SYSTEM FOR SECURING SOFTWARE CONTAINERS WITH EMBEDDED AGENT

US 20190156023A1
Filed: 11/22/2017
Published: 05/23/2019
Est. Priority Date: 11/22/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing security for a software container, comprising:

receiving a software container image comprising a software application and security agent that is separate from the software application, wherein an execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent;

receiving a request to instantiate the software container image as a software container;

launching the security agent based on the request;

authenticating the contents of the software container image; and

controlling operation of the software application based on the authenticating.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method of providing security for a software container, according to an example of the present disclosure includes, receiving a software container image with a software application and security agent that is separate from the software application. An execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent. The method includes receiving a request to instantiate the software container image as a software container, launching the security agent based on the request, authenticating the contents of the software container image, and controlling operation of the software application based on the authenticating.

Citations

24 Claims

1. A computer-implemented method of providing security for a software container, comprising:
- receiving a software container image comprising a software application and security agent that is separate from the software application, wherein an execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent;
  
  receiving a request to instantiate the software container image as a software container;
  
  launching the security agent based on the request;
  
  authenticating the contents of the software container image; and
  
  controlling operation of the software application based on the authenticating.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein said controlling operation of the software application based on the authenticating comprises the security agent:
    - preventing launch of the software application based on the authentication failing; and
      
      based on the authentication succeeding;
      
      launching the software application; and
      
      controlling runtime operation of the software application from within the software container based on a security policy of the software application.
  - 3. The computer-implemented method of claim 2, wherein said controlling runtime operation of the software application from within the container based on the security policy comprises the security agent:
    - implementing operating system hooks that are configured to intercept requests from the software application, wherein the operating system hooks are implemented prior to said launching the software application; and
      
      controlling, from within the software container, whether intercepted requests of the software application are granted based on the security policy.
  - 4. The computer-implemented method of claim 3, wherein the operating system hooks are configured to detect one or more of:
    - file system access requested by the software application;
      
      processes requested by the software application; and
      
      network access requested by the software application.
  - 5. The computer-implemented method of claim 3, comprising:
    - receiving the security policy from a security server based on the authenticating;
      
      transmitting a security notification from the security agent to the security server if the software application attempts an action that violates the security policy; and
      
      maintaining, by the security server, a log of security notifications received for the software application.
  - 6. The computer-implemented method of claim 1, wherein said authenticating the contents of the software container image comprises:
    - creating, by the security agent, a second cryptographic fingerprint based on the contents of the software container image and based on the request;
      
      wherein said authenticating is based on a comparison of the second cryptographic fingerprint to a preexisting first cryptographic fingerprint that was previously created by the security agent based on the contents of the software container image.
  - 7. The computer-implemented method of claim 6, comprising:
    - transmitting the second cryptographic fingerprint to a security server for comparison against the preexisting first cryptographic fingerprint; and
      
      determining whether the contents of the container image are authenticated based on a response received from the security server.
  - 8. The computer-implemented method of claim 7, comprising the security server:
    - receiving the first cryptographic fingerprint during a first time period;
      
      receiving the second cryptographic fingerprint during a subsequent second time period;
      
      comparing the first and second cryptographic fingerprints;
      
      transmitting a notification to the security agent indicating that the software container image is authenticated based on the first and second cryptographic signatures matching; and
      
      transmitting a notification to the security agent that the software container image is not authenticated based on the first and second cryptographic signatures not matching.
  - 9. The computer-implemented method of claim 8, comprising the security server:
    - transmitting a security policy for the software application to the security agent if the first and second cryptographic signatures match.
  - 10. The computer-implemented method of claim 9, comprising the security server:
    - determining an application type of the software application; and
      
      selecting the security policy based on the application type.
  - 11. The computer-implemented method of claim 10, wherein said selecting the security policy based on the application type comprises:
    - selecting a default security policy of the application type for the software application if a specific security policy for the software application has not been received at the security server.

