<p>Container migration technology leverages dynamic relocation of container runtime contexts to deliver core value across three key dimensions: resource optimization, load balancing, and fault recovery. Most studies focus on optimizing the performance of migration algorithms. However, the migration process faces multiple security threats, such as data tampering during transmission that compromises state integrity; and container images may be maliciously replaced with forged images. Aiming at the above problems, this paper proposes a container authentication framework based on hardware trusted root, which overcomes the limitations of traditional static verification and realizes cross-platform dynamic trust transfer. The main works are: (1) Trusted Root Construction: Generate a Container-oriented PUF (CPUF) with PUF characteristics. (2) Container Migration Certificate (CMC) Generation: Extend the trust chain; (3) Two-stage authentication scheme: Verify container security before and after migration. We performed security validation of the proposed scheme using the Scyther software tool. Performance comparison shows that this scheme offers certain advantages in terms of security properties and communication cost.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Research on a trusted migration scheme for containers based on the unclonable functions

  • XinFeng He,
  • Tanxin Zou

摘要

Container migration technology leverages dynamic relocation of container runtime contexts to deliver core value across three key dimensions: resource optimization, load balancing, and fault recovery. Most studies focus on optimizing the performance of migration algorithms. However, the migration process faces multiple security threats, such as data tampering during transmission that compromises state integrity; and container images may be maliciously replaced with forged images. Aiming at the above problems, this paper proposes a container authentication framework based on hardware trusted root, which overcomes the limitations of traditional static verification and realizes cross-platform dynamic trust transfer. The main works are: (1) Trusted Root Construction: Generate a Container-oriented PUF (CPUF) with PUF characteristics. (2) Container Migration Certificate (CMC) Generation: Extend the trust chain; (3) Two-stage authentication scheme: Verify container security before and after migration. We performed security validation of the proposed scheme using the Scyther software tool. Performance comparison shows that this scheme offers certain advantages in terms of security properties and communication cost.