
Research And Implementation Of Security Isolation Technology For Virtualized Containers

Posted on: 2022-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: X H Ji
Full Text: PDF
GTID: 2518306524480154
Subject: Computer Science and Technology
Abstract/Summary:
With the vigorous development of cloud computing, big data, blockchain and other technologies, the application of virtualization technology has become more and more extensive, and container-based virtualization solutions have received particular attention. Compared with the traditional virtualization solution, the container-based virtualization solution removes the guest kernel and the virtual hardware layer, making this type of solution more lightweight and efficient. Docker is one of the most popular representative solutions. However, Docker also faces many security problems. Because it directly uses the host's kernel and resource library, its isolation is not perfect, and many problems have occurred. Therefore, it is urgent to enhance the isolation of Docker. This thesis focuses on the Docker isolation problem, and the main research content includes the following three parts.

This thesis applies a multi-level container security isolation operation model, which is dedicated to solving the isolation problem of container processes and the secure sharing of shared volumes. In the design process, in order to maintain the lightweight and efficient features of Docker, the model was simplified and designed to restrict the subject and object of the model to the container process and container-related paths respectively, and on this basis five access control strategies have been formulated. Regarding process isolation, the model restricts the access domain of the container to the container itself, which has no access rights to the read-write layers of other containers or to host files. This ensures isolation between subject and subject and between subject and object. For shared data, the advantages of the access strategies of the BLP model and the Biba model are combined, and a security value attribute pair is set to control the access rights of the multi-level container to the shared data, so that the shared volume has better confidentiality and integrity.

This thesis also uses a mandatory access control scheme for containers based on the principle of least privilege. It also studies the operating permissions of Docker and analyzes the two file formats from which Docker containers are generated, Dockerfile and Docker Compose. The scheme mainly consists of two parts, static file detection and dynamic operation correction. The static file detection part analyzes the content of these files and extracts the required permissions to generate the corresponding AppArmor configuration file. In the dynamic operation correction part, the configuration file is dynamically adjusted according to the user's process in the container. The entire scheme analyzes the necessary permissions of a container from generation to operation, and automatically generates matching AppArmor configuration files according to the operating characteristics of each container. Since the container is granted only the permissions needed for normal use, this satisfies the principle of least privilege and ensures the isolation of the container.

This thesis also implements a prototype system of the multi-level container security isolation operation model. In the implementation process, because AppArmor's path-based access control method is consistent with the objects in the model, an AppArmor-based implementation is adopted. In order not to break the source code logic of Docker and AppArmor, the mandatory access control scheme based on AppArmor is used, and an LKM is used to supplement and extend the scheme, so that the prototype system meets the strategies of the multi-level container security isolation operation model.

This thesis also carried out functional tests and performance tests on the prototype system. Through a series of simulated attack experiments, the results show that the prototype system can improve the security and isolation of Docker. Multiple performance tests were performed on ordinary personal computers. Compared with native Docker, the performance loss is not high and remains in the same order of magnitude, which maintains the efficiency of Docker.
Keywords/Search Tags: Docker, multi-level access control, AppArmor, container isolation