With the rapid development of IoT technology and the large-scale deployment of terminal programs, higher requirements are being placed on cloud virtualization technology. Unlike traditional virtual machine technology, containers are a newer form of virtualization characterized by easy deployment, fast startup and high operating efficiency, which has made them popular with many IoT vendors and enterprises. Docker, the typical representative and mainstream container technology, nevertheless faces increasingly serious security problems. From the perspective of securing IoT programs, this paper analyzes the security threats faced by IoT programs deployed on Docker, mainly in the following two aspects: (1) The operating environment is untrustworthy: Docker images, Dockerfiles, startup scripts and similar artifacts may be maliciously tampered with or subjected to injection attacks, so that malicious code is introduced when the container starts and the program's subsequent operation is affected. (2) The runtime state is untrustworthy: the program's memory may be attacked while it is running, driving the program into a disordered running state and causing the IoT service to behave abnormally.

In response to these problems, this paper studies a runtime verification mechanism for IoT programs based on trusted Docker, and designs and implements a prototype system for IoT program runtime security, in the following three parts:

(1) A trusted startup architecture for Docker containers based on an improved IMA. This paper designs an overall process for trusted Docker startup consisting of two major parts: integrity measurement and remote verification. For integrity measurement, to address the problem that the vPCR architecture considers only image integrity, this paper introduces an improved IMA mechanism that also measures the dependency files and application parts involved in container startup, extending the chain of trust to the container's user application layer at startup while preserving the isolated storage of per-container measurement values in the vPCR architecture, and supporting the measurement of multiple container startups. For remote verification, a trust-extension-based remote verification protocol with dual AIK signatures is designed; by using trust extension it avoids interaction with a third-party platform and improves the efficiency of container trusted startup compared with previous certificate-based approaches. To ensure the integrity of vPCR data, a dual AIK signature verification protocol based on the vPCR architecture is also designed, achieving dual verification of platform identity and platform information.

(2) An in-memory runtime business process verification mechanism based on Docker. This paper combines memory forensics with runtime verification to verify the business processes of IoT programs running on Docker. To meet the above requirements, this paper makes the following innovations: I. In contrast to existing techniques for acquiring memory on the host, this paper acquires container memory from the host and precisely locates the process's memory addresses to speed up memory acquisition, while following the verifier's time predictions to improve the accuracy of event collection. II. Previous process-level memory forensics analysis is extended to the stack parameter level so that more accurate memory events can be collected. III. A set of strategies for time prediction, multi-function verification and time prediction correction is proposed for the verification state machine, solving the blindness problem of memory event collection and improving the efficiency of runtime verification.

(3) Implementation of a prototype system for IoT application runtime security. This paper designs a prototype system for the above two mechanisms, implements its three parts (trusted Docker startup, runtime memory forensics and event verification), and guarantees the trustworthiness of IoT programs at runtime from the perspective of both the runtime environment and the runtime state.
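The IMA-style measurement and per-container vPCR storage described in part (1) can be illustrated with a small model. The following Python is an added example, not code from the thesis or from Docker. It assumes the TPM extend rule (new = SHA-256(old || digest), starting from 32 zero bytes), a separate vPCR per container, and a verifier that replays the measurement log against a reference list of known-good digests; the file paths and contents are constructed sample data, and the dual AIK signing step of the remote verification protocol is not modelled.

```python
"""Measuring container startup files into per-container virtual PCRs and
verifying the measurement log remotely.

Added illustration, not the thesis's own code. Assumptions (not given in the
abstract): vPCR extend follows the TPM rule new = SHA-256(old || digest)
from a 32-byte zero initial value; each container has its own vPCR; the
verifier holds reference digests per file path; sample files are constructed.
"""
import hashlib
from dataclasses import dataclass, field

PCR_INIT = b"\x00" * 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: order-dependent, one-way accumulation of digests."""
    return sha256(pcr + digest)


@dataclass
class ContainerVPCR:
    """One isolated measurement register plus its log for a single container."""
    container_id: str
    pcr: bytes = PCR_INIT
    log: list = field(default_factory=list)  # [(path, digest)] in measure order

    def measure(self, path: str, content: bytes) -> None:
        # IMA-style: hash the file at startup, log it, extend the register.
        digest = sha256(content)
        self.log.append((path, digest))
        self.pcr = extend(self.pcr, digest)


def verify(log, reported_pcr: bytes, reference: dict) -> tuple:
    """Verifier side: replay the log to recompute the vPCR, then check every
    measured file against its reference digest. Returns (ok, problems)."""
    problems = []
    pcr = PCR_INIT
    for path, digest in log:
        pcr = extend(pcr, digest)
        expected = reference.get(path)
        if expected is None:
            problems.append(f"unknown file measured: {path}")
        elif expected != digest:
            problems.append(f"digest mismatch: {path}")
    if pcr != reported_pcr:
        problems.append("vPCR does not match replayed log")
    return (not problems, problems)


def run_scenario() -> dict:
    """Two containers start from the same image; container B's entrypoint
    script was tampered with. Returns the verification outcomes."""
    golden = {  # constructed sample startup artifacts (dependency, script, app)
        "/usr/lib/libiotdep.so": b"dependency library v1",
        "/entrypoint.sh": b"#!/bin/sh\nexec /app/sensor-agent\n",
        "/app/sensor-agent": b"sensor-agent binary v2",
    }
    reference = {path: sha256(content) for path, content in golden.items()}

    ctr_a = ContainerVPCR("ctr-a")
    for path, content in golden.items():
        ctr_a.measure(path, content)

    tampered = dict(golden)
    tampered["/entrypoint.sh"] = b"#!/bin/sh\n/tmp/.payload &\nexec /app/sensor-agent\n"
    ctr_b = ContainerVPCR("ctr-b")
    for path, content in tampered.items():
        ctr_b.measure(path, content)

    clean_ok, clean_problems = verify(ctr_a.log, ctr_a.pcr, reference)
    tampered_ok, tampered_problems = verify(ctr_b.log, ctr_b.pcr, reference)
    # Attacker rewrites B's log to show golden digests but cannot rewind the
    # register: replaying the log exposes the discrepancy.
    hidden_log = [(path, reference[path]) for path, _ in ctr_b.log]
    hidden_ok, hidden_problems = verify(hidden_log, ctr_b.pcr, reference)
    return {
        "clean_ok": clean_ok, "clean_problems": clean_problems,
        "tampered_ok": tampered_ok, "tampered_problems": tampered_problems,
        "hidden_log_ok": hidden_ok, "hidden_log_problems": hidden_problems,
        "a_pcr": ctr_a.pcr.hex(), "b_pcr": ctr_b.pcr.hex(),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Container A's register is unaffected by what happens in container B, which is the isolation property the abstract attributes to the vPCR architecture; the replay step is what makes a tampered log detectable even when every logged digest looks legitimate.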
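The runtime verification state machine of part (2), with stack-parameter checks and a time prediction for the next memory acquisition, can be illustrated as follows. This Python is an added example, not code from the thesis. It assumes the memory events have already been recovered from the container process's memory as (time, function, stack arguments) tuples, that the expected business process is read_sensor -> encrypt -> send, and that time prediction is the running mean of the interval observed for the pending transition; the traces, the allowed destination address and the argument constraints are all constructed.

```python
"""Runtime verification of an IoT program's business process from memory
events, with a simple time prediction for the next acquisition.

Added illustration, not the thesis's own code. Assumptions (not given in the
abstract): events have already been recovered from the container process
memory as (time, function, stack arguments); the expected business process is
read_sensor -> encrypt -> send; time prediction is the running mean of the
interval observed for the pending transition. All events are constructed.
"""
import statistics
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MemEvent:
    t: float      # time (seconds) at which the frame was observed in memory
    func: str     # function whose frame was recovered from the stack
    args: dict    # stack parameters recovered for that frame


# Expected business process as a state machine: (state, function) -> next state.
TRANSITIONS = {
    ("IDLE", "read_sensor"): "SAMPLED",
    ("SAMPLED", "encrypt"): "ENCRYPTED",
    ("ENCRYPTED", "send"): "IDLE",
}
ALLOWED_DST = {"10.0.0.5"}  # constructed: the only legitimate upstream server


@dataclass
class Monitor:
    state: str = "IDLE"
    last_t: Optional[float] = None
    sampled_len: Optional[int] = None
    intervals: dict = field(default_factory=dict)  # transition -> [seconds]
    violations: list = field(default_factory=list)

    def pending(self) -> tuple:
        """The single transition allowed from the current state."""
        return next(k for k in TRANSITIONS if k[0] == self.state)

    def predict_next(self) -> Optional[float]:
        """Predicted time of the next event, used to schedule the next memory
        acquisition; None until the pending transition has been observed."""
        history = self.intervals.get(self.pending())
        if not history or self.last_t is None:
            return None
        return self.last_t + statistics.fmean(history)

    def _check_args(self, ev: MemEvent) -> None:
        # Stack-parameter level checks beyond the function sequence itself.
        if ev.func == "read_sensor":
            self.sampled_len = ev.args.get("len")
        elif ev.func == "encrypt" and ev.args.get("len") != self.sampled_len:
            self.violations.append(
                f"t={ev.t}: encrypt len {ev.args.get('len')} != sampled len {self.sampled_len}")
        elif ev.func == "send" and ev.args.get("dst") not in ALLOWED_DST:
            self.violations.append(f"t={ev.t}: send to unexpected dst {ev.args.get('dst')}")

    def feed(self, ev: MemEvent) -> None:
        key = (self.state, ev.func)
        nxt = TRANSITIONS.get(key)
        if nxt is None:
            # Out-of-order call: record it and stay put until a legal event resyncs.
            self.violations.append(f"t={ev.t}: {ev.func} not allowed in state {self.state}")
            return
        self._check_args(ev)
        if self.last_t is not None:
            # Correction step: fold the observed interval into the prediction.
            self.intervals.setdefault(key, []).append(ev.t - self.last_t)
        self.last_t = ev.t
        self.state = nxt


def run_trace(events) -> Monitor:
    m = Monitor()
    for ev in events:
        m.feed(ev)
    return m


# Constructed traces: two clean cycles, then one with a skipped encrypt and a
# redirected send (the kind of deviation a memory attack would produce).
NORMAL_TRACE = [
    MemEvent(0.0, "read_sensor", {"len": 64}),
    MemEvent(0.2, "encrypt", {"len": 64}),
    MemEvent(0.5, "send", {"dst": "10.0.0.5"}),
    MemEvent(1.0, "read_sensor", {"len": 64}),
    MemEvent(1.2, "encrypt", {"len": 64}),
    MemEvent(1.5, "send", {"dst": "10.0.0.5"}),
]
TAMPERED_TRACE = [
    MemEvent(0.0, "read_sensor", {"len": 64}),
    MemEvent(0.3, "send", {"dst": "10.0.0.5"}),     # encrypt skipped
    MemEvent(0.4, "encrypt", {"len": 64}),
    MemEvent(0.6, "send", {"dst": "203.0.113.9"}),  # redirected destination
]

if __name__ == "__main__":
    ok = run_trace(NORMAL_TRACE)
    print("normal:", ok.violations, "next acquisition at", ok.predict_next())
    bad = run_trace(TAMPERED_TRACE)
    print("tampered:", bad.violations)
```

The prediction is what lets an acquisition loop stop dumping memory blindly: it reads the process at the predicted time for the pending transition and refines that estimate from each observed interval, which is the role the abstract assigns to time prediction and its correction.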