Research On Docker Platform Protection Technology Based On Trusted Computing

With the continuous development and widespread application of cloud computing technology,virtualization technology has become increasingly important.Compared to traditional virtualization technology,container-based virtualization technology is more lightweight,flexible,and has less impact on system performance,and is therefore favored by more and more users and manufacturers.Docker technology is a kind of container technology.It currently occupies a dominant position in the container market and has become the de facto standard for container technology.Therefore,it is meaningful and significant in theory and application to research on the security protection of the Docker platform.In the Docker platform,the low isolation of the container and the construction and distribution of the image may introduce new security threats.How to ensure the trusted startup of the container and the trust between user and container in an untrusted container environment is an urgent problem.To this end,this dissertation uses the trusted computing technology to implement the dynamic security protection of the Docker platform to solve the above problems.The research work of this dissertation mainly includes the following aspects:1.In view of the existing performance and confidentiality problems of using physical TPM or virtual TPM to implement trusted computing in the Docker environment,this dissertation proposes a method for implementing trusted computing based on virtual PCR.The virtual PCR method only virtualizes the PCR part of the TPM,and other TPM functions are directly provided by the physical TPM.This method generates a corresponding virtual PCR instance that is used for the extended storage of measurement values for each container.And the instance is strongly bound to the corresponding container and the underlying trusted computing base respectively to ensures the isolation and trust of measurement data of each container.At the same time,in reponse to the problem that the AIK of TPM cannot sign external data in the TCG specification,the dual AIK signature scheme is apopted.The virtual AIK is used to sign data in the virtual PCR instance,and the corresponding protocol for the virtual PCR module to apply for the virtual AIK certificate from CA is designed to ensure the authenticity of the identity of the virtual PCR instance.2.In view of the problem of lack of dynamic integrity measurement in Dockeroriented trusted measurement methods,this dissertation proposes a dynamic integrity measurement method based on the code segments in the process address space.This method uses the code segments of target process itself and the rely on shared libraries as measurement object.The measurement agent calculates the hash value of the content in each code segment as measurement value,and uses the virtual PCR module to provide trusted storage for the measurement value,thereby achieving the effect of container-level dynamic trust.3.To address the difficulty of maintaining the dataset of reference values used in the verification process,this dissertation proposes a method to automatically generate reference values based on ELF files to ensure the maintainability of the dataset.At the same time,in view of the problem of poor isolation of local verification,this dissertation proposes a remote verification method,by placing the target system and the verification system in different physical hosts,and using the designed remote verification protocol to obtain the evidence provided by the measurement agent,verify the trust of the evidence,and compare the measurement value and the reference value to finally determine the trust state of the target system.By this method,the turst of the verification result of the measurement value can be guaranteed.4.The trusted Docker platform is designed and implemented.The benchmark calculation module,container management module and remote attestation module are designed and implemented respectively.And the trusted Docker host discussed in 1 and2 is also implemented.Finally,the platform is evaluated form two aspects of effectiveness and usability.