US2021209221A1PendingUtilityA1

System for securing software containers with encryption and embedded agent

51
Assignee: AQUA SECURITY SOFTWARE LTDPriority: Jan 8, 2018Filed: Mar 19, 2021Published: Jul 8, 2021
Est. expiryJan 8, 2038(~11.5 yrs left)· nominal 20-yr term from priority
H04L 63/145H04L 9/3247H04L 9/3226G06F 21/44H04L 63/08H04L 9/3236H04L 9/0643H04L 63/12G06F 21/565H04L 63/20
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A computer-implemented method of providing security for a software container according to an example of the present disclosure includes receiving a software container image having a software application layer that is encrypted and includes a software application, and having a separate security agent layer that includes a security agent. The method includes receiving a request to instantiate the software container image as a software container. The method also includes, based on the request: launching the security agent and utilizing the security agent to decrypt and authenticate the software application layer, and control operation of the software application based on the authentication.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer-implemented method of providing security for a software container, comprising:
 receiving a software container image comprising a software application layer that is encrypted and includes a software application, and a separate security agent layer that includes a security agent;   receiving a request to instantiate the software container image as a software container; and   based on the request:
 launching the security agent; and 
 utilizing the security agent to decrypt and authenticate the software application layer, and control operation of the software application based on the authentication. 
   
     
     
         2 . The computer-implemented method of  claim 1 , wherein said utilizing the security agent to control operation of the software application based on the authenticating comprises the security agent:
 preventing launch of the software application based on the authentication failing; and   based on the authentication succeeding:
 launching the software application; and 
 controlling runtime operation of the software application from within the software container based on a security policy of the software application. 
   
     
     
         3 . The computer-implemented method of  claim 2 , wherein said controlling runtime operation of the software application from within the software container based on the security policy comprises the security agent:
 implementing operating system hooks that are configured to intercept requests from the software application, wherein the operating system hooks are implemented prior to said launching the software application; and   controlling, from within the software container, whether intercepted requests of the software application are granted based on the security policy.   
     
     
         4 . The computer-implemented method of  claim 3 , wherein the operating system hooks are configured to detect one or more of:
 file system access requested by the software application;   processes requested by the software application; and   network access requested by the software application.   
     
     
         5 . The computer-implemented method of  claim 3 , comprising:
 receiving the security policy from a security server based on the authenticating;   transmitting a security notification from the security agent to the security server based on the software application attempting an action that violates the security policy; and   maintaining, by the security server, a log of security notifications received for the software application.   
     
     
         6 . The computer-implemented method of  claim 1 , wherein said utilizing the security agent to authenticate the software application layer comprises:
 creating, by the security agent, a second cryptographic fingerprint based on the decrypted software application layer and based on the request;   wherein said authenticating is based on a comparison of the second cryptographic fingerprint to a preexisting first cryptographic fingerprint that was previously created based on the software application layer.   
     
     
         7 . The computer-implemented method of  claim 6 , comprising:
 transmitting the second cryptographic fingerprint to a security server for comparison against the preexisting first cryptographic fingerprint; and   determining whether the software application layer is authenticated based on a response received from the security server.   
     
     
         8 . The computer-implemented method of  claim 7 , comprising the security server:
 receiving the first cryptographic fingerprint during a first time period;   receiving the second cryptographic fingerprint during a subsequent second time period;   comparing the first and second cryptographic fingerprints;   transmitting a notification to the security agent indicating that the software application layer is authenticated based on the first and second cryptographic fingerprints matching; and   transmitting a notification to the security agent that the software application layer is not authenticated based on the first and second cryptographic fingerprints not matching.   
     
     
         9 . The computer-implemented method of  claim 8 , comprising the security server:
 transmitting a security policy for the software application to the security agent based on the first and second cryptographic fingerprints matching.   
     
     
         10 . The computer-implemented method of  claim 9 , comprising the security server:
 determining an application type of the software application; and   selecting the security policy based on the application type.   
     
