
Research On Live Migration Of Secure Containers In Cloud Environment

Posted on: 2020-07-16
Degree: Master
Type: Thesis
Country: China
Candidate: Q Zhang
GTID: 2428330575457064
Subject: Intelligent Science and Technology

Abstract/Summary:
In recent years, container-based virtualization technology has become increasingly popular in industry. As containers become the new cloud computing platform, cloud security has become a major challenge for container deployment. Intel SGX (Software Guard Extensions) provides strong protection for applications. Applying SGX technology to containers enhances the security of the container cloud and provides tenants with strong privacy protection. A container running with SGX is referred to herein as a secure container. However, this technology also brings new problems: the performance of SGX secure containers is degraded significantly, and SGX secure containers do not support live migration. Since SGX does not allow applications running in the enclave to execute system calls, an application must exit enclave mode whenever it needs to request system services. If an application requests system services frequently, the overhead of mode switching is not negligible. At the same time, because an SGX enclave is usually bound to specific hardware and the untrusted OS cannot access the code and data in the enclave, SGX secure containers cannot be properly live migrated. Live migration, however, is a basic function of cloud computing, and the advantages of cloud computing are lost without it.

Firstly, this thesis studies the performance optimization of secure containers and proposes a switchless call based on the Intel SGX SDK (Software Development Kit), which eliminates the overhead caused by mode switching. The thesis establishes a performance model for the switchless call, and based on the results of the performance analysis, it designs and implements an efficiency-based scheduling algorithm for worker threads to optimize CPU (Central Processing Unit) efficiency.

Secondly, existing container live migration solutions cannot handle the migration of SGX secure containers. To solve this problem, this thesis designs and implements a live migration framework for SGX secure containers. The framework combines the features of SGX technology with the usage scenario of containers and provides developers with a lightweight, easy-to-use solution, while taking into account the migration of EPC (Enclave Page Cache) memory and persistent storage. In designing the live migration framework, the thesis ensures the security of the framework in addition to implementing the migration functionality: the framework can prevent fork attacks and rollback attacks on the migration process and ensure the consistency of the migrated data without relying on the operating system.

Finally, security evaluations demonstrate the security of the migration framework. Performance evaluations show that the secure container optimization yields a significant improvement in performance, while the worker thread scheduling algorithm effectively adjusts the number of worker threads for different types of workloads. In addition, SGX secure container migration has a time overhead of 15% compared to normal container migration, which is acceptable given its security advantage.
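As an added illustration (not the thesis's own model or code) of why switchless calls help a syscall-heavy enclave and how an efficiency-based scheduler might size the untrusted worker pool, the following discrete-time model compares the synchronous OCALL path with a switchless path; the cost constants, request trace and scheduling thresholds are assumptions.

```python
"""Discrete-time model of SGX switchless calls with an efficiency-based
worker scheduler (added illustration; costs, trace and rule are assumed)."""
from dataclasses import dataclass

# Assumed costs in arbitrary time units, not measurements.
SWITCH_COST = 8    # enclave exit + re-entry for one synchronous OCALL
SERVICE_COST = 1   # the system call itself, identical in both modes

def synchronous_cost(requests):
    """Classic OCALL path: every request pays the full mode switch."""
    return sum(requests) * (SWITCH_COST + SERVICE_COST)

@dataclass
class Scheduler:
    """Hypothetical efficiency rule: efficiency = served / capacity per tick.
    Near 1.0 the enclave threads are waiting, so add a worker; near 0.0 the
    workers spin on an empty queue and burn CPU, so remove one."""
    workers: int = 1
    low: float = 0.3
    high: float = 0.9
    max_workers: int = 8

    def adjust(self, served, capacity):
        efficiency = served / capacity        # capacity is never 0 (workers >= 1)
        if efficiency > self.high and self.workers < self.max_workers:
            self.workers += 1
        elif efficiency < self.low and self.workers > 1:
            self.workers -= 1
        return efficiency

def switchless_cost(requests, sched=None):
    """Enclave threads only enqueue; untrusted workers each serve one request
    per tick, so nobody leaves the enclave.  Cost = service work plus one unit
    of wasted CPU per idle worker-tick.  Returns (total_cost, workers_per_tick)."""
    sched = sched or Scheduler()
    trace, backlog, cost, history = list(requests), 0, 0, []
    while trace or backlog:               # keep ticking until the queue drains
        backlog += trace.pop(0) if trace else 0
        capacity = sched.workers
        served = min(backlog, capacity)
        backlog -= served
        cost += served * SERVICE_COST + (capacity - served)
        history.append(capacity)
        sched.adjust(served, capacity)
    return cost, history

if __name__ == "__main__":
    burst = [4, 4, 4, 4, 0, 0, 0, 0]      # constructed syscall-heavy trace
    print("sync:", synchronous_cost(burst), "switchless:", switchless_cost(burst))
```

On the constructed burst the synchronous path costs 144 units against 30 for the switchless path, with the pool growing to six workers and shrinking again once the queue drains; a sparse trace such as [1, 0, 1, 0] makes the single-threshold rule oscillate, which is why a practical scheduler needs hysteresis or averaging over several ticks.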
Keywords/Search Tags: cloud computing, container, Intel SGX, migration