Container-IMA: A privacy-preserving Integrity Measurement Architecture for Containers

Authors: 

Wu Luo, Qingni Shen, Yutang Xia, and Zhonghai Wu, Peking University, Beijing, China

Abstract: 

Container-based virtualization has been widely utilized and brought unprecedented influence on traditional IT architecture. How to build trust for containers has become an important security issue as well. Despite the fact that substantial efforts have been made to solve this issue, there are still some challenges to be handled, i.e. how to prevent from exposing information of the underlying host and other users' containers to a remote verifier, how to measure the integrity status of a designated container along with its reliant services in the underlying host and generate a hardware-based integrity evidence. None of the currently solutions can counter these challenges and guarantee efficiency simultaneously.

In this paper, we present Container-IMA, a novel solution to cope with these challenges. We firstly analyze the essential evidence to validate the integrity of a designated container. Afterwards we make a division of the traditional Measurement Log (ML), which ensures privacy and decreases the latency of attestation. A container-based Platform Configuration Register (cPCR) mechanism is introduced to protect each ML partition with a hardware-based Root of Trust. The attestation mechanism is proposed as well. We implement a prototype based on Docker. The experiment results demonstrate the effectiveness and efficiency of our solution.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {242075,
author = {Wu Luo and Qingni Shen and Yutang Xia and Zhonghai Wu},
title = {{Container-IMA}: A privacy-preserving Integrity Measurement Architecture for Containers},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {487--500},
url = {https://www.usenix.org/conference/raid2019/presentation/luo},
publisher = {USENIX Association},
month = sep
}