CN113383330B - Creation and execution of secure containers - Google Patents

Creation and execution of secure containers

Info

Publication number
CN113383330B
Authority
CN
China
Prior art keywords
secure
encrypted
container image
layer
blocks
Prior art date
Legal status
Active
Application number
CN202080012580.XA
Other languages
English (en)
Chinese (zh)
Other versions
CN113383330A (zh)
Inventor
U·巴赫尔
R·宾德根
P·默简
J·弗兰克
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date
Filing date
Publication date
Application filed by International Business Machines Corp
Publication of CN113383330A
Application granted
Publication of CN113383330B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/11 File system administration, e.g. details of archiving or snapshots
    • G06F16/116 Details of conversion of file system types or formats
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45583 Memory management, e.g. access or allocation
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • G06F8/63 Image based installation; Cloning; Build to order

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP19155755.2 2019-02-06
EP19155755 2019-02-06
PCT/IB2020/050789 WO2020161577A1 (en) 2019-02-06 2020-01-31 Creation and execution of secure containers

Publications (2)

Publication Number Publication Date
CN113383330A CN113383330A (zh) 2021-09-10
CN113383330B true CN113383330B (zh) 2025-05-09

Family

ID=65351936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080012580.XA Active CN113383330B (zh) 2019-02-06 2020-01-31 Creation and execution of secure containers

Country Status (6)

Country Link
US (1) US11475138B2
JP (1) JP7368476B2
CN (1) CN113383330B
DE (1) DE112020000694T5
GB (1) GB2594225B
WO (1) WO2020161577A1

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102223141B1 (ko) * 2019-02-12 2021-03-04 성균관대학교산학협력단 Method of operating a storage driver in a container environment, and storage driver device
US11062022B1 (en) * 2019-05-01 2021-07-13 Intuit Inc. Container packaging device
US10901704B1 (en) * 2020-07-19 2021-01-26 Xmodn Security, Llc Computer-aided design, simulation, and code generation for cryptography
US11455405B2 (en) * 2020-08-07 2022-09-27 EMC IP Holding Company LLC Optimizing docker image encryption—tradeoff between performance and protection level
US11675913B2 (en) * 2020-09-18 2023-06-13 EMC IP Holding Company LLC Optimizing container image encryption
US11455429B2 (en) * 2020-12-03 2022-09-27 International Business Machines Corporation Container-based cryptography hardware security module management
US11874926B2 (en) * 2020-12-07 2024-01-16 Hewlett Packard Enterprise Development Lp Measuring containers
CN113296887B (zh) * 2021-03-31 2023-12-08 阿里巴巴(中国)有限公司 Method and apparatus for starting a secure container
CN113391880B (zh) * 2021-06-21 2023-04-07 超越科技股份有限公司 Trusted image transmission method with layered double hash verification
US12056512B2 (en) 2021-06-25 2024-08-06 Microsoft Technology Licensing, Llc Secure computing mechanism
CN113569232A (zh) * 2021-08-13 2021-10-29 中国光大银行股份有限公司 Container trusted measurement method, apparatus and data system
CN114329442B (zh) * 2021-12-27 2025-12-23 奇安信科技集团股份有限公司 Security protection method and apparatus
US20230315678A1 (en) * 2022-03-29 2023-10-05 International Business Machines Corporation Storage driver for managing a multiple layer file system on the cloud
CN114780139B (zh) * 2022-04-01 2025-07-01 上海安势信息技术有限公司 Method, system and storage medium for analysing the components of an image
US20220335139A1 (en) * 2022-05-30 2022-10-20 Intel Corporation Method and apparatus for improved container image deployment
US12242879B2 (en) * 2022-07-06 2025-03-04 International Business Machines Corporation Protecting container images and runtime data
CN115344854A (zh) * 2022-07-26 2022-11-15 厦门服云信息科技有限公司 Method for monitoring files of other containers from within a container, terminal device and medium
US12608237B2 (en) * 2022-11-23 2026-04-21 Red Hat, Inc. Detecting and migrating a rogue user application to avoid functional safety interference
US12189572B1 (en) * 2023-01-10 2025-01-07 Palantir Technologies Inc. Streamlining processing and transport of artifacts in air-gapped networks
US12321473B2 (en) * 2023-05-19 2025-06-03 Red Hat, Inc. On-demand encrypted container image download
US12314124B2 (en) 2023-07-12 2025-05-27 Bank Of America Corporation System and method for resolving a system alarm
US12242363B2 (en) 2023-07-12 2025-03-04 Bank Of America Corporation System and method for securing resolution of a system alarm
EP4506843A1 (en) * 2023-08-08 2025-02-12 Intel Corporation Methods and apparatus for container deployment in a network-constrained environment
US12579296B2 (en) * 2024-06-11 2026-03-17 Sylabs IP Holdings, LLC, Series G Data security transactions using software container machine readable configuration data

