Abstract
To address the current Docker problems of tampered containers and images, malicious processes inside containers and unauthorized communication, this paper uses trusted computing techniques such as trust chains, integrity measurement and real-time monitoring to design and implement a trust-enhanced Docker container, DockerGuard. DockerGuard builds a trust chain from the hardware to the processes and files inside the container, and adds a security protection module that combines three functions, process monitoring, file system measurement and network monitoring, so that Docker is measured and monitored at fine granularity in every respect. A security-enhanced system, DockerGuard, with the above functions was implemented on Docker 1.6.0 and its performance was evaluated. The results show that DockerGuard protects containers and images from tampering, restricts the network communication of containers and monitors the processes inside them, greatly improving the security of Docker containers.
Docker is now a very popular open source container engine. Compared with hardware virtualization technology, Docker has some new features, including high resource utilization, easy deployment, fast starting, good flexibility and so on. Because Docker's virtualization is software-based and multiple containers share the same Linux kernel, its security problems are worse than those of traditional hardware virtualization, such as unauthorized access to the underlying container resources, tampered containers and invaded container services. Aiming at the security issues above, trusted computing, integrity measurement and real-time monitoring methods were used to reinforce the Docker container system so as to implement a security-enhanced trusted container and its management system, DockerGuard. DockerGuard constructs a trust chain from the hardware to the processes and files inside the container, and also includes a security module with process monitoring, file system measurement and network monitoring functions, thus protecting Docker with full measurement and fine-grained monitoring. We implemented a security-enhanced system, DockerGuard, with the above functions based on Docker 1.6.0 and evaluated the performance of the system. The results show that DockerGuard can protect the container and image from tampering, while limiting the network communication behavior of the container and monitoring the processes inside the container, which greatly improves the security of the Docker container.
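As an added illustration of the file system measurement and trust-chain idea in the abstract (example code written here, not DockerGuard's own implementation): each file of a constructed sample image is measured into a TPM-style extend chain with a measurement log, and a later re-measurement is compared with the baseline to detect modified, added or removed files. The file paths, contents and baseline are constructed assumptions, not data from the paper.

```python
import hashlib
from typing import Dict, List, Tuple

ZERO = "00" * 32  # initial accumulator, like a freshly reset PCR

def measure(content: bytes) -> str:
    """Measurement of one file: SHA-256 of its content."""
    return hashlib.sha256(content).hexdigest()

def extend(acc: str, m: str) -> str:
    """TPM-style extend: acc' = H(acc || m); one-way and order-sensitive."""
    return hashlib.sha256(bytes.fromhex(acc) + bytes.fromhex(m)).hexdigest()

def measure_tree(files: Dict[str, bytes]) -> Tuple[str, List[Tuple[str, str]]]:
    """Measure every file in sorted path order; return the final accumulator and the log."""
    acc, log = ZERO, []
    for path in sorted(files):
        m = measure(files[path])
        log.append((path, m))
        acc = extend(acc, m)
    return acc, log

def replay(log: List[Tuple[str, str]]) -> str:
    """Recompute the accumulator from a log; a verifier compares it with the attested value."""
    acc = ZERO
    for _, m in log:
        acc = extend(acc, m)
    return acc

def tampered_paths(baseline: List[Tuple[str, str]], current: List[Tuple[str, str]]) -> List[str]:
    """Paths whose measurement changed, plus files that were added or removed."""
    b, c = dict(baseline), dict(current)
    return sorted(p for p in b.keys() | c.keys() if b.get(p) != c.get(p))

# Constructed sample "image" (not a real Docker layer): path -> content
IMAGE = {
    "/bin/sh": b"\x7fELF sample shell binary",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/app/run.py": b"print('hello')\n",
}
BASELINE_ROOT, BASELINE_LOG = measure_tree(IMAGE)  # golden values recorded at image build time

def check_image(files: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Re-measure a container's files and report whether they match the baseline and which paths differ."""
    root, log = measure_tree(files)
    return root == BASELINE_ROOT, tampered_paths(BASELINE_LOG, log)

if __name__ == "__main__":
    modified = {**IMAGE, "/etc/passwd": IMAGE["/etc/passwd"] + b"evil:x:0:0::/:/bin/sh\n"}
    print(check_image(IMAGE))     # (True, [])
    print(check_image(modified))  # (False, ['/etc/passwd'])
```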
Source
《武汉大学学报(理学版)》
CAS
CSCD
Peking University Core Journals (北大核心)
2017, No. 2, pp. 102-108 (7 pages)
Journal of Wuhan University:Natural Science Edition
Funding
National Natural Science Foundation of China project (61332019)
National Key Basic Research Program of China (973 Program) project (2014CB340600)