Research on a trusted migration scheme for containers based on the unclonable functions
摘要
Container migration technology leverages dynamic relocation of container runtime contexts to deliver core value across three key dimensions: resource optimization, load balancing, and fault recovery. Most studies focus on optimizing the performance of migration algorithms. However, the migration process faces multiple security threats, such as data tampering during transmission that compromises state integrity; and container images may be maliciously replaced with forged images. Aiming at the above problems, this paper proposes a container authentication framework based on hardware trusted root, which overcomes the limitations of traditional static verification and realizes cross-platform dynamic trust transfer. The main works are: (1) Trusted Root Construction: Generate a Container-oriented PUF (CPUF) with PUF characteristics. (2) Container Migration Certificate (CMC) Generation: Extend the trust chain; (3) Two-stage authentication scheme: Verify container security before and after migration. We performed security validation of the proposed scheme using the Scyther software tool. Performance comparison shows that this scheme offers certain advantages in terms of security properties and communication cost.