
Research On Construction Technology Of Security Container Based On Docker

Posted on: 2023-04-16
Degree: Master
Type: Thesis
Country: China
Candidate: B Zhu
Full Text: PDF
GTID: 2558306911982409
Subject: Communication and Information System
Abstract/Summary:
In recent years, with the rapid development of the mobile Internet, cloud computing has been widely adopted and represents another major innovation of the information age. Virtualization, as one of its key supporting technologies, has developed rapidly as well. Unlike traditional virtualization, container technology is known as operating-system-level virtualization. Its representative implementation, Docker, is popular with users because of its scalability, agility, fast startup and high efficiency. However, the Docker image life cycle has security problems: image files are easily tampered with, images contain vulnerabilities, and communication with containers is insecure. Protecting Docker across its entire life cycle has therefore become an important topic in container security research.

Starting from the security problems in the Docker image life cycle, this thesis aims to build a secure Docker container and carries out the following research:

(1) To address the problem of an untrusted container running environment, this thesis proposes building a trusted container running environment based on the Trusted Cryptography Module (TCM) and trust-chain technology, establishing layer-by-layer trust from the underlying hardware up to the upper-layer application. At the application layer it proposes a security container construction scheme, Docker Security Guard, which protects the Docker life cycle.

(2) To address trust-chain extension when building the trusted environment, this thesis designs the life cycle management module of Docker Security Guard to transmit trust relationships. The module not only participates in building the trust chain from the TCM chip to the upper-layer application, but is also responsible for transferring trust relationships within Docker Security Guard. In addition, it receives user requests as the communication entry point of Docker Security Guard and calls each internal module to complete the various functions.

(3) To address the ease with which local image files can be tampered with, this thesis designs an integrity measurement module and a security reference value database, which together measure and verify the local image file. The integrity measurement module uses the SM3 cryptographic algorithm to compute the hash value of the image file, in place of the Secure Hash Algorithm (SHA) family used in traditional schemes, such as SHA-256 and SHA-1. The thesis also improves the traditional image measurement method by exploiting the layered structure of the image combined with multithreading; experiments show that the improved method measures large images more efficiently. The security reference value database combines the traditional reference value storage scheme with the container environment: reference values are stored securely and reliably on the basis of the TCM and the database's access control mechanism, and the capacity limit is removed, making it better suited to the container running environment.

(4) To address image vulnerabilities and outdated versions, this thesis designs a vulnerability scanning module and a version management module. The vulnerability scanning module uses Trivy as the scanning tool, supplemented by a communication method of asynchronous report generation and synchronous calls based on the vulnerability report, which effectively protects local images against vulnerabilities. The version management module is invoked while pulling an image and starting a container; it checks the image version and returns an update prompt in time.

(5) To address the security of communication between the container and the Docker daemon, this thesis designs a secure Socket module, docker-guard.sock, based on reverse proxy and Unix Socket communication technology. The reverse proxy hides the real address of the Socket from the client, prevents the module from being maliciously attacked, and can also provide load balancing. The module forwards requests and filters private information out of responses, so that such information cannot be used to launch more serious attacks, thereby protecting the Docker daemon and the host.

(6) This thesis builds the running environment of Docker Security Guard, performs functional tests on the core modules, analyzes the performance impact of Docker Security Guard on container startup, and demonstrates the effectiveness and usability of the scheme.
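As an added example (not code from the thesis), the following Python sketch shows the layer-wise measurement and reference-value check described in point (3): each layer is hashed in a worker thread and compared against stored reference values, so a single altered layer is pinpointed rather than just flagging the whole image. The layer ids, the sample layer contents, the in-memory reference database and the SHA-256 fallback used when the local OpenSSL build lacks SM3 are all assumptions of this example.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

# The thesis measures with SM3. Python's hashlib exposes SM3 only when the
# underlying OpenSSL build enables it, so this example (assumption, for
# portability only) falls back to SHA-256 where "sm3" is unavailable.
HASH_NAME = "sm3" if "sm3" in hashlib.algorithms_available else "sha256"


def measure_layer(data: bytes) -> str:
    """Hash one image layer (its tar bytes) and return the hex digest."""
    h = hashlib.new(HASH_NAME)
    for i in range(0, len(data), 1 << 20):  # chunked: large layers stay streamed
        h.update(data[i:i + (1 << 20)])
    return h.hexdigest()


def measure_image(layers: dict, workers: int = 4) -> dict:
    """Measure every layer concurrently and return {layer_id: digest}.
    Layers are independent files, so they can be hashed in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(layers, pool.map(measure_layer, layers.values())))


def verify_image(layers: dict, reference_db: dict, image: str) -> list:
    """Return the ids of layers whose digest differs from the stored reference
    (empty list means intact); a layer with no reference counts as tampered."""
    expected = reference_db.get(image, {})
    actual = measure_image(layers)
    return sorted(lid for lid in layers if actual[lid] != expected.get(lid))


# Constructed sample image: three small byte strings stand in for layer tarballs.
SAMPLE_LAYERS = {
    "layer-1": b"base filesystem\n" * 1000,
    "layer-2": b"apt-get install openssl\n" * 500,
    "layer-3": b"COPY app /srv/app\n" * 100,
}
# Reference values captured when the image was first trusted. An in-memory
# dict here; the thesis keeps them in a TCM-protected, access-controlled DB.
REFERENCE_DB = {"demo/app:1.0": measure_image(SAMPLE_LAYERS)}


def tampered_copy() -> dict:
    """The sample image with the last byte of layer-3 altered."""
    bad = dict(SAMPLE_LAYERS)
    bad["layer-3"] = bad["layer-3"][:-1] + b"!"
    return bad
```

Because the per-layer digests are compared individually, an unchanged base layer shared by many images need not be re-measured when only the application layer differs.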
Keywords/Search Tags: Container security, Docker, TCM, Integrity measurement, Unix Socket