GB2563385A - Containerised programming - Google Patents

Containerised programming Download PDF

Info

Publication number
GB2563385A
GB2563385A GB1709133.1A GB201709133A GB2563385A GB 2563385 A GB2563385 A GB 2563385A GB 201709133 A GB201709133 A GB 201709133A GB 2563385 A GB2563385 A GB 2563385A
Authority
GB
United Kingdom
Prior art keywords
shell script
container
containerised
interpreter
orchestrator
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB1709133.1A
Other versions
GB201709133D0 (en
Inventor
Beddus Simon
Cristina Claudia
El-Moussa Fadi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
British Telecommunications PLC
Original Assignee
British Telecommunications PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by British Telecommunications PLC filed Critical British Telecommunications PLC
Priority to GB1709133.1A priority Critical patent/GB2563385A/en
Publication of GB201709133D0 publication Critical patent/GB201709133D0/en
Publication of GB2563385A publication Critical patent/GB2563385A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • G06F9/45508Runtime interpretation or emulation, e g. emulator loops, bytecode interpretation
    • G06F9/45512Command shells
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45579I/O management, e.g. providing access to device drivers or storage
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45591Monitoring or debugging support
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating
    • G06F9/44505Configuring for program initiating, e.g. using registry, configuration files
    • G06F9/4451User profiles; Roaming
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)

Abstract

An orchestrator for containerised processes comprises an input interpreter 2 that interprets user commands and user profile data and builds a deployment specification 4 for a containerised process, an event interpreter 8 that identifies external inputs relating to external events that affect the utilisation of the computer resources, an orchestration processor 5 that generates a shell script to operate the functions specified in the deployment specification in accordance with the external inputs, and a virtualisation agent 6 that runs the shell script on a host virtualisation container using computer resources associated with the orchestrator. The event interpreter may be arranged to identify security threats and/or resource overloads, and the script provided by the orchestration processor may provide appropriate defenses or be appropriate to the available resources.

