关键词: Docker容器逃逸, 强制访问控制, 模糊聚类, 风险矩阵分析, Linux安全模型

Abstract: Docker is widely used in network application systems. However, there are not enough corresponding protection measures for the relatively low frequency but fatal escape problem. In order to reduce the harm of the docker escape problems, CFMAC (container based on fuzzy mandatory access control) model is proposed to reinforce the security of the Docker container. The model uses mandatory access control to restrict the attacker's access after Evasion Attacks. As well as, in order to solve the problem of hard to determine the entity security level and strong subjectivity in mandatory access control, fuzzy clustering analysis and risk matrix analysis are combined to divide the subject and object into three levels: secret, general and public, to intercept access and enter security verification by LSM(Linux security model). The test results show that the model can successfully restrict suspicious processes to access files.

Key words: Docker container escape, mandatory access control, fuzzy clustering, risk matrix analysis, Linux security model