Optimization Of Multi-variant Execution System Based On Container Technology

With the popularization of Internet technology,a large amount of high-value data information in the Internet attracts hackers to spare no effort to attack and destroy the Internet,which greatly threatens the security of the Internet.The mainstream network security defense technology mainly relies on the discovered vulnerabilities in system software for passive defense,and cannot effectively target the potential vulnerabilities that have not been discovered,resulting in the situation of "easy to attack but difficult to defend" in the field of network security.Multi-Variant Execution technology realizes active defense based on the idea of heterogeneous redundancy,which can effectively prevent hackers from exploiting unknown vulnerabilities and has higher security than passive patching defense.However,due to the existence of common mode vulnerability,the current Multi-Variant Execution technology has a lot of room for improvement in security.At the same time,the Multi-Variant Execution system has some usability problems because of its complex architecture.The security and availability of Multi-Variant Execution system can be improved effectively by transforming Multi-Variant Execution system with container technology.Firstly,this thesis makes extensive and in-depth research on Multi-Variant Execution technology and container technology,analyzes the feasibility of Optimizing Multi-Variant Execution system based on container technology combined with the characteristics of container technology,and designs and implements the container variant generation prototype system,Finally,a scheme to improve the security and fault tolerance of Multi-Variant Execution system based on container file system transformation is proposed and implemented.The main research contents and innovations are as follows:1.Combined with the attack surface theory and the characteristics of Multi-Variant Execution system,an attack surface modeling method for Multi-Variant Execution system is proposed.Based on this,the security deficiencies of Multi-Variant Execution system are analyzed,and the feasibility of improving the security of Multi-Variant Execution system through seccomp mechanism of container technology is verified.At the same time,the disadvantages of the MultiVariant Execution system are analyzed,and the feasibility of improving the availability of MultiVariant Execution system through namespace mechanism of container technology and joint file system mechanism is verified.2.The concept of equivalent container group for Multi-Variant Execution system and the container group life cycle management process are proposed.Based on the mainstream container runtime technology containerd,a container variant generation prototype system is designed and implemented to realize the management of heterogeneous redundant container executors.3.Proposed a Multi-Variant Execution scheme based on container file system,and implemented the scheme based on Overlay FS,the mainstream container file system.Finally,the effectiveness of the scheme in improving the security and fault tolerance of Multi-Variant Execution system was proved through simulation experiments.