Container isolation enhancement system based on ARM TrustZone

A technology that enhances the system and isolation, applied in the field of virtualization, can solve the problem of no description or report found, no data collected, etc., to achieve the effect of protecting user privacy

Active Publication Date: 2018-11-02
SHANGHAI JIAO TONG UNIV

AI Technical Summary

Problems solved by technology

[0009] However, SCONE has two disadvantages: First, it can only support single-application single-process containers
[0011] At present, there


Examples


Embodiment

[0072] This embodiment provides a container isolation enhancement system based on ARM TrustZone, which can effectively solve the problems encountered in the prior art, including:

[0073] How to use the characteristics of the ARM platform's own architecture to maintain any number of trusted execution environments for containers? ARM's TrustZone hardware technology only provides a single trusted execution environment called "secure world". However, simply running different container applications in a "secure world" cannot improve the security between containers. Therefore, how to take advantage of the "secure world" and provide each container process with an exclusive trusted execution environment is very important.

[0074] How to prevent container applications from being attacked while relying on untrusted operating systems to provide services? Applications (including applications in containers) rely on system calls provided by the operating system to complete many function...


Abstract

The invention provides a container isolation enhancement system based on ARM TrustZone. The system comprises a container management client, which runs on the client side; an untrusted operating system, an untrusted container management module and a trusted execution environment, which run in the normal world on the server side; and a page table management module, a register protection module, a system call hijacking module, a file system security enhancement module, an execution flow synchronization service security enhancement module, an interprocess communication service security enhancement module, a trusted container image download module and a secure container startup module, which run in the secure world on the server side. With this system, an existing application program can run safely on a malicious operating system that is completely controlled by an attacker, so that different applications of different users in containers can communicate securely and synchronize control flow, and users do not need to make any modification to an existing image.

Description

Technical field

[0001] The invention relates to the technical field of virtualization, in particular to an ARM TrustZone-based container isolation enhancement system.

Background technique

[0002] Virtualization technology can simulate multiple virtual computers on one physical computer, thereby improving hardware utilization and making it easier for multiple users to share the same physical device. Containers are a lightweight virtualization technology. Different containers will share the same operating system kernel, but each container has its own independent file system, user space, process space, etc. Compared with traditional virtualization technologies, containers have shorter startup times, faster performance, and easier deployment methods. Due to these remarkable advantages, containers have been widely used in the server field. Based on containers, cloud servers can quickly and easily create an independent operating environment for each user. And more and more us...


Application Information

IPC(8): G06F9/455
CPC: G06F9/45558, G06F2009/45562, G06F2009/45587
Inventor: 夏虞斌, 华志超, 陈海波, 臧斌宁
Owner SHANGHAI JIAO TONG UNIV