Netinfo Security ›› 2022, Vol. 22 ›› Issue (11): 55-61.doi: 10.3969/j.issn.1671-1122.2022.11.007


A Secure Container Management Approach Based on Virtual Machine Introspection

HUANG Zilong, ZHAN Dongyang, YE Lin, ZHANG Hongli

  1. School of Cyberspace Science, Harbin Institute of Technology, Harbin 150001, China
  • Received: 2022-06-08; Online: 2022-11-10; Published: 2022-11-16
  • Contact: HUANG Zilong, E-mail: hithuangzl@163.com

Abstract:

With the development of containers, container-based cloud-native computing has been widely adopted by cloud service providers. Compared with virtual machines, containers are lighter but suffer from insufficient isolation capability. However, if an attacker escapes from a container inside a virtual machine, the container management tools running inside that virtual machine may also be attacked and can no longer be trusted. This paper proposes a secure container management method based on virtual machine introspection to manage containers running in a virtual machine; it can automatically obtain and change the execution state of a container in the virtual machine from the hypervisor layer. Since the management tool runs in the virtual machine monitor layer, it remains secure even if the virtual machine is controlled by an attacker. In order to automatically control the execution state of the target container, this paper proposes a clientless system call injection method, which can efficiently reuse the system calls of the target virtual machine. Furthermore, a high-performance kernel protection and recovery method for performing management operations in untrusted virtual machine operating systems is proposed. Experimental results show that our approach can perform many common container management operations.

Key words: container management, VM-based containers, system call reuse, virtual machine introspection