Description

This invention relates to the management of computer server systems, and in particular to the use of a “container” server architecture. Container technology allows multiple applications to run on a common operating system, but each operates inside its own isolated environment with only software components and libraries it requires, packaged in a standardised way. Using containers results in smaller applications, which are quicker to download, and use less of the system's resources. This approach means applications will be more efficient, lightweight and portable between different operating systems. Container technology is often compared to virtual machines (VM). Virtualisation enables multiple operating systems and applications to run on the same physical hardware. A hypervisor, an emulation of the actual physical hardware, allows slicing of compute, storage and network for each VM. However, each VM has a complete operating system which means it is large in size (Gigabytes), uses up many system resources and can take long to start-up.
The usage of containerised applications requires no virtualisation of the hardware as they only abstract the operating system kernel. This makes containers more efficient, faster to implement and more portable than virtual machines.
The use of “Container” technology to run services and applications is becoming increasingly common due to its flexibility, packing density, portability across systems, and ease of deployment and configuration.
A drawback of container technology is that containers are not completely isolated and secure when deployed. Container technologies such as “Docker” use kernel namespaces to provide a level of isolation, but they do not namespace all the resources. For example, the user namespace is disabled by default in container deployments which results in the container running the same namespace as its host. This leads to containers having full privileges when accessing the host’s directories. When namespaces are enabled, containers run in their own namespace, rather than defaulting to that of the host, and are thus isolated from the host’s namespace and so are not allowed to access important system directories.
Another security flaw in containers is the default ability to use all the resources of the host (such as memory and CPU). This is a problem because container applications run on the same kernel resources, so if an individual container consumes too much memory, as it would during a DDoS attack, it will starve any other applications running on the host.
A number of container monitoring tools exist that allow specification of monitoring configuration, such as Data Dog, Sysdig, Prometheus and Sensu.
Network virtualisation originally used virtual machines but now increasingly uses container technology (due to better packing density). Given that networking is BT core business it is critical that best of breed security and ease of provisioning (through orchestration) and operations are both safe and efficient. Our invention through the use of standard APIs allows security countermeasures to be deployed seamlessly (and if necessary secretly) to vendors containers.
The container concept allows applications and their libraries to be run with a degree of isolation on the same operating system. This approach provides a much higher packing density of applications per physical server than virtualisation or indeed the traditional operating system and application model. It also enables much better portability between different operating systems and their flavours i.e. (Ubuntu, Centos, MacOS, Mint etc). The container requires only the application and necessary libraries to run. The container approach results in smaller applications, (low 10s of MB)), quicker to download, use less resources and very fast to start up sometime in the 10s of milliseconds.
At present, there is no platform that can automatically orchestrate secure and efficient computing containers based on policy, infrastructure load and security threats. At the same time, container technologies lack certain security and network features that can make deployment insecure.
However, the containers all share the same operating system and as such the isolation between containers is reduced, thus increasing the security threat. Container features such as ‘user namespaces and control groups can be set to increase the isolation between containers, but they require a detailed knowledge of container technology that is unlikely in the average user. At the same time, there are problems in the area of network management and encryption that make the efficient and secure deployment of container onerous if not impossible. There are a number of companies that provide container orchestration solutions that include companies such as Docker, Kubernetes, Cloudsoft and Rancher. They effectively provide low-level tools that will interpret a range of user generated instructions to build applications but will not address issues such as security threats or network requirements without hard coding by the user.
According to one aspect of the invention there is provided an orchestrator for containerised processes, comprising an Input Interpreter, for interpreting user commands and user profile data to build a deployment specification specifying functions to be run by a containerised process, an orchestration processor to generate a shell script to operate the functions specified by the input interpreter and a virtualisation agent to run the shell script on a host virtualisation container, using computer resources associated with the orchestrator an event interpreter for identifying inputs relating to external events affecting utilisation of the computer resources, and wherein the orchestration processor is responsive to the event interpreter to generate a shell script in accordance with the external inputs.
A second aspect provides a method of operating a computerised system to generate a containerised processing function, in which:
user commands and user profile data are interpreted to build a deployment specification specifying functions to be run by a containerised process, a shell script is generated suitable for operating functions specified by an input interpreter and the shell script is run on a host virtualisation container to run the containerised process, wherein the shell script is generated by an orchestration processor in response to inputs relating to external events affecting utilisation of the computer resources
Inputs are responsive to security threats and the orchestration processor generates a shell script providing defences appropriate to the level and type of security threats identified. Further inputs may relate to computing resource overloads, the orchestration processor generating a shell script appropriate to the available resources.
The invention may be implemented by a computer system including a processor and memory storing computer program code for performing the steps of the process. The invention also extends to a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the process.
In particular, this invention interprets external inputs such as event logging (security threats, network overloads etc) as well as manual inputs to generate the virtualised process using an orchestrator for virtualised and/or containerised processes.
The invention requires only the basic container commands to be understood by the user to deploy a safe container. A user can either specify a profile or can use a default profile to define the security and configuration. A container can be deployed that complies with the profile without the need of complex instructions, and apply controls and constraints before deployment, and indeed preventing deployment in high threat locations. It allows the use of ‘standard’ container APIs without the complexity of new instructions and procedures for the user. The invention can provide an orchestrator that not only applies vulnerability detection but can apply other countermeasures such as deployment or migration of containers during attacks to lesser prone infrastructure, and allows the orchestration of non-container tools to provide security and resilience.
An embodiment of the Invention will now be described, by way of example, with reference to the Figures, in which:
Figure 1 depicts a high-level view of the system architecture, showing the flow of information and events through each of the components.
Figure 2 depicts the flow of events when a container starts.
Figure 3 depicts a high-level view architecture of a container agent generated according to the embodiment.
