
Cloud Container System Based On Process-level Virtualization And Technology Security Hardware Feature

Posted on: 2021-10-19
Degree: Master
Type: Thesis
Country: China
Candidate: S Cao
Full Text: PDF
GTID: 2518306503474014
Subject: Software engineering
Abstract/Summary:
With the rapid development of cloud computing, more and more high-performance, valuable data and applications are being migrated to the cloud. Currently, both virtual machine technology and container technology are used in the cloud to isolate applications belonging to different users. Compared with traditional virtual machine technology, container technology is widely used in cloud scenarios because of advantages such as fast startup, high resource utilization and easy deployment. Container technology lets users focus on business logic without having to consider factors such as the system's operating environment, which increases efficiency. Unlike a virtual machine, which has an independent guest operating system (Guest OS), containers share the host operating system, which makes containers less isolated than virtual machines. Containers receive system call services from the host operating system. Once the host operating system is compromised by a malicious container, the isolation between containers is destroyed, which affects the security of all containers. This weakness in isolation means that container technology is mainly used in private cloud scenarios. In complex public cloud scenarios, cloud service providers mostly provide container services to users by running the containers inside virtual machines.

In order to solve the application problem of container technology in the public cloud scenario, this thesis attempts to combine process-level virtualization technology with Trusted Execution Environment (TEE) technology to enhance the isolation of containers. This thesis provides a secure and efficient container solution that is suitable for complex public cloud scenarios. The solution uses AMD Secure Encrypted Virtualization (SEV) as its security hardware feature. Users can use the secure container provided by this solution in the public cloud as a process-level Trusted Execution Environment (TEE). The solution uses SEV memory encryption to prevent attacks by privileged programs and physical attacks. Users can complete transactions and use cloud services without trusting the cloud service provider.

There are two main issues in the traditional cloud container solution that runs containers in a virtual machine:
1. Both the cloud platform system software and the virtual machine system software affect the security of the container, which makes the trusted computing base (TCB) too large.
2. Containers cannot defend against attacks from malicious cloud providers.

In order to solve the above two problems, this thesis proposes a security solution based on the combination of container technology and SEV technology. The solution is applicable to public cloud scenarios and mainly contains the following two parts.
· In order to solve the problem that the trusted computing base (TCB) is too large, this thesis designs and implements a process-level virtualization container solution. Compared with the traditional cloud container solution that runs containers in virtual machines, this solution uses process-level virtualization technology to convert the system-level virtualization environment into a process-level virtualization environment. The process-level virtualization container solution provides a streamlined kernel and a streamlined virtual machine monitor, which solves the problem of the large trusted computing base. The solution improves the security of containers by combining containers with process-level virtualization technology.
· In order to solve the problem that containers cannot defend against attacks from malicious cloud service providers, this thesis extends the SEV function on the basis of the process-level virtualization container solution and provides the SEV secure container solution. Compared with the traditional cloud container solution that runs containers in virtual machines, this solution serves system calls inside the container through a library operating system (Lib OS), which reduces the container's dependence on the host operating system. The SEV secure container solution uses SEV encryption to prevent malicious program attacks and physical attacks from malicious cloud service providers, enabling users to complete transactions and use secure containers without trusting the cloud service providers.
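The SEV secure container solution above only delivers its memory-encryption guarantee when the host actually has SEV enabled in the KVM AMD driver. The following host-side check is an added example written for this page, not code from the thesis; it assumes a Linux host where the kvm_amd module exposes its `sev` and `sev_es` parameters under `/sys/module/kvm_amd/parameters/` (older kernels store `1`/`0`, newer ones `Y`/`N`) and that `/proc/cpuinfo` lists the `sev` CPU flag on capable processors. The directory and cpuinfo paths are parameters so the functions can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the thesis): report whether the host kernel has
# AMD SEV / SEV-ES enabled in kvm_amd, which an SEV-backed container relies on.
# Assumption: parameter files live in /sys/module/kvm_amd/parameters and hold
# "1"/"0" (older kernels) or "Y"/"N" (newer kernels).

# sev_param_enabled FILE
#   exit 0 if FILE reports the feature enabled, 1 if disabled, 2 if FILE is absent
sev_param_enabled() {
    [ -r "$1" ] || return 2
    case "$(tr -d '[:space:]' < "$1")" in
        1|Y|y) return 0 ;;
        *)     return 1 ;;
    esac
}

# sev_status [DIR]
#   print "sev=<on|off|absent> sev_es=<on|off|absent>" for the parameter directory DIR
sev_status() {
    dir="${1:-/sys/module/kvm_amd/parameters}"
    out=""
    for p in sev sev_es; do
        if sev_param_enabled "$dir/$p"; then
            v=on
        else
            # $? here is the exit status of sev_param_enabled above
            case $? in
                2) v=absent ;;
                *) v=off ;;
            esac
        fi
        out="$out$p=$v "
    done
    printf '%s\n' "${out% }"
}

# cpu_has_sev_flag [CPUINFO]
#   exit 0 if the CPU flag list contains the word "sev" (not merely "sev_es")
cpu_has_sev_flag() {
    grep -qw sev "${1:-/proc/cpuinfo}" 2>/dev/null
}

# Usage on a real host (no root needed): a secure container should only be
# trusted when sev=on is reported and the CPU advertises the flag.
sev_status
if cpu_has_sev_flag; then
    echo "cpu flag: sev present"
else
    echo "cpu flag: sev absent"
fi
```

A kernel that reports `sev=off` even though the CPU advertises the flag usually means SEV was disabled in firmware or by the `kvm_amd` module parameter; in that state the container's memory is not encrypted regardless of what the container image expects, so the check belongs in host provisioning rather than inside the container.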
Keywords/Search Tags:Virtualization, TEE, AMD SEV, Container