A Multidimensional Security Measurement Architecture for the Container Lifecycle

doi:10.3969/j.issn.1671-1122.2025.11.008

Abstract

Abstract:

Container security threats have become increasingly complex. Trusted Execution Environment (TEE)-based solutions emerged as an effective way to enhance container trustworthiness. However, existing approaches mainly focus on static measurements at the container launch stage or monitor only partial runtime behaviors, making it difficult to comprehensively cover the entire container lifecycle and defend against complex attacks such as control-flow hijacking. In addition, TEE communication often relies on synchronous interactions, where frequent data transmissions may lead to blocking and performance bottlenecks. To address these issues, this paper proposed a multidimensional security measurement Architecture for the container lifecycle. The Architecture covered both image construction and runtime stages, and monitored memory changes and key control-flow events, including indirect jumps, indirect function calls, and returns. Furthermore, a TrustZone-based cross-domain communication mechanism was designed, which integrated shared memory, a ring buffer, and semaphores to enable efficient and secure transmission of measurement data. Experimental results show that the proposed system enhances container integrity protection with low performance overhead. It meets the requirements of cloud-native environments and multi-tenant platforms.

Key words: container security, trusted execution environment, dynamic integrity measurement, control flow integrity

CLC Number:

TP309

ZHAO Bo, LYU Jiamin, WANG Yixuan. A Multidimensional Security Measurement Architecture for the Container Lifecycle[J]. Netinfo Security, 2025, 25(11): 1745-1761.