The embodiment enables containers to be deployed and operated securely and efficiently based on policy. At the core of the embodiment is a container orchestrator that combines live security threats, network and compute status and static security pre-requisites to deploy, operate and re-deploy containers and their dependencies to comply with a customer expectation. By introducing new and sometimes existing components the embodiment addresses security and network issues within containers.
This embodiment allows the use of standard application programming interfaces (APIs). System managers can set policies that are implemented across all deployments. It allows more efficient and secure deployment of containers. Service Level Management techniques can be applied to containers to manage compute, memory, storage and network during the runtime.
Hot standby features can be offered to bring in a replacement container in the event that a primary container fails.
The embodiment provides a single view of all deployed assets. New physical or virtual servers can be brought into operation and used as an extension to the container computing pool. It allows reuse of existing visualised network and security invested.
As depicted in Figure 1, the embodiment comprises the following components. A Command Interpreter 2 interprets user commands delivered through a user interface 1, using data retrieved from a store 3 relating to policy, status and resources to build a deployment specification 4. The Command Interpreter 2 processes standard container commands received over the user interface 1 into a more sophisticated deployment description/specification 4 that takes into account preferences or settings defined by a predefined default profile, modified according to a user-specific profile stored in a local file and/or stored centrally 3. For example the profile may be flagged as vulnerable to malware. Other factors such as minimum bit rate, latency etc may also be included. The Command Interpreter 2 may also have inputs 40 from an event interpreter 8 providing live security information, such as, network load or a measure of the likelihood of a malware attack, and combines this with profile information to determine the resources to use and updates the deployment specification.
The deployment specification 4 is implemented by an Orchestrator 5. On receiving the complete deployment descriptor 4, the orchestrator generates a shell script 60 that will be run on a Container Agent 6. The orchestrator 5 can issue commands to the Container Agent 6 via a web service or via secure shell (SSH) cryptographic commands.
The process operates as depicted in the flow chart of Figure 2. The process starts when a command 20 is received by the user interface 1. The command interpreter 2 responds to the command by retrieving a user profile from the store 3 (step 21) and constructs a suitable deployment specification 4 (step 22). Suitable resources, either existing or new, are requested from the inventory 3 (step 23) and the deployment specification 4 is updated (step 26).
If the inventory 3 identifies that inadequate resources are available to meet the request (step 24), remedial measures are taken, which may include taking over resources from other containerised applications that are not running or have a lower priority (step 25), or revising the deployment specification (step 22 repeated) to meet the available resources.
The deployment specification 4 generated by the command interpreter 2 is passed to the orchestrator 5 that then generates a shell script (step 27) that can be applied to the Container Agent 6 to deploy the container (step 28). The results of deployment actions are recorded in the inventory 3 (step 29). The inventory data 3 can be used for later modification of a service (step 23) or removal of a service.
An example shell script 60 identifies input and output ports, create connections with other containers, configure the elements used in the container and initiate the functions, reporting the CPU and memory usage of the containered function to the inventory 3, to record allocation of resources to new or modified containers. The inventory store 30 also has provision for manual inputs through a user interface 30 for users and managers to view deployments and create profiles
The Container Agents 6, 6a, 6b etc, one of which is depicted in greater detail in Figure 3 comprise a central processing application programming interface (API) 69 co-ordinating the operation of a number of processors 61-66 (sometimes known as “daemons”) featuring monitoring, extended networking, vulnerability scanning and management components, under the control of the shell script 60 delivered from the orchestrator, and any other standard scripts 68 maintained by the agent 6. A container daemon (processor) 61 such as Docker or Rocket is hosted on a physical host or virtual machine, and generates the required container functions according to the shell script 60 received from the orchestrator, and any internal scripts. The Container Agent 6 also provides extra capabilities such as virtual switches 62 and virtual private network (VPN) capabilities 63 for extended networking, virtualisation tools (64) configuration elements 65 and intrusion tools 66 that allow for more secure and robust deployment and operation of containers. The Container Agent 6 also provides an event manager interface 67 that extracts details such as network monitoring, container daemon processing load, and security logs from data for handling by an event management system 7. The shell script 60 executes commands to perform actions on the other components 62-68 depicted in Figure 3. The rules for operating iptables 65 are also set through the Shell. The Event Manager 67 extracts security logs, container logs, and network information from the containers and sends the required data to the Event Handler 7 (Figure 1).
The Event manager 67 also provides a registration or deregistration facility that notifies the Event Handler 7 and subsequently Event Interpreter 8 of the Container Agent’s capability. A heartbeat event may be sent periodically to prove that services are still running well. The Container Agent 6 also has responsibilities for restarting failed containers.
An event handler 7 comprises components for receiving and logging events, both reported by the container agents 6, 6a, 6b......and also external events such as attacks on data centres and networks, reported through an external interface 70. These events are reported to an Event Interpreter 8, which is a component for determining actions/commands based on the events reported by the event handler 7 and developing further deployment specifications 4 to be applied by the orchestrator 5.
Inputs from the event interpreter 8 are also used to provide data relating to live loads on resources, and any security threats, to determine what resources are to be used. In particular, if a threat is perceived, stronger protection systems may be required, such as greater encryption, using more resources.
In a similar manner to the command interpreter 2, the event interpreter 8 handles incoming events such as Registration of new container agents 6, 6a,6b, loss of container agents, recovery of container agents, security threats to the system, region or individual container agents, and failure or overload of networks or containers. In a similar approach to the Command interpreter, a deployment script 40 is first created that is validated against existing resources. The deployment script can be sent to the orchestrator 5 to restart container agents 6, 6a, etc, or apply further security or network constraints. For instance, if a port scanning or hacking attack is detected on a container agent, then that container agent may be suspended and a new one installed and configured to replace it. If a security alert is received from an external source 70, countermeasures can be applied autonomously or on instruction from the orchestrator, as specified in the policy 3.
Such countermeasures can be executed through the Shell script 60 commands, which implement actions or apply rules to the other components, for example to change the rules in the iptables 65, execute specified scripts, or restart an individual container. This allows the container agent 6, on detecting a suspect Structured Query Language (SQL) command, to remove the source of the attack locally. Depending on the nature of the threat, the container agent may apply countermeasures autonomously, or it may prepare a script ready to run on instruction from the orchestrator 5 if it subsequently determines that the instructions need to be executed.