     
         11 . The computer-implemented method of  claim 10 , wherein said selecting the security policy based on the application type comprises:
 selecting a default security policy of the application type for the software application based on a specific security policy for the software application not being received at the security server.   
     
     
         12 . A computer-implemented method of providing security for a software container image, comprising:
 obtaining a software container image that includes at least one lower layer that stores a software application, and includes an execution entry point configured to launch to the software application upon instantiation of the software container image;   encrypting the at least one lower layer to obtain at least one encrypted layer; and   generating an encrypted container image that replaces the at least one lower layer with the at least one encrypted layer;   embedding a security agent within the encrypted software container image that is configured to control operation of the software application when the encrypted software container image is instantiated as a software container based on a security policy and a cryptographic fingerprint of the at least one lower layer; and   configuring the execution entry point of the encrypted software container image to launch the security agent instead of the software application upon instantiation of the encrypted software container image.   
     
     
         13 . The computer-implemented method of  claim 12 , comprising:
 transmitting a security policy for the software application to a security server for storage;   wherein the security server is different from a computing device that performs said generating and embedding; and   wherein the security agent is configured to download the security polity from the security server at runtime when the software container image is instantiated as a container.   
     
     
         14 . A computing device comprising:
 memory configured to store a software container image that includes a software application layer that is encrypted and includes a software application, and a separate security agent layer that includes a security agent; and   a processor operatively connected to the memory and configured to:
 receive a request to instantiate the software container image as a software container; and 
 based on the request:
 launch the security agent; and 
 utilize the security agent to decrypt and authenticate the software application layer, and control operation of the software application based on the authentication. 
 
   
     
     
         15 . The computing device of  claim 14 , wherein to control operation of the software application based on the authentication, the processor is configured to operate the security agent to:
 prevent launch of the software application based on the authentication failing; and   based on the authentication succeeding:
 launch the software application; and 
 control runtime operation of the software application from within the software container based on a security policy of the software application. 
   
     
     
         16 . The computing device of  claim 15 , wherein to control runtime operation of the software application from within the software container based on the security policy, the processor is configured to operate the security agent to:
 implement operating system hooks that intercept requests from the software application, wherein the operating system hooks are implemented prior to launch of the software application; and   control, from within the software container, whether intercepted requests of the software application are granted based on the security policy.   
     
     
         17 . The computing device of  claim 16 , wherein the operating system hooks are configured to detect one or more of:
 file system access requested by the software application;   processes requested by the software application; and   network access requested by the software application.   
     
     
         18 . The computing device of  claim 14 , wherein the processor is configured to:
 operate the security agent to create a second cryptographic fingerprint based on the decrypted software application layer and based on the request;   wherein the authentication is based on a comparison of the second cryptographic fingerprint to a preexisting first cryptographic fingerprint that was previously created by the security agent based on the software application layer.   
     
     
         19 . The computing device of  claim 18 , wherein the processor is configured to:
 transmit the second cryptographic fingerprint to a security server for comparison against the preexisting first cryptographic fingerprint; and   determine whether the software application layer is authenticated based on a response received from the security server.   
     
     
         20 . A computing device comprising:
 memory configured to store a software container image comprising at least one lower layer that stores a software application, and includes an execution entry point configured to launch the software application upon instantiation of the software container image; and   a processor operatively connected to the memory and configured to:
 encrypt the at least one lower layer to obtain at least one encrypted layer; and 
 generate an encrypted software container image that replaces the at least one lower layer with the at least one encrypted layer; 
 embed a security agent within the encrypted software container image, wherein the security agent is configured to control operation of the software application when the encrypted software container image is instantiated as a software container based on a security policy and a cryptographic fingerprint of the at least one lower layer; and 
 configure the execution entry point of the encrypted software container image to launch the security agent instead of the software application upon instantiation of the encrypted software container image. 
   
     
     
         21 . The computing device of  claim 20 , wherein the processor is configured to:
 transmit a security policy for the software application to a security server for storage;   wherein the security server is different from a computing device that performs the generating and embedding; and   wherein the security agent is configured to download the security polity from the security server at runtime when the software container image is instantiated as a container.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.