Figures/Tables 16

References 36

[1]	JARKAS O, KO R, DONG N, et al. A Container Security Survey: Exploits, Attacks, and Defenses[J]. ACM Computing Surveys, 2025, 57(7): 279-314.
[2]	ZHANG Xinyi, WU Zehui, JIA Qiong, et al. Demand-Driven Container Security Policy Automatic Generation Technology[J]. Journal of Chinese Computer Systems. 2024, 45(4): 951-959.
	张新义, 武泽慧, 贾琼, 等. 需求驱动的容器安全策略自动生成技术[J]. 小型微型计算机系统. 2024, 45(4): 951-959.
[3]	VS D P, SETHURAMAN S C, KHAN M K. Container Security: Precaution Levels, Mitigation Strategies and Research Perspectives[EB/OL]. (2023-09-22)[2025-05-15]. https://www.sciencedirect.com/science/article/pii/S0167404823004005.
[4]	GAO Xing, GU Zhongshu, KAYAALP M, et al. Containerleaks: Emerging Security Threats of Information Leakages in Container Clouds[C]// IEEE. 2017 the 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). New York: IEEE, 2017: 237-248.
[5]	LIU Ziwen, FENG Dengguo. Dynamic Integrity Measurement Architecture Based on Trusted Computing[J]. Journal of Electronics and Information Technology, 2010, 32(4):875-879. doi: 10.3724/SP.J.1146.2009.00408 URL
	刘孜文, 冯登国. 基于可信计算的动态完整性度量架构[J]. 电子与信息学报, 2010, 32(4):875-879.
[6]	HUA Zhichao, YU Yang, GU Jingyu, et al. TZ-Container: Protecting Container from Untrusted OS with ARM TrustZone[J]. China Information Sciences, 2021, 64(9): 192101-192117.
[7]	SONG Liantao, DING Yan, GUO Yong, et al. Dimac: Dynamic Integrity Measurement Architecture for Containers with ARM TrustZone[C]// IEEE. 2024 IEEE International Conference on Web Services (ICWS). New York: IEEE, 2024: 844-852.
[8]	HAN Yufei, LI Chao, ZHANG Jianbiao, et al. DMSCTS: Dynamic Measurement Scheme for the Containers-Hybrid-Deployment Based on Trusted Subsystem[EB/OL]. (2024-10-16)[2025-04-21]. https://www.sciencedirect.com/science/article/pii/S0167404824004632.
[9]	Intel. Intel® Trust Domain Extensions[EB/OL]. (2023-01-10)[2025-05-15]. https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/documentation.html.
[10]	Advanced Micro Devices. AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More[EB/OL]. (2020-01-30)[2025-05-15]. https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf
[11]	ARM. ARM Confidential Compute Architecture[EB/OL]. (2021-07-23)[2025-05-15]. https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture.
[12]	MERKEL D. Docker: Lightweight Linux Containers for Consistent Development and Deployment[J]. Linux Journal, 2014, 239(2): 76-91.
[13]	MORABITO R, KJALLMAN J, KOMU M. Hypervisors vs. Lightweight Virtualization: A Performance Comparison[C]// IEEE. 2015 IEEE International Conference on Cloud Engineering. New York: IEEE, 2015: 386-393.
[14]	SOLTESZ S, POTZL H, FIUCZYNSKI M E, et al. Container-Based Operating System Virtualization: A Scalable, High-Performance Alternative to Hypervisors[J]. ACM SIGOPS Operating Systems Review, 2007, 42(3): 275-287.
[15]	SULTAN S, AHMAD I, DIMITRIOU T. Container Security: Issues, Challenges and the Road Ahead[J]. IEEE Access, 2019, 7: 52976-52996. doi: 10.1109/Access.6287639 URL
[16]	Microsoft. Secure the Windows Boot Process[EB/OL]. (2024-02-18)[2025-04-21]. https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.
[17]	TAO Zhe, RASTOGI A, GUPTA N, et al. DICE*: A Formally Verified Implementation of DICE Measured Boot[C]// USENIX. The 30th USENIX Security Symposium (USENIX Security 21). Berkeley: USENIX, 2021: 1091-1107.
[18]	STEFFEN A. The Linux Integrity Measurement Architecture and TPM-Based Network Endpoint Assessment[C]// Linux Foundation. Linux Security Summit. San Diego: Linux Foundation, 2012: 1-12.
[19]	LUO Wu, SHEN Qingni, XIA Yuyang, et al. Container-IMA: A Privacy-Preserving Integrity Measurement Architecture for Containers[C]// USENIX. The 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019). Berkeley: USENIX, 2019: 487-500.
[20]	SUN Yuqiong, SAFFORD D, ZOHAR M, et al. Security Namespace: Making Linux Security Frameworks Available to Containers[C]// USENIX. The 27th USENIX Security Symposium (USENIX Security 18). Berkeley: USENIX, 2018: 1423-1439.
[21]	MCKEEN F, ALEXANDROVICH I, BERENZON A, et al. Innovative Instructions and Software Model for Isolated Execution[C]// ACM. The 2nd International Workshop on Hardware and Architectural Support for Security and Privacy (HASP 2013). New York: ACM, 2013: 73-81.
[22]	ARM. ARM TrustZone Technology[EB/OL]. (2019-02-05)[2025-05-19]. https://developer.arm.com/documentation/100690/0201/?lang=en.
[23]	HUA Zhichao, YU Yang, GU Jinyu, et al. TZ-Container: Protecting Container from Untrusted OS with ARM TrustZone[EB/OL]. (2021-08-19)[2025-05-15]. https://link.springer.com/article/10.1007/s11432-019-2707-6.
[24]	Confidential Containers Community. Enclave-CC: Process-Based Confidential Container Solution Leveraging Intel SGX[EB/OL]. (2022-01-13)[2025-05-15]. https://github.com/confidential-containers/enclave-cc.
[25]	Alibaba Cloud and CNCF. Inclavare Containers Overview[EB/OL]. (2022-06-30)[2025-05-15]. https://openanolis-downloads.oss-cn-beijing.aliyuncs.com/meetup/Inclavare-Containers_Overview_rev11.pdf.
[26]	BIONDO A, CONTI M, DAVI L, et al. The Guard’s Dilemma: Efficient Code-Reuse Attacks against Intel SGX[C]// USENIX. The 27th USENIX Security Symposium (USENIX Security 18). Berkeley: USENIX, 2018: 1213-1227.
[27]	ERLINGSSON M, JIGATTI J. Control-Flow Integrity[C]// ACM. The 12th ACM Conference on Computer and Communications Security. New York: ACM, 2005: 340-353.
[28]	BUCHANAN E, ROEMER R, SHACHAM H, et al. When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC[C]// ACM. The 15th ACM Conference on Computer and Communications Security. New York: ACM, 2008: 27-38.
[29]	BLETSCH T, JIANG Xuxian, FREEH V W, et al. Jump-Oriented Programming: A New Class of Code-Reuse Attack[C]// ACM. The 6th ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2011: 30-40.
[30]	NETO A J, NUNES I D O. ISC-FLAT: On the Conflict between Control Flow Attestation and Real-Time Operations[C]// IEEE. 2023 IEEE 29th Real-Time and Embedded Technology and Applications Symposium (RTAS). New York: IEEE, 2023: 133-146.
[31]	BIONDO A, CONTI M, DAVI L, et al. Modular Control-Flow Integrity[C]// ACM. The 2014 ACM Conference on Computer and Communications Security (CCS’14). New York: ACM, 2014: 577-587.
[32]	BAUER M, GRISHCHENKO I, ROSSOW C. TyPro: Forward CFI for C-Style Indirect Function Calls Using Type Propagation[C]// ACM. Annual Computer Security Applications Conference (ACSAC 2022). New York: ACM, 2022: 346-360.
[33]	ZHOU Jie, DU Yingqi, SHEN Zhi, et al. Silhouette: Efficient Protected Shadow Stacks for Embedded Systems[C]// USENIX.The 29th USENIX Security Symposium (USENIX Security 20). Berkeley: USENIX, 2020: 1219-1236.
[34]	WANG Jinwen, WANG Yujie, LI Ao, et al. ARI: Attestation of Real-Time Mission Execution Integrity[C]// USENIX. The 32nd USENIX Security Symposium (USENIX Security 23). Berkeley: USENIX, 2023: 2761-2778.
[35]	SUN Zhichuang, FENG Bo, LU Long, et al. OAT: Attesting Operation Integrity of Embedded Devices[C]// IEEE. 2020 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2020: 1433-1449.
[36]	CAULFIELD A, RATTANAVIPANON N, NUNES I D O. ACFA: Secure Runtime Auditing & Guaranteed Device Healing via Active Control Flow Attestation[C]// USENIX. The 32nd USENIX Security Symposium (USENIX Security 23). Berkeley: USENIX, 2023: 5827-5844.