Claims (8)

1. An orchestrator for containerised processes, comprising
- an Input Interpreter, for interpreting user commands and user profile data to build a deployment specification specifying functions to be run by a containerised process,
- an orchestration processor to generate a shell script to operate the functions specified by the input interpreter
- and a virtualisation agent to run the shell script on a host virtualisation container, using computer resources associated with the orchestrator
- an event interpreter for identifying inputs relating to external events affecting utilisation of the computer resources, and wherein the orchestration processor is responsive to the event interpreter to generate a shell script in accordance with the external inputs.
2. An orchestrator according to Claim 1, in which the event interpreter is arranged to identify security threats, and the orchestration processor is arranged to generate a shell script providing defences appropriate to the level and type of threats identified.
3. An orchestrator according to Claim 1 or claim 2, in which the event interpreter is arranged to identify resource overloads, and the orchestration processor is arranged to generate a shell script appropriate to the available resources.
4. A method of operating a computerised system to generate a containerised processing function, in which:
user commands and user profile data are interpreted to build a deployment specification specifying functions to be run by a containerised process,
- a shell script is generated suitable for operating functions specified by an input interpreter
- and the shell script is run on a host virtualisation container to run the containerised process,
- wherein the shell script is generated by an orchestration processor in response to inputs relating to external events affecting utilisation of the computer resources
5. A method according to Claim 4, in which the inputs are responsive to security threats and the orchestration processor generates a shell script providing defences appropriate to the level and type of threats identified.
5
6. A method according to Claim 4 or claim 5, in which the inputs relate to computing resource overloads and the orchestration processor generates a shell script appropriate to the available resources.
7. A computer system including a processor and memory storing computer program code io for performing the steps of the process of Claim 1, Claim 2, Claim 3, Claim 4, Claim 5,, or claim
6.
8. A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a
15 process as claimed in any of Claim 1, Claim 2, Claim 3, Claim 4, Claim 5, or Claim 6.
GB1709133.1A 2017-06-08 2017-06-08 Containerised programming Withdrawn GB2563385A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1709133.1A GB2563385A (en) 2017-06-08 2017-06-08 Containerised programming