13. A computer-implemented method of providing security for a software container image, comprising:
- embedding a security agent within a software container image that also includes a software application, wherein the security agent is configured to control operation of the software application when the software container image is instantiated as a software container based on a security policy and a cryptographic fingerprint of the software container image; and
  
  replacing an initial execution entry point of the software container image that would have launched the software application upon software container image instantiation with a modified execution entry point that instead launches the security agent upon software container image instantiation.
- View Dependent Claims (14, 15)
- - 14. The computer-implemented method of claim 13, comprising:
    - transmitting a security policy for the software application to a security server for storage;
      
      wherein the security server is different from a computing device that performs said embedding; and
      
      wherein the security agent is configured to download the security polity from the security server at runtime when the software container image is instantiated as a container.
  - 15. The computer-implemented method of claim 13, wherein said embedding comprises adding a layer that includes the security agent to the software container image without modifying preexisting layers in the software container image.

16. A computing device comprising:
- memory configured to store a software container image that includes a software application and a security agent that is separate from the software application, wherein an execution entry point of the software container image that was previously configured to launch the software application has been modified to instead launch the security agent; and
  
  a processor operatively connected to the memory and configured to;
  
  receive a request to instantiate the software container image as a software container;
  
  launch the security agent based on the request;
  
  authenticate the contents of the software container image; and
  
  control operation of the software application based on the authentication.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computing device of claim 16, wherein to control operation of the software application based on the authentication, the processor is configured to operate the security agent to:
    - prevent launch of the software application based on the authentication failing; and
      
      based on the authentication succeeding;
      
      launch the software application; and
      
      control runtime operation of the software application from within the software container based on a security policy of the software application.
  - 18. The computing device of claim 17, wherein to control runtime operation of the software application from within the container based on the security policy, the processor is configured to operate the security agent to:
    - implement operating system hooks that intercept requests from the software application, wherein the operating system hooks are implemented prior to launch of the software application; and
      
      control, from within the software container, whether intercepted requests of the software application are granted based on the security policy.
  - 19. The computing device of claim 18, wherein the operating system hooks are configured to detect one or more of:
    - file system access requested by the software application;
      
      processes requested by the software application; and
      
      network access requested by the software application.
  - 20. The computing device of claim 16, wherein the processor is configured to:
    - operate the security agent to create a second cryptographic fingerprint based on the contents of the software container image and based on the request;
      
      wherein the authentication is based on a comparison of the second cryptographic fingerprint to a preexisting first cryptographic fingerprint that was previously created by the security agent based on the contents of the software container image.
  - 21. The computing device of claim 20, wherein the processor is configured to:
    - transmit the second cryptographic fingerprint to a security server for comparison against the preexisting first cryptographic fingerprint; and
      
      determine whether the contents of the container image are authenticated based on a response received from the security server.

22. A computing device comprising:
- memory configured to store a software container image comprising a software application; and
  
  a processor operatively connected to the memory and configured to;
  
  embed a security agent within the software container image, wherein the security agent is configured to control operation of the software application when the software container image is instantiated as a software container based on a security policy and a cryptographic fingerprint of the software container image; and
  
  replace an initial execution entry point of the software container image that would have launched the software application upon software container image instantiation with a modified execution entry point that instead launches the security agent upon software container image instantiation.
- View Dependent Claims (23, 24)
- - 23. The computing device of claim 22, wherein the processor is configured to:
    - transmit a security policy for the software application to a security server for storage;
      
      wherein the security server is different from a computing device that performs the embedding; and
      
      wherein the security agent is configured to download the security polity from the security server at runtime when the software container image is instantiated as a container.
  - 24. The computing device of claim 22, wherein to embed the security agent, the processor is configured to add a layer that includes the security agent to the software container image without modifying preexisting layers in the software container image.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Aqua Security Software, Ltd.
Original Assignee
Aqua Security Software, Ltd.
Inventors
Gerebe, Amir, Osnat, Rani

Granted Patent

US 10,956,563 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 2221/033   Test or assess software

H04L 9/3226   using a predetermined code,...

SYSTEM FOR SECURING SOFTWARE CONTAINERS WITH EMBEDDED AGENT

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM FOR SECURING SOFTWARE CONTAINERS WITH EMBEDDED AGENT

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links