在私有云上逆向工程Docker部署 [英] Reverse engineering a Docker deployment on private cloud

问题描述

我正在开发必须部署在客户端的私有云上​​的软件。客户端具有根访问权限以及硬件。我不希望客户端对我们的软件进行逆向工程。

I am working on a software that has to be deployed on private cloud of a client. The client has root access, as well as hardware. I don't want the client to reverse engineer our software.

我们可以在这里控制两件事：

We can control two things here:

1. 我们可以访问服务器的安全端口，我们可以使用它来发送令牌来解密代码，并在必要时将其关闭;


2. 我们可以手动安装（在安装时输入密码）或者如果我们必须使用防篡改设备。

Docker部署是否可以阻止我们的客户端对我们的代码进行逆向工程？我们计划打开一个端口并使用SSL来保护传入和传出的数据。

Can a Docker deployment prevent our client from reverse engineering our code? We plan to open a single port and use SSL to protect incoming and outgoing data.

推荐答案

如果用户有root，或者他可以使用他的定制内核（甚至内核模块），他可以做任何事情 - 转储内存，停止进程，附加调试器 - 启动逆向工程。如果用户可以访问硬件，他还可以获取root或定制内核。保护软件免受用户的唯一方法是使用良好的DRM，例如在TPM（可信平台模块）或ARM TrustZone的帮助下。 SecureBoot不会完全保护您的软件（在x86上通常可能会被关闭）。其他变体使用防篡改硬件（ http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/what-is-tamper-resistant-hardware.htm ），就像用来存储的银行的主加密密钥（处理PIN码）（ http://en.wikipedia.org/wiki / Hardware_security_module ），但是这个硬件的成本非常高。

If user has root, or he able to use his custom kernel (or even kernel modules), he can do anything - dump memory, stop process, attach debugger - to start reverse engineering. If user has access to hardware, he also can get root or custom kernel. The only way to protect soft from user - is using good DRM, for example with help of TPM (Trusted Platform Module), or ARM TrustZone. SecureBoot will not fully protect your soft (on x86 it usually may be turned off). Other variant is using Tamper-resistant hardware (http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/what-is-tamper-resistant-hardware.htm), like what is used to store master encryption keys (to process pin-codes) in banks (http://en.wikipedia.org/wiki/Hardware_security_module), but this hardware have very high cost.

已知Docker不会对用户的代码提供保护：
https://stackoverflow.com/a/26108342/196561 -

It is known that Docker does not give protection to the code from user: https://stackoverflow.com/a/26108342/196561 -

主机上运行的docker守护程序的root用户可以完全访问主机上运行的所有进程。这意味着控制主机的人可以随时访问应用程序的RAM以及文件系统。这使得无法隐藏解密文件系统或保护RAM免受调试的密钥。

The root user on the host machine (where the docker daemon runs) has full access to all the processes running on the host. That means the person who controls the host machine can always get access to the RAM of the application as well as the file system. That makes it impossible to hide a key for decrypting the file system or protecting RAM from debugging.

任何能够部署docker容器的用户来自docker组的用户）具有对容器fs的完全访问权限，具有对容器进程的root访问权限，并可以调试它们并转储其内存。
https：// www。 andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful

Any user capable of deploying docker container (user from docker group) has full access to the container fs, has root access to the container processes and can debug them and dump their memory. https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful

只有受信任的用户应该被允许控制你的Docker守护程序

Only trusted users should be allowed to control your Docker daemon

http://docs.docker.com/articles/security/#docker-daemon-attack-surface

Docker允许您在Docker主机和guest虚拟机容器之间共享目录;并且它允许您这样做，而不会限制容器的访问权限。

Docker allows you to share a directory between the Docker host and a guest container; and it allows you to do so without limiting the access rights of the container.

所以， Docker没有额外的保护您的用户代码;我们可以像其他包装系统一样考虑它，如rpm和deb。 Rpm和deb允许您将代码打包成单个文件和列表依赖关系，并将代码和依赖关系打包成单个文件。

So, Docker give no additional protection to your code from user; we can consider it just like other packaging system, like rpm and deb. Rpm and deb allows you to pack your code into single file and list dependencies, and docker packs your code and dependencies into single file.

解决方案托管在客户端的云服务器上，因此他们可以访问根和硬件。但是，我们有两个优点：1）我们可以访问一个安全的端口，我们可以使用它来发送令牌来解密代码，并审核可疑活动; 2）我们可以手动安装（在安装时输入令牌）

Our solution is hosted on our client's cloud server, so they do have access to both root and the hardware. However, we have two advantages here: 1) we have access to a secure port, which we can use to send tokens to decrypt the code, and audit suspicious activities; 2) we can do manual installation (key in a token at the time of installation)

您只能保护您拥有的代码，如果它在您拥有的硬件上运行（关闭所有NSA / IntelME / IPMI / UEFI后门到自己的硬件）。如果用户在他的硬件上运行你的代码，他将拥有所有的二进制文件，并且能够进行内存转储（从你收到令牌之后）。

You can protect only the code you own, if it is running on the hardware you own (turn off all NSA/IntelME/IPMI/UEFI backdoors to own hardware). If user runs your code on his hardware, he will have all binaries and will be capable of memory dumping (after receiving the token from you).

他的硬件上的虚拟化不会给您的代码提供额外的保护。

Virtualization on his hardware will not give your code any additional protection.

安全端口是指SSL / TLS / SSH？保护数据在网络发送时是安全的;两个端点将以简单，未加密的形式显示数据。

Does "secure port" means SSL/TLS/SSH? It is secure only to protect data when it is send on network; both endpoints will have the data in plain, unencrypted form.

手动安装不会有助于在离开用户数据中心后保护代码。

Manual installation will not help to protect code after you leave user's datacenter.

我认为您可以购买一些通常的软件保护解决方案，如flexlm，可能需要运行该软件所需的一些硬件令牌。但是任何保护可能会被破解，早期（便宜）会更容易破解，现代（更昂贵）的保护更难打破。

I think you can buy some usual software protection solution, like flexlm, may be with some hardware tokens required to run the software. But any protection may be cracked, early (cheaper) will be cracked easier, and modern (more expensive) protection is bit harder to crack.

您还可以运行一些部分的软件在您自己的服务器上;这部分将不会破解。

You may also run some part of software on your own servers; this part will be not cracked.

或使用防篡改硬件，如果我们必须。

or use Tamper resistance hardware if we have to.

如果用户的服务器中没有这样的硬件，则不能使用防篡改硬件。这是非常昂贵的。

You can't use tamper resistance hardware if there is no such hardware in the user's server. And it is very expensive.

这篇关于在私有云上逆向工程Docker部署的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！