2023云原生安全威胁分析与能力建设白皮书

1云原生安全威胁分析与能力建设白皮书中国联通研究院中国联通网络安全研究院下一代互联网宽带业务应用国家工程研究中心2023年11月 版权声明本报告版权属于中国联合网络通信有限公司研究院，并受法律保护。转载、摘编或利用其他方式使用本报告文字或者观点的，应注明“来源：中国联通研究院”。违反上述声明者，本院将追究其相关法律责任。 云原生安全威胁分析与能力建设白皮书1目录一、云原生安全概述................................................................................................91.1云原生及云原生安全.....................................................................................91.1.1云原生...................................................................................................101.1.2云原生安全...........................................................................................121.2云原生安全发展...........................................................................................141.3云原生安全风险...........................................................................................17二、云原生关键技术威胁全景..............................................................................192.1云原生安全威胁分析...................................................................................192.2路径1：镜像攻击.......................................................................................212.2.1镜像投毒攻击........................................................................................212.2.2镜像仓库攻击........................................................................................222.2.3中间人攻击...........................................................................................222.2.4敏感信息泄露攻击................................................................................222.2.5针对镜像不安全配置的攻击................................................................222.3路径2：容器攻击.......................................................................................232.3.1守护进程攻击........................................................................................232.3.2容器提权和逃逸攻击............................................................................242.3.3拒绝服务攻击........................................................................................25 云原生安全威胁分析与能力建设白皮书22.3.4容器网络攻击........................................................................................262.4路径3：编排工具攻击................................................................................262.4.1k8s组件攻击.........................................................................................272.4.2服务对外暴露攻击................................................................................272.4.3业务pod攻击......................................................................................282.4.4集群环境下的横向攻击........................................................................292.4.5k8s管理平台攻击.................................................................................292.4.6第三方组件攻击....................................................................................292.5路径4：微服务攻击...................................................................................292.5.1API攻击.................................................................................................302.5.2API网关攻击.........................................................................................322.5.3微服务应用攻击....................................................................................322.6路径5：Serverless攻击...........................................................................332.6.1事件注入攻击........................................................................................342.6.2敏感数据泄露攻击................................................................................342.6.3身份认证攻击........................................................................................352.6.4权限滥用攻击........................................................................................352.6.5拒绝服务攻击........................................................................................36 云原生安全威胁分析与能力建设白皮书32.6.6针对函数供应链的攻击........................................................................36三、典型攻击场景分析.........................................................................................373.1镜像投毒攻击...............................................................................................373.1.1攻击场景介绍........................................................................................373.1.2攻击过程复现........................................................................................383.2挂载DockerSocket导致容器逃逸攻击..................................................383.2.1攻击场景介绍........................................................................................383.2.2攻击过程复现........................................................................................393.3k8s权限提升攻击........................................................................................403.3.1攻击场景介绍........................................................................................403.3.2攻击过程复现........................................................................................413.4Istio认证策略绕过攻击...............................................................................433.4.1攻击场景介绍......................