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1709133.1A GB2563385A (en) 2017-06-08 2017-06-08 Containerised programming

Publications (2)

Publication Number Publication Date
GB201709133D0 GB201709133D0 (en) 2017-07-26
GB2563385A true GB2563385A (en) 2018-12-19

Family

ID=59358254

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1709133.1A Withdrawn GB2563385A (en) 2017-06-08 2017-06-08 Containerised programming

Country Status (1)

Country Link
GB (1) GB2563385A (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109960634B (en) * 2019-03-29 2023-10-31 新华三技术有限公司 Application program monitoring method, device and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090222880A1 (en) * 2008-03-03 2009-09-03 Tresys Technology, Llc Configurable access control security for virtualization
US9122562B1 (en) * 2014-06-19 2015-09-01 Amazon Technologies, Inc. Software container recommendation service
US20160283713A1 (en) * 2015-03-25 2016-09-29 International Business Machines Corporation Security within a software-defined infrastructure
US20170054759A1 (en) * 2015-08-19 2017-02-23 Samsung Sds Co., Ltd. Method and apparatus for security checking of image for container

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090222880A1 (en) * 2008-03-03 2009-09-03 Tresys Technology, Llc Configurable access control security for virtualization
US9122562B1 (en) * 2014-06-19 2015-09-01 Amazon Technologies, Inc. Software container recommendation service
US20160283713A1 (en) * 2015-03-25 2016-09-29 International Business Machines Corporation Security within a software-defined infrastructure
US20170054759A1 (en) * 2015-08-19 2017-02-23 Samsung Sds Co., Ltd. Method and apparatus for security checking of image for container

Also Published As

Publication number Publication date
GB201709133D0 (en) 2017-07-26

Similar Documents

Publication Publication Date Title
US11620145B2 (en) Containerised programming
US11652852B2 (en) Intrusion detection and mitigation in data processing
EP3203373B1 (en) Harmonized governance system for heterogeneous agile information technology environments
US10678935B2 (en) Identifying container file events for providing container security
US11222123B2 (en) Securing privileged virtualized execution instances from penetrating a virtual host environment
US8910238B2 (en) Hypervisor-based enterprise endpoint protection
US8689282B1 (en) Security policy enforcement framework for cloud-based information processing systems
US9021546B1 (en) Systems and methods for workload security in virtual data centers
JP6055574B2 (en) Context-based switching to a secure operating system environment
US10325116B2 (en) Dynamic privilege management in a computer system
AU2020235010B2 (en) Starting a secure guest using an initial program load mechanism
US20240005021A1 (en) Virtualizing secure storage of a baseboard management controller to a host computing device
US20210344719A1 (en) Secure invocation of network security entities
US11645400B2 (en) Secured interprocess communication
GB2563385A (en) Containerised programming
US9696940B1 (en) Technique for verifying virtual machine integrity using hypervisor-based memory snapshots
Tariq et al. Information security framework for cloud and virtualization security
US20240143708A1 (en) Dynamic transitioning among device security states based on server availability
US11507408B1 (en) Locked virtual machines for high availability workloads
US20230168911A1 (en) Customized initialization code delivery over network for zero-trust virtual machine
Thorat et al. Offline management in virtualized environments

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)