
A container virtualization security hardening device and method

A container virtualization security hardening device and method, applicable to program control devices, instruments, and program/content distribution protection. It addresses the problem that directly modifying the underlying operating system is unrealistic because of the large volume of operating-system code and the complexity of container isolation code, while keeping containers lightweight and fast to start.

Active Publication Date: 2021-02-05
INST OF COMPUTING TECH CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

Because of the huge volume of operating-system code and the complexity of implementing container isolation inside it, directly modifying the underlying operating system is unrealistic.


Embodiment Construction

[0034] The present invention provides a container virtualization security hardening device, which includes:

[0035] containers running in the non-root mode of the guest (client);

[0036] the underlying operating system modules and common application modules running in the root mode of the host;

[0037] a microkernel implanted in the non-root mode that manages the memory and file system resources used by the container; wherein

[0038] isolation between the container and the underlying operating system modules is enforced.

[0039] In the container virtualization security hardening device, the microkernel includes virtual CPU cores and virtual physical memory.

[0040] In the container virtualization security hardening device, the microkernel's management of the container includes system call processing, exception and interrupt handling, and mounting of the system file system.

[0041] The container virtualization security hardening device, wherein each of the virtual CPU cores is bound to a th...


Abstract

The present invention proposes a container virtualization security hardening device and method, including: a container running in the non-root mode of the guest (client); an underlying operating system module and common application program modules running in the root mode of the host; a microkernel implanted in the non-root mode to manage the memory and file system resources used by the container; and enforced isolation of the container from the underlying operating system module. Compared with traditional containers, the invention offers better security; compared with virtual machines and container technologies built on virtual machines, it has the advantages of light weight and fast startup.

Description

Technical field

[0001] The invention relates to the field of computer system security virtualization, and in particular to a container virtualization security hardening device and method.

Background technique

[0002] Because container technology is flexible and lightweight, it has been widely adopted in industry. Compared with traditional hypervisor-based virtualization, container technology achieves isolation at the OS (operating system) layer, and the operating system kernel is shared among the containers. Container-level virtualization is in fact process-level virtualization provided by the operating system. The benefits of this approach are mainly two: 1) it is lighter, since the VM (virtual machine) no longer needs to carry a large guest operating system; 2) startup is fast, since starting a container can be as fast as starting a process.

[0003] However, the p...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/14, G06F9/455
CPC: G06F9/45558, G06F21/14
Inventors: 王喆武成岗谢梦瑶张晓峰赖远明康妍曾凯
Owner: INST OF COMPUTING TECH CHINESE ACAD OF SCI