实验配置	型号及版本
CPU	Intel? Core? i5-13400
内存	16 GB
HOST OS	Ubuntu 20.04 Linux 5.15.0
QEMU	8.1.2
Guest Kernel	6.12.0
OP-TEE OS	4.5.0
LLVM	18.1.8

名称	版本	大小/MB	平均开销
busybox	latest	4.28	5.0%
ubuntu	latest	78.10	5.2%
redis	latest	117.00	5.4%
apache	latest	241.00	5.4%

测试项	avg	min	P50	P95	P99	max
PING_INLINE	11.3%	24.1	7.2%	24.1%	56.7%	133.9%
PING_MBULK	-1.8%	0	0	0	0	-20.1%
SET	10.1%	30.1%	2.6%	30.1%	39.8%	96.0%
GET	-0.4%	-2.0%	0	-2.0%	-9.9%	-2.6%
INCR	9.9%	37.1%	6.5%	37.1%	51.8%	40.2%
LPUSH	8.5%	31.3%	5.9%	31.3%	54.5%	117.2%
RPUSH	0	6.0%	-2.9%	6.0%	6.0%	22.9%
LPOP	4.4%	11.3%	0	11.3%	29.7%	132.6%
RPOP	4.5%	20.0%	2.7%	20.0%	25.0%	-36.2%
SADD	8.1%	29.2%	3.0%	29.2%	33.4%	135.9%
HSET	6.4%	19.7%	5.6%	19.7%	31.3%	47.8%
SPOP	6.3%	18.7%	7.2%	18.7%	11.4%	188.2%
ZADD	3.9%	15.1%	0	15.1%	18.9%	131.8%
ZPOPMIN	2.8%	13.1%	3.5%	13.1%	4.2%	6.2%
XADD	3.8%	16.9%	1.9%	16.9%	29.4%	-61.7%

方案	容器启动开销/s	动态度量开销
DMSCTS	0.20	9.8%
Dimac	1.30	7.0%
本文方案	0.03	13.0%