
Research On Safety Isolation Mechanism Of Docker Container

Posted on: 2018-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: J F Hu
Full Text: PDF
GTID: 2348330533968394
Subject: Computer application technology

Abstract/Summary:
Because Docker container images are not well protected, they are liable to be tampered with, which seriously compromises the security of the container and can even threaten the security of the whole Docker system. If the processes inside a container are not monitored, a malicious process running inside the container is a significant threat to the container itself. Furthermore, Docker containers are not completely isolated: unauthorized containers can communicate with other containers, which are then exposed to attack by untrusted containers. In view of this, this thesis focuses on dynamic integrity measurement of processes, proposes a dynamic integrity measurement model for processes based on trusted computing, and on that basis constructs a multi-level security isolation model based on trusted Docker containers. Finally, the feasibility of the model is verified experimentally. The main contributions of this thesis are as follows:

1. The deficiencies of existing dynamic integrity measurement models for processes are analysed. Drawing on the ideas of trusted computing, integrity measurement and shadow stack technology, and building on the existing models, a dynamic integrity measurement model for processes based on trusted computing is proposed. The model performs a static integrity measurement of the process image before the process starts, ensuring that the process is trusted before it runs, and then measures the integrity of the code pages and the stack after the process has been loaded into memory, ensuring that the process remains trusted once in memory and effectively preventing ROP attacks that exploit buffer overflows.

2. Drawing on trusted computing, integrity measurement and an RRN key generation algorithm, and combining them with the integrity measurement model presented in this thesis, a multi-level security isolation model based on trusted-computing Docker containers is constructed. The model builds a chain of trust that starts from the Docker system, extends to the container, and then to the processes loaded inside the container, so that the container runs in a secure and reliable environment. In addition, the container's multi-level access control module effectively restricts communication by unauthorized containers, strengthening the security isolation between containers. Mathematical analysis and experiments show that the model strengthens the security isolation of containers to a certain extent and effectively protects container security, thereby achieving the research goal of a security isolation mechanism for Docker containers.
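As an added illustration (not code from the thesis, whose implementation is not reproduced on this page), the static pre-start measurement from item 1 and the chain of trust from item 2 can be shown with a TPM-style measurement register: each link (Docker daemon binary, image layers, process image) is hashed, appended to a measurement log and folded into one register with an order-dependent extend operation, and a verifier replays the log and checks every entry against a static allow-list. All blobs, link names and the allow-list below are constructed stand-ins, and the RRN key generation algorithm mentioned in the abstract is not modelled.

```python
"""Measured chain of trust for a container runtime, in the style of a TPM PCR.

Added illustration, not the thesis's own code.  Every link (runtime binary,
image layers, process image) is hashed, appended to a measurement log and
folded into one register with an order-dependent extend operation; a verifier
replays the log and checks each entry against a static allow-list.  All blobs
and names below are constructed stand-ins for real files and layers.
"""
import hashlib
from typing import Dict, List, Sequence, Tuple

Entry = Tuple[str, str]          # (link name, hex SHA-256 of the link)
REGISTER_INIT = b"\x00" * 32     # a fresh PCR starts at all zeros


def digest(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: R' = H(R || m).  Folding is one-way and ordered, so a
    log with the same entries in a different order yields a different register."""
    return hashlib.sha256(register + measurement).digest()


# Constructed stand-ins for the trusted artefacts (hypothetical contents).
DOCKERD_BIN = b"\x7fELF dockerd (stand-in)"
IMAGE_LAYERS = [b"layer0: rootfs", b"layer1: app", b"layer2: config"]
PROCESS_IMAGE = b"\x7fELF /usr/bin/app (stand-in)"

# Static reference measurements, i.e. what an integrity policy would store.
ALLOWLIST: Dict[str, set] = {
    "dockerd": {digest(DOCKERD_BIN).hex()},
    "layer": {digest(layer).hex() for layer in IMAGE_LAYERS},
    "process": {digest(PROCESS_IMAGE).hex()},
}


def static_process_check(image: bytes, allowlist=ALLOWLIST) -> bool:
    """Static integrity measurement before exec: hash the image on disk and
    compare with the reference value; refuse to start on mismatch."""
    return digest(image).hex() in allowlist["process"]


def measure_chain(dockerd: bytes, layers: Sequence[bytes],
                  process: bytes) -> Tuple[bytes, List[Entry]]:
    """Build the chain root -> container -> process: Docker system first,
    then each image layer, then the process image loaded in the container."""
    links = [("dockerd", dockerd)]
    links += [(f"layer{i}", layer) for i, layer in enumerate(layers)]
    links += [("process", process)]
    register, log = REGISTER_INIT, []
    for name, blob in links:
        m = digest(blob)
        log.append((name, m.hex()))
        register = extend(register, m)
    return register, log


def replay(log: Sequence[Entry]) -> bytes:
    """Recompute the register from the log alone (what a verifier does)."""
    register = REGISTER_INIT
    for _, hexdigest in log:
        register = extend(register, bytes.fromhex(hexdigest))
    return register


def verify_chain(log: Sequence[Entry], register: bytes,
                 allowlist=ALLOWLIST) -> bool:
    """Accept only if the log replays to the register (no silent edits), the
    chain is anchored at the Docker system and ends at the process, and every
    link's measurement is a known-good value."""
    if replay(log) != register:
        return False
    if not log or log[0][0] != "dockerd" or log[-1][0] != "process":
        return False
    for name, hexdigest in log:
        kind = "layer" if name.startswith("layer") else name
        if hexdigest not in allowlist.get(kind, set()):
            return False
    return True


if __name__ == "__main__":
    reg, log = measure_chain(DOCKERD_BIN, IMAGE_LAYERS, PROCESS_IMAGE)
    print("chain ok:", verify_chain(log, reg))
    tampered = [IMAGE_LAYERS[0], b"layer1: tampered", IMAGE_LAYERS[2]]
    reg2, log2 = measure_chain(DOCKERD_BIN, tampered, PROCESS_IMAGE)
    print("tampered layer rejected:", not verify_chain(log2, reg2))
```

The point of replaying the log rather than trusting it is that a tampered link cannot be hidden by editing the log after the fact: the register was extended with the real measurements in order, so any edit, insertion or reordering makes the replay disagree with it, and an unmeasured link (a chain that does not start at the Docker system) is rejected outright.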
Keywords/Search Tags: Docker container, trusted computing, dynamic integrity measurement, RRN key generation algorithm