15]	ZHENG Xianchun,LI Hui,WANG Rui,YAN Haonan,DAI Rui,XIAO Mingchi. Survey of anonymous network applications and simulation platforms [J]. Journal of Xidian University, 2021, 48(1): 22-38.