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109190386A (zh) * 2018-04-04 2019-01-11 中国电子科技网络信息安全有限公司 Device Mapper based layered encrypted storage method for container images

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5129082A (en) * 1990-03-27 1992-07-07 Sun Microsystems, Inc. Method and apparatus for searching database component files to retrieve information from modified files
CN101847184A (zh) 2009-12-16 2010-09-29 深圳市虹安信息技术有限公司 File encryption method using an encrypted sandbox
US9176677B1 (en) * 2010-09-28 2015-11-03 Emc Corporation Virtual provisioning space reservation
US8412945B2 (en) 2011-08-09 2013-04-02 CloudPassage, Inc. Systems and methods for implementing security in a cloud computing environment
US9740583B1 (en) * 2012-09-24 2017-08-22 Amazon Technologies, Inc. Layered keys for storage volumes
US9652631B2 (en) * 2014-05-05 2017-05-16 Microsoft Technology Licensing, Llc Secure transport of encrypted virtual machines with continuous owner access
CN105069353B (zh) * 2015-08-11 2017-10-24 武汉大学 Docker-based trusted container security hardening method
US20170130192A1 (en) * 2015-11-09 2017-05-11 Organovo, Inc. Methods for tissue fabrication
US10002247B2 (en) 2015-12-18 2018-06-19 Amazon Technologies, Inc. Software container registry container image deployment
WO2017111843A1 (en) * 2015-12-24 2017-06-29 Intel Corporation Trusted deployment of application containers in cloud data centers
US10460124B2 (en) * 2016-06-20 2019-10-29 Netapp, Inc. Per-volume tenant encryption and external key manager
EP3267351A1 (en) 2016-07-07 2018-01-10 Gemalto Sa Method for securely managing a docker image
US10554690B2 (en) 2016-11-10 2020-02-04 International Business Machines Corporation Security policy inclusion with container deployment
US10572226B2 (en) 2016-12-21 2020-02-25 Aon Global Operations Ltd (Singapore Branch) Methods, systems, and portal using software containers for accelerating aspects of data analytics application development and deployment
CN107729020B (zh) * 2017-10-11 2020-08-28 北京航空航天大学 Method for rapid large-scale container deployment
US10997283B2 (en) * 2018-01-08 2021-05-04 Aqua Security Software, Ltd. System for securing software containers with encryption and embedded agent

Also Published As

Publication number Publication date
JP7368476B2 (ja) 2023-10-24
US11475138B2 (en) 2022-10-18
GB202112113D0 (en) 2021-10-06
JP2022520703A (ja) 2022-04-01
GB2594225B (en) 2022-03-02
CN113383330A (zh) 2021-09-10
GB2594225A (en) 2021-10-20
US20200250319A1 (en) 2020-08-06
WO2020161577A1 (en) 2020-08-13
DE112020000694T5 (de) 2021-10-21

Similar Documents

Publication Publication Date Title
CN113383330B (zh) Creation and execution of secure containers
US11159518B2 (en) Container independent secure file system for security application containers
US12105805B2 (en) Binding secure keys of secure guests to a hardware security module
JP7546675B2 (ja) Binding secure objects of a security module to a secure guest
US8694786B2 (en) Virtual machine images encryption using trusted computing group sealing
US7908476B2 (en) Virtualization of file system encryption
US11366894B1 (en) Secure computing resource deployment using homomorphic encryption
US9779032B2 (en) Protecting storage from unauthorized access
TWI737172B (zh) Computer system, computer program product and computer-implemented method for incremental decryption and integrity verification of a secure operating system image
US11755721B2 (en) Trusted workload execution
GB2515536A (en) Processing a guest event in a hypervisor-controlled system
US11093272B2 (en) Virtual machine allocation and migration between hardware devices by destroying and generating enclaves using transmitted datafiles and cryptographic keys
WO2024007733A1 (en) Protecting container images and runtime data
US11829495B2 (en) Confidential data provided to a secure guest via metadata
US9772954B2 (en) Protecting contents of storage
TWI840804B (zh) Computer program product, computer system and computer-implemented method relating to deferred retrieval of secure guest resources
US11645092B1 (en) Building and deploying an application
Al Said et al. Analysing virtual machine security in cloud systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant