Systems and methods for providing container security

US 10,601,807 B2
Filed: 06/18/2018
Issued: 03/24/2020
Est. Priority Date: 08/09/2011
Status: Active Grant

First Claim

Patent Images

1. A security system comprising a first server computer system, the first server computer system comprising:

one or more first processing units; and

a first memory, coupled to at least one of the one or more first processing units, the first memory storing a security module and an agent executive, the agent executive runs concurrently with the security module, and the agent executive executed by one or more of the one or more first processing units, the agent executive comprising instructions for;

(A) obtaining an agent API key from a user or by an automated process when the agent executive is executed for a first time;

(B) communicating the API key to a remote grid computer system;

(C) receiving an agent identity token from the remote grid computer system, wherein the remote grid computer system generates the agent identity token through a cryptographic token generation protocol when the API key is deemed valid by the remote grid computer system;

(D) storing the agent identity token in a secure data store associated with the agent executive;

(E) collecting information on the first server computer system for an evaluation of integrity of the agent executive using a plurality of agent self-verification factors;

(F) encrypting the information collected by the collecting (E) thereby creating encrypted information;

(G) signing the encrypted information using the agent identity token thereby creating signed encrypted information; and

(H) communicating the signed encrypted information to the remote grid computer system, wherein no network connection between the remote grid computer system and the agent executive is established,wherein the security module maintains a plurality of containers and comprises a container engine that instances a container image as a container in the plurality of containers, and wherein the container engine comprises a container manager that manages the plurality of containers.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer systems and methods are provided in which an agent executive running concurrent with a security module, when initially executed, obtains an agent API key from a user. This key is communicated to a grid computer system. An agent identity token, generated by a cryptographic token generation protocol when the API key is valid, is received from the grid and stored in a secure data store associated with the agent executive. Information that evaluates the integrity of the agent executive is collected using agent self-verification factors. The information, encrypted and signed with a cryptographic signature, is communicated to the grid. Commands are obtained from the grid by the agent executive to check the security, compliance, and integrity of the computer system. Based on these check results, additional commands are obtained by the grid by the agent executive to correct security, compliance, and integrity problems and/or to prevent security comprises.

168 Citations

33 Claims

1. A security system comprising a first server computer system, the first server computer system comprising:
- one or more first processing units; and
  
  a first memory, coupled to at least one of the one or more first processing units, the first memory storing a security module and an agent executive, the agent executive runs concurrently with the security module, and the agent executive executed by one or more of the one or more first processing units, the agent executive comprising instructions for;
  
  (A) obtaining an agent API key from a user or by an automated process when the agent executive is executed for a first time;
  
  (B) communicating the API key to a remote grid computer system;
  
  (C) receiving an agent identity token from the remote grid computer system, wherein the remote grid computer system generates the agent identity token through a cryptographic token generation protocol when the API key is deemed valid by the remote grid computer system;
  
  (D) storing the agent identity token in a secure data store associated with the agent executive;
  
  (E) collecting information on the first server computer system for an evaluation of integrity of the agent executive using a plurality of agent self-verification factors;
  
  (F) encrypting the information collected by the collecting (E) thereby creating encrypted information;
  
  (G) signing the encrypted information using the agent identity token thereby creating signed encrypted information; and
  
  (H) communicating the signed encrypted information to the remote grid computer system, wherein no network connection between the remote grid computer system and the agent executive is established,wherein the security module maintains a plurality of containers and comprises a container engine that instances a container image as a container in the plurality of containers, and wherein the container engine comprises a container manager that manages the plurality of containers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. The security system of claim 1, wherein the agent executive further comprises instructions for:
    - (I) querying a command queue on the remote grid computer system for one or more commands, wherein the command queue is accessed based upon an identity of the agent identity token; and
      
      (J) executing the one or more commands.
  - 3. The security system of claim 2, wherein a command in the one or more commands updates a firewall policy for the agent executive or the security module.
  - 4. The security system of claim 2, wherein a command in the one or more commands requires termination of the security module.
  - 5. The security system of claim 2, wherein the first memory further comprises a virtual machine and the security module and the agent executive are executed and associated with the virtual machine.
  - 6. The security system of claim 2, wherein a build log is compiled after each command in the one or more commands is completed.
  - 7. The security system of claim 2, wherein the querying (I) and executing (J) are repeated at a predetermined time.
  - 8. The security system of claim 2, wherein the querying (I) and executing (J) are repeated at on a predetermined recurring basis.
  - 9. The security system of claim 1, wherein:
    - the security system further comprises a second server computer system in electrical communication with the first security system, andthe second server computer system comprises;
      
      one or more second processing units,a second memory, coupled to at least one of the one or more second processing units, the second memory storing one or more registries, whereineach registry in the one or more registries comprises one or more container images,each container image in the one or more container images of each registry in the one or more registries comprises one or more layers, anda layer in the one or more layers of each respective container image in the one or more container images of each respective registry in the one or more registries is writeable.
  - 10. The security system of claim 9, wherein the agent executive further comprises instructions for:
    - (I) querying a command queue on the remote grid computer system for one or more commands, wherein the command queue is accessed based upon an identity of the agent identity token; and
      
      (J) executing the one or more commands.
  - 11. The security system of claim 10, wherein a first command in the one or more commands creates an inventory of container images across the one or more registries.
  - 12. The security system of claim 11, wherein the first command is repeated at a predetermined time.
  - 13. The security system of claim 11, wherein the first command is repeated on a predetermined recurring basis.
  - 14. The security system of claim 10, wherein a command in the one or more commands scans a layer in the one or more layers of each respective container image for a vulnerability in the respective container image.
  - 15. The security system of claim 14, wherein a layer in the one or more layers of each respective container image is the writeable layer.
  - 16. The security system of claim 10, wherein a command in the one or more commands scans a respective container image in the one or more container images for a vulnerability in the respective container image.
  - 17. The security system of claim 16, wherein the scanning comprises extracting and instancing the respective container image from the second server system as a container on the first server computer system.
  - 18. The security system of claim 16, wherein a command in the one or more commands scans a respective container image in the one or more container images that has not been previously scanned to identify a vulnerability in the respective container image.
  - 19. The security system of claim 18, wherein, when a new container image that has not been previously scanned is identified on the second server computer system by the agent executive, a first container of the new container image is deployed and stored in the memory of the first server computer system to test for vulnerabilities in the new container image.
  - 20. The security system of claim 10, wherein a command in the one or more commands maps a vulnerability in the one or more layers of a corresponding container image in the one or more registries.
  - 21. The security system of claim 10, wherein a command in the one or more commands detects a secret embedded in a container image in the one or more registries.
  - 22. The security system of claim 10, wherein a command in the one or more commands verifies a container image configuration hardening of a respective container image in the one or more registries.
  - 23. The security system of claim 22, wherein the container image configuration hardening comprises a user access control of the container corresponding to the respective container image, a network configuration of the container corresponding to the respective container image, a process profile of the container corresponding to the respective container image, or a combination thereof.
  - 24. The security system of claim 10, wherein a command in the one or more commands verifies a container runtime configuration of a container image in the one or more registries.
  - 25. The security system of claim 10, wherein a command in the one or more commands verifies a daemon configuration in a container image in the one or more registries.
  - 26. The security system of claim 10, wherein a command in the one or more commands audits a lifecycle of a respective container image in the one or more container images, wherein the lifecycle comprises a build, a distribution, and a run of the respective container image.
  - 27. The security system of claim 10, wherein a command in the one or more commands verifies one or more activities or one or more changes to a container image in the one or more registries.
  - 28. The security system of claim 10, wherein a command in the one or more commands creates a map between (i) the one or more container images in the one or more registries on the second server system and (ii) the at least one container in the container engine on the first server computer system.
  - 29. The security system of claim 10, wherein a command in the one or more commands creates groups between (i) the one or more container images in the one or more registries on the second server system and (ii) the at least one container in the container engine on the first computer system.
  - 30. The security system of claim 10, wherein a command in the one or more commands runs a Center for Internet Security (CIS) benchmark audit on a respective container image in the one or more registries.

31. A grid computer system comprising:
- one or more processing units;
  
  a memory, coupled to at least one of the one or more processing units, the memory storing a grid node, the grid node executed by at least one of the one or more processing units, the grid node comprising instructions for;
  
  (A) receiving an API key from an agent executive running concurrently with a security module that maintains a plurality of containers, which, in turn, is running on a computer that is remote to the grid computer system;
  
  (B) determining whether the API key is a valid API key;
  
  (C) generating a unique agent identity token through a cryptographic token generation protocol when the instructions for determining (B) deem the API key to be valid;
  
  (D) communicating the agent identity token to the security module running on the remote computer;
  
  (E) receiving encrypted information, signed with a cryptographic digital signature, from the security module from an evaluation of the integrity of the agent executive based upon a plurality of agent self-verification factors, wherein the receiving comprises decrypting the information using the agent identity token to form decrypted information and verifying the signature thereby obtaining decrypted, authenticated and integrity-verified information; and
  
  (F) verifying the integrity of the agent executive based on the decrypted, authenticated and integrity-verified information.

32. A grid computer system comprising:
- one or more processing units;
  
  a memory, coupled to at least one of the one or more processing units, the memory storing a grid node, the grid node executed by at least one of the one or more processing units, the grid node comprising instructions for;
  
  (A) receiving an alert from a first agent executive running concurrently with a first security module that maintains a plurality of containers on a computer that is remote to the grid computer system, the alert (i) indicating that the first agent executive has started running concurrently with the first security module and (ii) indicating a first agent identity token associated with the first agent executive;
  
  (B) determining whether the first agent identity token is valid;
  
  (C) determining whether the first agent identity token is being used by a second agent executive running concurrently with a second security module;
  
  (D) generating a second agent identity token through a cryptographic token generation protocol when (i) the first agent identity token is deemed valid by the determining (B) and (ii) the determining (C) determines that the first agent identity token is being used by the second agent running concurrent with the second security module;
  
  (E) communicating the second agent identity token to the first security module;
  
  (F) receiving encrypted information signed by a digital signature from the first security module from an evaluation of integrity of the first agent executive based upon a plurality of agent self-verification factors, wherein the receiving comprises decrypting the information using the second agent identity token in order to form decrypted information and validating the signature; and
  
  (G) verifying the integrity of the first agent executive based on the decrypted information when the signature has been validated.
- View Dependent Claims (33)
- - 33. The grid computer system of claim 32, the grid node further comprising instructions for:
    - (H) creating, as a function of the second agent identity token, a command queue on the grid computer system, wherein the command queue is unique to the first agent executive; and
      
      (I) posting one or more commands to be executed by the first agent executive to the command queue.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fidelis Security LLC, Runway Growth Finance Corporation
Original Assignee
CloudPassage Inc.
Inventors
Sweet, Carson, Gupta, Amit
Primary Examiner(s)
Su, Sarah

Application Number

US16/011,532
Publication Number

US 20180309747A1
Time in Patent Office

645 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/126   the source of the received ...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Systems and methods for providing container security

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

168 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing container security

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links