{"title":"加密虚拟机中操作系统容器的热迁移","authors":"Joana Pecholt, Monika Huber, Sascha Wessel","doi":"10.1145/3474123.3486761","DOIUrl":null,"url":null,"abstract":"With the widespread use of Docker and Kubernetes, OS-level virtualization has become a key technology to deploy and run software. At the same time, data centers and cloud providers offer shared computing resources on demand. The use of these resources usually leads to a larger trusted computing base and less control over the data. We present a confidential computing concept for the migration of operating system containers in secure encrypted virtual machines so that these are protected from the operator and administrator. In our approach, processes inside of the containers remain intact, i.e., they keep their state and do not have to be restarted. Network services inside of the containers remain unchanged and reachable. This is typically called live migration. Integrity and confidentiality of the data inside of the containers is enforced during migration as well as on the destination platform, namely in transit, in use and at rest. The authenticity and integrity of the destination platform is verified using remote attestation before any data is transferred. While our core concept is not specific to a particular hardware, we present two different approaches corresponding to the first generation of AMD SEV as well as SEV-SNP. Our proof of concept implementation is based on the first generation of SEV.","PeriodicalId":109533,"journal":{"name":"Proceedings of the 2021 on Cloud Computing Security Workshop","volume":"33 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Live Migration of Operating System Containers in Encrypted Virtual Machines\",\"authors\":\"Joana Pecholt, Monika Huber, Sascha Wessel\",\"doi\":\"10.1145/3474123.3486761\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"With the widespread use of Docker and Kubernetes, OS-level virtualization has become a key technology to deploy and run software. At the same time, data centers and cloud providers offer shared computing resources on demand. The use of these resources usually leads to a larger trusted computing base and less control over the data. We present a confidential computing concept for the migration of operating system containers in secure encrypted virtual machines so that these are protected from the operator and administrator. In our approach, processes inside of the containers remain intact, i.e., they keep their state and do not have to be restarted. Network services inside of the containers remain unchanged and reachable. This is typically called live migration. Integrity and confidentiality of the data inside of the containers is enforced during migration as well as on the destination platform, namely in transit, in use and at rest. The authenticity and integrity of the destination platform is verified using remote attestation before any data is transferred. While our core concept is not specific to a particular hardware, we present two different approaches corresponding to the first generation of AMD SEV as well as SEV-SNP. Our proof of concept implementation is based on the first generation of SEV.\",\"PeriodicalId\":109533,\"journal\":{\"name\":\"Proceedings of the 2021 on Cloud Computing Security Workshop\",\"volume\":\"33 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-11-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2021 on Cloud Computing Security Workshop\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3474123.3486761\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2021 on Cloud Computing Security Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3474123.3486761","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Live Migration of Operating System Containers in Encrypted Virtual Machines
With the widespread use of Docker and Kubernetes, OS-level virtualization has become a key technology to deploy and run software. At the same time, data centers and cloud providers offer shared computing resources on demand. The use of these resources usually leads to a larger trusted computing base and less control over the data. We present a confidential computing concept for the migration of operating system containers in secure encrypted virtual machines so that these are protected from the operator and administrator. In our approach, processes inside of the containers remain intact, i.e., they keep their state and do not have to be restarted. Network services inside of the containers remain unchanged and reachable. This is typically called live migration. Integrity and confidentiality of the data inside of the containers is enforced during migration as well as on the destination platform, namely in transit, in use and at rest. The authenticity and integrity of the destination platform is verified using remote attestation before any data is transferred. While our core concept is not specific to a particular hardware, we present two different approaches corresponding to the first generation of AMD SEV as well as SEV-SNP. Our proof of concept implementation is based on the first generation of SEV.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
