
Research On Key Technologies Of Trusted Container Cloud Environment

Posted on: 2022-07-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G J Liu
Full Text: PDF
GTID: 1488306764993229
Subject: Automation Technology
Abstract/Summary:
In a container cloud environment, containers are created and run by the container engine. Compared with traditional virtual machines, containers run directly on the host operating system, which gives higher performance, better portability and faster start-up. The rapid development of container orchestration and resource scheduling technology has made container technology increasingly popular. However, the container cloud also has many security problems, including the security of container applications, of container-to-container interaction, and of the boundary between container and host; security has become one of the main obstacles to deploying container applications. Cloud environments based on container technology have become the application platform for many important information systems. In the newly released classified protection standards for network security, trusted computing has become the core technology supporting the security of important information systems. This dissertation studies the architecture and methods for building a trusted container cloud environment with active immune trusted computing. The main research work and innovations are as follows:

1. For the problem of malicious tampering with container applications in the container cloud environment, a trusted container cloud environment architecture based on active immune trusted computing is proposed to protect the container cloud environment comprehensively. By extending the functions of the Trusted Software Base (TSB), a trusted measurement agent is added to the container engine to perform static and dynamic measurement of container applications and to remotely attest the security and trustworthiness of the container cloud environment.

2. For the problem of malicious tampering with server firmware in the container cloud environment, a trusted boot method based on the Trusted Platform Control Module (TPCM) is proposed. The TPCM serves as the root of trust, each stage measures the next one before handing over control, and the resulting chain of trust establishes a trusted operating environment for the container cloud server. Trusted boot methods are proposed for three cloud server infrastructures with different structures: a trusted boot method for servers based on the Preboot Execution Environment (PXE); a trusted boot method for servers based on the Baseboard Management Controller (BMC); and a trusted boot method for servers based on paravirtualized Virtual I/O (virtio) devices. Experimental results show that these methods can effectively prevent the firmware from being tampered with.

3. For the problem of untrustworthy network connections in the container cloud environment, a Container Trusted Connection Architecture (CTCA) is proposed, based on the "three-element, three-tier" Trusted Connection Architecture (TCA). It realizes two-way identity authentication and two-way platform integrity authentication between the management node and the computing nodes of the container cloud environment, so that the management node can establish the trustworthiness of a computing node's behavior. An improved and optimized convolutional neural network is used to detect the container network behavior data collected by CTCA and determine whether the container network behavior is trustworthy. A trusted network protection strategy built from these detection results can identify network attack behaviors.

Prototype designs and experiments were carried out for the key technologies of the proposed trusted container cloud environment, and the experimental results show the rationality and effectiveness of the proposed architecture and models. A trusted measurement module was added to the open source container engine Docker and the scheduling tool Kubernetes to realize a trusted container cloud operating environment. A trusted measurement verification algorithm was added to open source BMC firmware and open source BIOS firmware to construct trusted BMC firmware and trusted BIOS firmware; the bootloader and the operating system kernel are verified at system start-up, and the operating system is started only after verification passes. Based on an open source visual container cloud management and scheduling tool, a trusted container cloud security management center was designed and implemented, comprising system management, security management and audit management. A container network behavior detection module was designed and deployed in the security management center to detect container network behavior.
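The measure-then-verify chain described in items 1 and 2 and in the prototype paragraph (a root of trust measures each boot stage before handing over control, only verified stages extend a measurement register, the register value is attested remotely, and the container engine's measurement agent applies the same static check to container images) is modelled below as an added example. It is not code from the dissertation or its prototype: the stage names, the constructed sample images, the assumption that the reference manifest lives in the TPCM's protected storage, and the layer-chaining scheme for container images are all choices made for this illustration.

```python
import hashlib
from dataclasses import dataclass, field

BOOT_ORDER = ("bmc_firmware", "bios_firmware", "bootloader", "kernel")

# Constructed stand-ins for the real binaries a TPCM would measure; their
# contents and the stage names are assumptions for this example.
GOOD_IMAGES = {
    "bmc_firmware": b"bmc firmware image v1",
    "bios_firmware": b"bios firmware image v1",
    "bootloader": b"bootloader image v1",
    "kernel": b"kernel image v1",
}
# The same set with the bootloader modified by one byte: the tampering case.
TAMPERED_IMAGES = dict(GOOD_IMAGES, bootloader=b"bootloader image v1!")


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_manifest(images: dict) -> dict:
    """Reference measurements, produced at build time and stored where the
    root of trust can read them (assumed here: TPCM protected storage)."""
    return {stage: sha256(img) for stage, img in images.items()}


MANIFEST = build_manifest(GOOD_IMAGES)


class TamperedStage(Exception):
    """Raised when a stage's measurement does not match the manifest."""


@dataclass
class MeasurementRegister:
    """A PCR-style register: it can only be extended, never written directly,
    so its final value commits to every measurement and to their order."""
    value: bytes = bytes(32)
    log: list = field(default_factory=list)

    def extend(self, stage: str, measurement: bytes) -> bytes:
        self.value = sha256(self.value + measurement)
        self.log.append((stage, measurement.hex()))
        return self.value


def trusted_boot(images: dict, manifest: dict) -> MeasurementRegister:
    """Measure, then verify, each stage in boot order; refuse to hand control
    to a stage whose measurement differs from the reference value."""
    reg = MeasurementRegister()
    for stage in BOOT_ORDER:
        measured = sha256(images[stage])
        if measured != manifest[stage]:
            raise TamperedStage(stage)
        reg.extend(stage, measured)  # only verified stages enter the register
    return reg


def boot_failure_stage(images: dict, manifest: dict):
    """Return the first stage that fails verification, or None if boot completes."""
    try:
        trusted_boot(images, manifest)
    except TamperedStage as exc:
        return exc.args[0]
    return None


def verify_attestation(reported_value: bytes, manifest: dict) -> bool:
    """Remote attestation: the verifier replays the reference measurements and
    compares the result with the register value the node reports."""
    expected = MeasurementRegister()
    for stage in BOOT_ORDER:
        expected.extend(stage, manifest[stage])
    return expected.value == reported_value


def measure_container_image(layers: list) -> bytes:
    """Static measurement for the engine's measurement agent: chain the layer
    digests so that replacing or reordering any layer changes the result."""
    digest = bytes(32)
    for layer in layers:
        digest = sha256(digest + sha256(layer))
    return digest


def admit_container(layers: list, allowlist: set) -> bool:
    """Engine-side policy: start a container only from an allowlisted image."""
    return measure_container_image(layers) in allowlist


if __name__ == "__main__":
    reg = trusted_boot(GOOD_IMAGES, MANIFEST)
    print("boot ok, register =", reg.value.hex())
    print("attestation passes:", verify_attestation(reg.value, MANIFEST))
    print("tampered boot stops at:", boot_failure_stage(TAMPERED_IMAGES, MANIFEST))
    good_layers = [b"base layer", b"app layer"]
    allow = {measure_container_image(good_layers)}
    print("admit good image:", admit_container(good_layers, allow))
    print("admit swapped layers:", admit_container(good_layers[::-1], allow))
```

Two properties of the model matter in practice: the register is extended only after a stage verifies, so a tampered bootloader leaves no later measurement and the chain stops at that stage rather than booting an unverified kernel, and the attestation verifier never trusts the node's event log, it replays the manifest itself and compares only the final register value.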
Keywords/Search Tags: Container cloud, Trusted computing, Trusted boot, Trusted measurement, Trusted network