
Design And Implementation Of Docker Container Integrity Measurement Mechanism Based On Trusted Computing

Posted on: 2022-03-19
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Li
Full Text: PDF
GTID: 2518306605973089
Subject: Master of Engineering
Abstract/Summary:
Container-based virtualization technology is now widely used for its efficient resource utilization, standardized and consistent application environment, convenient image scheduling and distribution, and good cross-platform support. However, the rapid development of containers has also exposed many security issues, for example vulnerabilities inside the container image, illegal tampering of the container itself, malicious intrusion of the processes inside the container, and vulnerabilities directly related to the container engine. Existing security mechanisms are generally designed to avoid security problems by protecting data integrity, confidentiality, authenticity, availability, and other properties. Integrity, as the basis for the other properties, ensures that data is stored or transmitted without being deliberately deleted, tampered with, or falsified by unauthorized users. By performing integrity measurement on containers, we can effectively and promptly find out whether containers are under threat and minimize the resulting damage.

Existing container integrity measurement approaches are mainly based on IMA or vTPM. The former does not provide independent evidence of a container's integrity status during measurement; the latter has to modify the container image to adapt to the vTPM according to the platform characteristics, which destroys the environment consistency and standardization that container technology originally provides. At the same time, both are static integrity measurements, which cannot detect damage to integrity caused by memory attacks during container runtime.

In view of the above problems, this thesis proposes a Container Integrity Measurement Mechanism (CIMM) based on trusted computing, taking Docker, a representative of container technology, as the research object. The mechanism runs as a kernel extension module in the system; it stores measurement results independently with the container as the subject, without destroying the original characteristics of container technology, and can dynamically measure the process memory of the container. The main work of this thesis is as follows:

1) By designing a Namespace parser, the "isolation" between CIMM and the container during integrity measurement is eliminated. After analyzing the shortcomings of IMA in container integrity measurement, we modify its code and add a static integrity measurement module to support measuring container dependencies and container integrity at container startup.

2) A dynamic integrity measurement module is designed based on page and frame remapping technology; combined with the Namespace parser, which provides information about the processes running in the container, it performs dynamic measurement of process memory.

3) After measurement is completed, the measurement results are stored with the container. The vPCR component is designed based on trusted computing to protect the measurement information of each container independently, and a related protocol is designed to ensure the trustworthiness of the vPCR through the physical PCR.

Finally, this thesis builds a trusted computing platform environment using a Raspberry Pi as the computing platform, equipped with a TPM 2.0 chip, tests the relevant modules of the proposed CIMM, and performs static and dynamic measurement of container integrity. The experimental results show that CIMM can measure the container image and related dependencies comprehensively, that the additional overhead caused by measurement can be less than 100 ms, and that when the memory of a container process is attacked and tampered with, the dynamic measurement detects it in time.
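The following is an added, self-contained Python illustration of the measurement flow the abstract outlines; it is not code from the thesis or from CIMM. It simulates three pieces in software: static measurement of image layers and dependencies at container start-up into a per-container measurement log and vPCR (using the TPM-style extend rule PCR_new = SHA-256(PCR_old || digest)), anchoring of each vPCR into a simulated physical PCR so that a forged or replayed vPCR can be rejected, and a dynamic check that re-hashes a process's code pages against the start-up baseline. The class and function names (ContainerMeasurements, SimulatedPhysicalPCR, tampered_pages), the anchor format, and all sample bytes are assumptions constructed for the example; a real implementation would obtain page contents from the kernel and extend a hardware PCR through the TPM.

```python
"""Simulated container integrity measurement with a per-container vPCR.

Constructed illustration (not the thesis's code): static measurement at
start-up, a per-container vPCR anchored in a simulated physical PCR, and a
dynamic re-measurement of process code pages. All inputs are synthetic.
"""
import hashlib
from dataclasses import dataclass, field

DIGEST_LEN = 32
INITIAL_PCR = bytes(DIGEST_LEN)   # TPM 2.0 SHA-256 PCR banks start at all zeros


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


@dataclass
class ContainerMeasurements:
    """Measurement log and vPCR kept per container (hypothetical layout)."""
    container_id: str
    log: list = field(default_factory=list)      # (label, digest) entries
    vpcr: bytes = INITIAL_PCR

    def measure(self, label: str, data: bytes) -> bytes:
        """Static measurement of one image layer or dependency at start-up."""
        digest = hashlib.sha256(data).digest()
        self.log.append((label, digest))
        self.vpcr = extend(self.vpcr, digest)
        return digest


def replay(log) -> bytes:
    """Recompute a vPCR from its log; a mismatch means log or vPCR was altered."""
    pcr = INITIAL_PCR
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


class SimulatedPhysicalPCR:
    """Stands in for one hardware PCR; every vPCR is bound to it by an extend."""

    def __init__(self):
        self.value = INITIAL_PCR
        self.anchors = []                         # (container_id, vpcr) pairs

    @staticmethod
    def _anchor_digest(container_id: str, vpcr: bytes) -> bytes:
        # Assumed anchor encoding: hash of container id followed by its vPCR.
        return hashlib.sha256(container_id.encode() + vpcr).digest()

    def anchor(self, cm: ContainerMeasurements) -> None:
        self.anchors.append((cm.container_id, cm.vpcr))
        self.value = extend(self.value, self._anchor_digest(cm.container_id, cm.vpcr))

    def verify(self, cm: ContainerMeasurements) -> bool:
        """A vPCR is trusted only if its log replays to it and the anchor chain
        recomputed from the recorded anchors matches the hardware PCR value."""
        if replay(cm.log) != cm.vpcr:
            return False
        pcr = INITIAL_PCR
        for cid, vpcr in self.anchors:
            pcr = extend(pcr, self._anchor_digest(cid, vpcr))
        return pcr == self.value and (cm.container_id, cm.vpcr) in self.anchors


def measure_pages(pages) -> list:
    """Dynamic measurement: digest of each code page of a container process."""
    return [hashlib.sha256(p).digest() for p in pages]


def tampered_pages(baseline, pages) -> list:
    """Indices whose current digest differs from the start-up baseline."""
    return [i for i, d in enumerate(measure_pages(pages)) if d != baseline[i]]


# --- constructed sample data ------------------------------------------------
IMAGE_LAYERS = {
    "base-layer": b"layer0 rootfs bytes",
    "app-layer": b"layer1 application bytes",
    "libc.so": b"shared library bytes",
}
CODE_PAGES = [b"\x55\x48\x89\xe5" * 1024, b"\x90" * 4096]   # two 4 KiB pages


def run_demo():
    """Measure a container, anchor it, then detect a one-byte in-memory change."""
    tpm = SimulatedPhysicalPCR()
    cm = ContainerMeasurements("container-c1")
    for name, data in IMAGE_LAYERS.items():
        cm.measure(name, data)
    tpm.anchor(cm)
    baseline = measure_pages(CODE_PAGES)
    ok_at_start = tpm.verify(cm)
    # Simulate a runtime modification of the second code page.
    patched = [CODE_PAGES[0], CODE_PAGES[1][:100] + b"\xcc" + CODE_PAGES[1][101:]]
    return ok_at_start, tampered_pages(baseline, patched)


if __name__ == "__main__":
    print(run_demo())   # (True, [1])
```

Two failure modes worth noting: a log entry edited after the fact no longer replays to the stored vPCR, and a vPCR fabricated for a container that was never anchored fails the physical PCR check even though its own log is internally consistent. Both are caught by `verify`, which is the role the abstract assigns to binding vPCRs to the physical PCR.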
Keywords/Search Tags: Trusted Computing, Integrity Verification, Virtualization, Docker