CN114491507A - Design method for realizing lightweight safety container based on embedded real-time operating system - Google Patents

Info

Publication number: CN114491507A
Authority: CN (China)
Prior art keywords: container, configuration, security, safety, file
Legal status: Pending
Application number: CN202210036215.3A
Other languages: Chinese (zh)
Inventors: 焦进星, 徐贵洲, 李孝成, 韩辉, 王翾
Current assignee: Nanjing Yihui Information Technology Co ltd
Original assignee: Nanjing Yihui Information Technology Co ltd
Application filed by Nanjing Yihui Information Technology Co ltd
Priority to CN202210036215.3A
Priority to PCT/CN2022/079239 (WO2023133990A1)
Publication of CN114491507A

Classifications

    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The invention discloses a design method for realizing a lightweight secure container based on an embedded real-time operating system. The method comprises: creating a secure container and specifying its path and name; configuring the secure container using file path mapping and quotas, setting the amount of resources the secure container may use and its access permissions, and configuring the mapping directory of the host shared library; starting the secure container and providing a port that can be accessed from outside; executing an application program in the secure container, controlling the permissions and behaviour of the application program, and limiting the CPU (Central Processing Unit) time of the container by an upper limit on priority; and exiting the secure container depending on the result of the operation. The invention supports the container function and container management in multiple respects, solves problems existing in current container use scenarios, has advantages in security, resource occupation, system adaptability and the like, and, combined with the real-time property of the operating system, better meets the application security requirements of the industrial control field.

Description

Design method for realizing lightweight safety container based on embedded real-time operating system
Technical Field
The invention relates to the technical field of embedded real-time operating systems, in particular to a design method for realizing a lightweight secure container based on an embedded real-time operating system.
Background
At present, the common secure container schemes on the market are Docker and LXC, which have the following disadvantages:
1. The system occupies too many resources. A large body of data shows that Docker actually occupies too much memory at run time; for Docker to run smoothly, the system environment needs about 1GB of memory. This is not suitable for the embedded field, where the memory of devices is usually extremely small and dozens of MB is very common.
2. Current container schemes cannot properly support one container running multiple processes. Although many schemes provide strategies for running multiple processes in one container, none of them supports this natively, which brings much inconvenience and uncertainty in use.
3. Current container schemes find it difficult to effectively handle the situation where the running state of other containers is blocked because a certain container runs abnormally or illegally occupies the CPU.
4. The real-time performance of the system is insufficient: Linux is a non-real-time operating system, so its real-time performance cannot meet the actual requirements that numerous industrial control fields place on secure container applications.
Disclosure of Invention
The invention provides a design method for realizing a lightweight secure container based on an embedded real-time operating system. It adopts a container development and design method different from the LXC and Docker containers traditionally used on Linux, and aims to solve several problems that currently exist when containers are used in the embedded field, while still implementing the basic functions of current containers and retaining real-time system response capability.
In order to achieve the technical purpose and achieve the technical effect, the invention is realized by the following technical scheme:
The invention relates to a design method for realizing a lightweight secure container based on an embedded real-time operating system, which specifically comprises the following steps:
step S1, creating a secure container, and presetting the path and name of the secure container;
step S2, determining the file path mapping and quota, configuring the secure container, setting the amount of resources and the access permissions the secure container may use, and configuring the mapping directory of the host shared library;
step S3, starting the secure container and determining an externally accessible port;
step S4, executing an application program in the secure container, controlling the permissions and behaviour of the application program, and limiting the CPU time of the secure container by an upper limit on priority;
step S5, exiting the secure container according to the result of the operation.
The method realizes the secure container function on the basis of an embedded operating system: it modifies the kernel and components of the embedded operating system, controls the code by introducing a compile-time macro related to the secure container, realizes containerization through the embedded operating system handle, binds the embedded operating system object ID to the secure container ID to isolate resources, and adds quota limits such as file system and resource quotas, so that the embedded operating system supports the secure container function. The method supports an operating mode in which multiple processes run in one secure container: processes can be created in multiple secure container environments, multiple processes in the same secure container share that container's resources and environment, different secure containers use different system page tables, processes in the same secure container share one page table, and processes are created inside the secure container.
The functions of the secure container comprise file storage isolation, device isolation, environment variable isolation, POSIX namespace isolation, IPC isolation, AF_UNIX isolation and system log isolation; the packaging and deployment functions required by the secure container are also provided, comprising secure container image packaging, secure container installation and deployment, and secure container upgrading. The file path mapping and quota mode is used as the root file system of the secure container and improves file access speed; the file path mapping mode allows the base library to be reused, which reduces disk occupancy.
In step S2, configuring the secure container comprises secure container name configuration, CPU run-time configuration, memory configuration, kernel object configuration, disk space configuration, file path mapping configuration, file permission configuration and shell command permission configuration; the CPU time of the secure container is limited by the upper limit on priority set in the configuration file, so that the lightweight secure container is realized on the basis of the embedded real-time operating system.
The name of the secure container is configured as the hostname; the CPU run-time configuration of the secure container is realized by limiting the highest priority that may be used when a thread is created and the highest ceiling priority that may be used when a mutex is created; the memory configuration allows at most 32MB of memory to be used; the kernel object configuration applies to kernel objects of the mutex, msgqueue and semaphore types; the disk space configuration supports disk space of the tpsfs and yaffs types and supports at least 163840MB of disk space; the file path mapping configuration supports mapping the root directory of the secure container to the root directory of a secure container file system, which realizes the file storage isolation of the secure container; the shell command permission configuration comprises an ls = x configuration item and a shutdown = no configuration item, where ls = x means that the secure container may execute the ls command through the system or pop function, and shutdown = no means that the secure container cannot execute the shutdown command; the shell command permission configuration comes from the secure container configuration file, which is in INI format and is stored in the root directory of the secure container file system, and the secure container configuration file cannot be modified while the secure container is running.
The invention also supports the MIPS and AARCH64 architectures, on which the secure container performs two mapping operations on the kernel:
the first mapping is carried out according to the kernel-mode access permissions: the system TEXT section is given read-only and executable permissions in kernel mode, the system DATA section is given read-write permissions in kernel mode, and both the system TEXT section and the system DATA section are inaccessible in user mode;
the second mapping is carried out according to the user-mode access permissions: in user mode, the system TEXT section is given executable permission only for the part that forms the system call interface pages provided by the kernel, and the system DATA section is given read-only permission only for the read-only global variable pages provided by the kernel.
The image of the secure container is a zip package of the secure container's configuration file and file system tree; the related steps comprise secure container installation, secure container deletion, secure container packaging and secure container upgrading:
secure container installation decompresses the container image zip package to a path using the unzip command, which installs the secure container;
secure container deletion, after the secure container has exited, formats the disk partition of the secure container using the mkfspath command or deletes the root directory of the secure container using the rm command;
secure container packaging packs the file system tree of the secure container into a secure container image zip package using the zip command;
secure container upgrading decompresses the zip package of the secure container's patch image, using the unzip command, to the path where the other secure containers are located.
Compared with the prior art, the invention has the following beneficial effects: the hardware cost of the container used in the invention is low, and the secure container scheme can be supported on the common low-computing-power, small-memory devices of the embedded field (such as ARM9@300MHz + 16 MB RAM); the real-time property of the real-time operating system is retained while the container function is realized. The measured real-time performance of the operating system with the container in use is: high-priority task response 6 us, semaphore activation response 11 us, RMS period jitter 10 us. The usage and maintenance management modes of the container are more intuitive and convenient, and the adopted container configuration method is simpler. Power-failure safety is realized: the adopted TPSFS file system supports a power-failure safety strategy and simplifies the hardware design. On the basis of the invention, after support for the container function and container management in multiple respects is realized, many problems existing in current container use scenarios are solved, and the method has advantages in security, resource occupation, system adaptability and the like; combined with the real-time property of the operating system, it better meets the application security requirements of the industrial control field.
Drawings
FIG. 1 is a flow chart of the design method for implementing a lightweight secure container in an embodiment of the present invention;
FIG. 2 is a schematic diagram of the framework structure of a secure container according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the comparison between ECS and Docker in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, the present invention provides the following technical solution: a design method for realizing a lightweight secure container based on an embedded real-time operating system, which specifically comprises the following steps:
step S1, creating a secure container, and specifying the path and name of the secure container;
step S2, configuring the secure container, setting the amount of resources and the access permissions the secure container may use, and configuring the mapping directory of the host shared library;
step S3, starting the secure container and providing a port that can be accessed from outside;
step S4, executing the application program in the secure container, and controlling the permissions and behaviour of the application program;
step S5, exiting the secure container according to the result of the operation.
The framework of the secure container specifically realizes the function of the container based on the embedded operating system, modifies the kernel and components of the embedded operating system, controls the code by introducing a compiling macro related to the secure container, realizes containerization by the handle of the embedded operating system, binds the object ID of the embedded operating system and the ID of the secure container to isolate resources, and increases quota limits such as file systems, resources and the like to enable the embedded operating system to support the function of the secure container.
As shown in fig. 2, each container (the kernel container and the normal containers) has an independent address space, i.e. an independent MMU context. Multiple processes may be created within a normal container, and the processes within the normal container enter the kernel through system calls. Specifically, the method supports an operating mode of multiple processes in one secure container, supports process creation in multiple secure container environments, and supports multiple processes in the same secure container sharing that container's resources and environment; different secure containers use different system page tables, processes in the same container share one page table, and processes are created inside the secure container.
The ASID function is supported, and it reduces the overhead that secure container switching imposes on the system. The ASID function improves TLB performance by dividing the TLB into global entries and process-related entries. Global entries are mappings that reside in the TLB and are not flushed, e.g. kernel space; process-related entries belong to the address space unique to each process, and this part of the TLB may be flushed when a process switch occurs. To support process-related entries, taking ARM as an example, a hardware solution, the ASID (Address Space ID), lets the TLB identify which process a TLB entry belongs to. ASIDs are managed by a bitmap, and on AARCH64 the ASID field of the page table base register (TTBR) is set. The ASID value is assigned when an MMU context is created and is written to the TTBR register when the MMU context is switched. When the TLB needs to be invalidated, the ASID number can be passed in, and only the process-related TLB entries corresponding to that ASID are flushed. When filling in the page attributes of the MMU, the ASID is used together with the nG bit in the MMU page table: a translation page table entry with nG == 0 has the global attribute, and its memory region is accessible to all processes; a translation page table entry with nG == 1 has the process-related attribute, and its memory region is used only by the process with the current ASID.
Further functions of the secure container include file storage isolation, device isolation, environment variable isolation, POSIX namespace isolation, IPC isolation, AF_UNIX isolation and system log isolation, and the packaging and deployment functions required by the secure container are provided, including image packaging of the secure container, installation and deployment of the secure container, and upgrading of the secure container.
The configuration system of the container: in step S2, configuring the secure container comprises configuring the name of the secure container, configuring the CPU run time, configuring the memory, configuring the kernel objects, configuring the disk space, configuring the file path mapping, configuring the file permissions, and configuring the shell command permissions.
Specifically, the name of the secure container is configured as the hostname; the CPU run-time configuration is realized by limiting the highest priority that may be used when a thread is created and the highest ceiling priority that may be used when a mutex is created; the memory configuration allows at most 32MB of memory to be used; the kernel object configuration applies to kernel objects of the mutex, msgqueue and semaphore types; the disk space configuration supports disk space of the tpsfs and yaffs types and supports at least 163840MB of disk space; the file path mapping configuration supports mapping the root directory of the secure container to the root directory of the container file system, which realizes the file storage isolation of the secure container; the shell command permission configuration comprises an ls = x configuration item and a shutdown = no configuration item, where ls = x means that the secure container may execute the ls command through the system or pop function, and shutdown = no means that the secure container cannot execute the shutdown command; the shell command permission configuration comes from the secure container configuration file, which is in INI format and is stored in the root directory of the secure container file system, and the secure container configuration file cannot be modified while the secure container is running.
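A parser and enforcement checks for a configuration file of the kind described above (INI format; hostname, thread priority and mutex ceiling limits, ls = x and shutdown = no shell permission items), as an added example that is not part of the patent and not the project's own code. The section names, the key names other than hostname, ls and shutdown, the deny-by-default rule for commands absent from the file, and the convention that a larger number means a higher priority are all assumptions; the sample configuration is constructed.

```c
/* Added example, not the patent's code: a minimal parser for a secure container
 * configuration file in the INI format the text describes, plus the checks a kernel
 * would apply against it. Section names, the keys other than hostname, ls and shutdown,
 * deny-by-default for unlisted commands and "larger = higher priority" are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

enum { MAX_CMDS = 32, MAX_NAME = 64 };

typedef struct {
    char hostname[MAX_NAME];
    int  max_thread_prio;     /* highest priority a thread may be created with */
    int  max_mutex_ceiling;   /* highest ceiling priority a mutex may be created with */
    struct { char name[MAX_NAME]; bool allowed; } cmds[MAX_CMDS];
    int  ncmds;
} container_cfg_t;

/* Constructed sample using the items the text names (hostname, ls = x, shutdown = no). */
static const char *SAMPLE_CFG =
    "; secure container configuration (constructed sample)\n"
    "[container]\n"
    "hostname = plc-app1\n"
    "[cpu]\n"
    "max_thread_prio = 100\n"
    "max_mutex_ceiling = 120\n"
    "[shell]\n"
    "ls = x\n"
    "shutdown = no\n";

static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Parse text into c; returns 0 on success, -1 on a malformed line or an unknown key. */
int cfg_parse(container_cfg_t *c, const char *text)
{
    char buf[1024], section[MAX_NAME] = "";
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    memset(c, 0, sizeof *c);
    for (char *s = strtok(buf, "\n"); s; s = strtok(NULL, "\n")) {
        s = trim(s);
        if (*s == '\0' || *s == ';' || *s == '#') continue;   /* blank or comment */
        if (*s == '[') {                                       /* section header */
            char *end = strchr(s, ']');
            if (!end) return -1;
            *end = '\0';
            snprintf(section, sizeof section, "%s", trim(s + 1));
            continue;
        }
        char *eq = strchr(s, '=');
        if (!eq) return -1;
        *eq = '\0';
        char *key = trim(s), *val = trim(eq + 1);
        if (!strcmp(section, "container") && !strcmp(key, "hostname"))
            snprintf(c->hostname, sizeof c->hostname, "%s", val);
        else if (!strcmp(section, "cpu") && !strcmp(key, "max_thread_prio"))
            c->max_thread_prio = atoi(val);
        else if (!strcmp(section, "cpu") && !strcmp(key, "max_mutex_ceiling"))
            c->max_mutex_ceiling = atoi(val);
        else if (!strcmp(section, "shell")) {   /* "name = x" allows; "no" or anything else denies */
            if (c->ncmds >= MAX_CMDS) return -1;
            snprintf(c->cmds[c->ncmds].name, MAX_NAME, "%s", key);
            c->cmds[c->ncmds].allowed = !strcmp(val, "x");
            c->ncmds++;
        } else
            return -1;   /* unknown key: reject rather than silently ignore */
    }
    return 0;
}

/* Check for system()/popen() inside the container: the first word of the command line is
 * the program, matched by base name against the shell permission items. */
bool cfg_cmd_allowed(const container_cfg_t *c, const char *cmdline)
{
    char prog[MAX_NAME];
    size_t n = strcspn(cmdline, " \t");
    if (n == 0 || n >= sizeof prog) return false;
    memcpy(prog, cmdline, n); prog[n] = '\0';
    const char *base = strrchr(prog, '/');
    base = base ? base + 1 : prog;
    for (int i = 0; i < c->ncmds; i++)
        if (!strcmp(c->cmds[i].name, base)) return c->cmds[i].allowed;
    return false;   /* assumption: commands absent from the configuration are denied */
}

/* Checks applied when a thread or a mutex is created inside the container. */
bool cfg_thread_prio_ok(const container_cfg_t *c, int prio) { return prio >= 0 && prio <= c->max_thread_prio; }
bool cfg_mutex_ceiling_ok(const container_cfg_t *c, int ceiling) { return ceiling >= 0 && ceiling <= c->max_mutex_ceiling; }
/* Parses the constructed sample; returns NULL if it fails to parse. */
const container_cfg_t *sample_cfg(void)
{
    static container_cfg_t c;
    return cfg_parse(&c, SAMPLE_CFG) == 0 ? &c : NULL;
}
```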
The container security isolation system comprises: file storage isolation (the container configuration system maps the container's /apps, /lib and similar directories to the apps, lib and similar subdirectories of the container's file system tree; the two directories /dev and /proc are fixedly mapped by the system); device isolation (each container has its own device subdirectory, isolated from and invisible to the other containers, and named pipe files created with the mkfifo function or the mkfifo command are automatically stored in the container's own device subdirectory); environment variable isolation (when the container starts, environment variables are read from the /etc/profile file of the container file system, and different containers are isolated from each other); POSIX namespace isolation (POSIX named message queues and named semaphores of different containers are isolated from each other); XSI IPC isolation (XSI IPC of different containers is isolated because, thanks to the containers' file system isolation, the keys generated by the ftok function from the real file path do not collide).
Further, the secure container also supports the MIPS and AARCH64 architectures, on which the secure container performs two mapping operations on the kernel. The first mapping is carried out according to the kernel-mode access permissions: the system TEXT section is given read-only and executable permissions in kernel mode, the system DATA section is given read-write permissions in kernel mode, and both the system TEXT section and the system DATA section are inaccessible in user mode. The second mapping is carried out according to the user-mode access permissions: in user mode, the system TEXT section is given executable permission only for the part that forms the system call interface pages provided by the kernel, and the system DATA section is given read-only permission only for the read-only global variable pages provided by the kernel. Through these two mappings, user-mode access to kernel resources is accelerated while the kernel resources remain protected.
Container image: the container image is a zip package of the secure container's configuration file and file system tree, and the related operations comprise secure container installation, secure container deletion, secure container packaging and secure container upgrading. Secure container installation decompresses the container image zip package to a path using the unzip command, which installs the secure container; secure container deletion, after the secure container has exited, formats the disk partition of the secure container using the mkfspath command or deletes the root directory of the secure container using the rm command; secure container packaging packs the file system tree of the secure container into a secure container image zip package using the zip command; secure container upgrading decompresses the zip package of the secure container's patch image, using the unzip command, to the path where the other containers are located.
Using the container: container start-up, container login and running programs in the container are carried out in sequence.
Referring to fig. 3, the hardware cost of the container used in the present invention is low, and the secure container scheme can also be supported on the low-computing-power, small-memory devices (such as ARM9@300MHz + 16 MB RAM) commonly used in the embedded field; the real-time property of the real-time operating system is retained while the container function is realized. The measured real-time performance of the operating system with the container in use is: high-priority task response 6 us, semaphore activation response 11 us, RMS period jitter 10 us. The usage and maintenance management modes of the container are more intuitive and convenient, and the adopted container configuration method is simpler. Power-failure safety is realized: the adopted TPSFS file system supports a power-failure safety strategy and simplifies the hardware design. On the basis of the invention, after support for the container function and container management in multiple respects is realized, many problems existing in current container use scenarios are solved, and the method has advantages in security, resource occupation, system adaptability and the like; combined with the real-time property of the operating system, it better meets the application security requirements of the industrial control field.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (7)

1. A design method for realizing a lightweight secure container based on an embedded real-time operating system, characterized in that the method comprises the following steps:
step S1, creating a secure container, and presetting the path and name of the secure container;
step S2, determining the file path mapping and quota, configuring the secure container, setting the amount of resources and the access permissions the secure container may use, and configuring the mapping directory of the host shared library;
step S3, starting the secure container and determining an externally accessible port;
step S4, executing an application program in the secure container, controlling the permissions and behaviour of the application program, and limiting the CPU time of the secure container by an upper limit on priority;
in step S5, the secure container can be exited based on the result of the execution of the program in the secure container and the user operation.
2. The design method for realizing the lightweight security container based on the embedded real-time operating system according to claim 1, wherein: the method comprises the steps of realizing the function of a secure container based on an embedded operating system, modifying the kernel and components of the embedded operating system, controlling codes by introducing a compiling macro related to the secure container, containerizing by an embedded operating system handle, binding an embedded operating system object ID with the secure container ID to isolate resources, and increasing quota limits such as a file system and resources to enable the embedded operating system to support the function of the secure container;
the method comprises the steps that a plurality of processes are arranged in a safety container in an operating mode, the process is newly built in a plurality of safety container environments, a plurality of processes in the same safety container share the resource and environment of the same safety container, different system page tables are used by different safety containers, the processes in the same safety container share one page table, and the processes are built in the safety container.
3. The design method for realizing the lightweight security container based on the embedded real-time operating system according to claim 2, wherein: the functions of the security container comprise file storage isolation, equipment isolation, environment variable isolation, posix namespace isolation, IPC isolation, AF _ UNIX isolation and system log isolation, and packaging deployment functions required by the security container are provided, wherein the packaging deployment functions comprise security container mirror image packaging, security container installation deployment and security container upgrading; the file path mapping and quota mode is used as a root file system of the security container and used for improving the file access speed; the file path mapping mode allows multiplexing of the base library for reducing disk occupancy.
4. The design method for realizing a lightweight secure container based on an embedded real-time operating system according to claim 1, wherein: in step S2, configuring the secure container includes secure container name configuration, CPU run-time configuration, memory configuration, kernel object configuration, disk space configuration, file path mapping configuration, file permission configuration and shell command permission configuration; the CPU time available to the secure container is limited by the priority upper limit set in the configuration file, so that a lightweight secure container design is realized on the embedded real-time operating system.
5. The design method for realizing a lightweight secure container based on an embedded real-time operating system according to claim 4, wherein: the secure container name is configured as the hostname; the CPU run-time configuration of the secure container is realized by limiting the highest priority usable when a thread is created and the highest ceiling priority usable when a mutex is created; the memory configuration allows at most 32MB of memory; the kernel object configuration covers kernel objects of the mutex, msgqueue and semaphore types; the disk space configuration supports disk space of the tpsfs and yaffs types and at least 163840MB of disk space; the file path mapping configuration supports mapping the root directory of the secure container to the root directory of a secure container file system, realizing file storage isolation of the secure container; the shell command permission configuration consists of configuration items such as ls = x and shutdown = no, where ls = x means that the secure container may execute the ls command through the system or pop function and shutdown = no means that the secure container cannot execute the shutdown command; the shell command permission configuration comes from the secure container configuration file, which is in INI format, is stored in the root directory of the secure container file system, and cannot be modified while the secure container is running.
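As an added illustration of the INI-format shell command permission configuration and the memory quota described in claim 5 (example code written for this page, not code from the patent or from the operating system it describes), the C functions below parse such a configuration and apply a default-deny check before a command is handed to system()/popen(). The [container] and [shell] section names and the memory key are assumptions; the ls = x and shutdown = no items and the 32MB ceiling come from the claim.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#define MAX_RULES  16
#define MEM_CAP_MB 32                    /* memory quota ceiling stated in claim 5 */

struct shell_rule    { char cmd[32]; char mode[8]; };          /* e.g. "ls" -> "x" */
struct container_cfg { int mem_mb; struct shell_rule rules[MAX_RULES]; int nrules; };

/* Constructed sample configuration (not from the patent); the section names are assumed. */
static const char SAMPLE_CFG[] =
    "[container]\nhostname = sensor-a\nmemory = 16\n"
    "[shell]\nls = x\nshutdown = no\n";

static char *trim(char *s)               /* strip blanks at both ends, in place */
{
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    while (isspace((unsigned char)*s)) s++;
    return s;
}

/* Parse INI text into cfg. Returns 0 on success, -1 on a malformed line or when the
 * memory quota exceeds MEM_CAP_MB. Keys outside [shell] other than "memory" are ignored. */
int cfg_parse(const char *text, struct container_cfg *cfg)
{
    char buf[1024], *line, *eq, *k, *v;
    int in_shell = 0;
    memset(cfg, 0, sizeof *cfg);
    snprintf(buf, sizeof buf, "%s", text);
    for (line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        line = trim(line);
        if (*line == '\0' || *line == ';') continue;                    /* blank / comment */
        if (*line == '[') { in_shell = !strcmp(line, "[shell]"); continue; }
        if (!(eq = strchr(line, '='))) return -1;
        *eq = '\0'; k = trim(line); v = trim(eq + 1);
        if (in_shell) {                                                 /* "<cmd> = x|no" */
            if (cfg->nrules == MAX_RULES) return -1;
            snprintf(cfg->rules[cfg->nrules].cmd, 32, "%s", k);
            snprintf(cfg->rules[cfg->nrules++].mode, 8, "%s", v);
        } else if (!strcmp(k, "memory")) cfg->mem_mb = atoi(v);
    }
    return cfg->mem_mb > MEM_CAP_MB ? -1 : 0;
}

/* Default deny: cmd may run via system()/popen() only if a rule "<cmd> = x" exists. */
int cfg_shell_allowed(const struct container_cfg *cfg, const char *cmd)
{
    for (int i = 0; i < cfg->nrules; i++)
        if (!strcmp(cfg->rules[i].cmd, cmd)) return !strcmp(cfg->rules[i].mode, "x");
    return 0;
}
```

A command that has no configuration item is refused, so a configuration file that only lists allowed commands behaves the same as one that spells out every denial.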
6. The design method for realizing a lightweight secure container based on an embedded real-time operating system according to claim 1, wherein: the permissions and behaviour of the application program in the secure container are controlled, and the secure container performs two mapping operations on the kernel TEXT section and the kernel DATA section in the memory management unit supported by each processor architecture realized by the operating system;
the first mapping is carried out according to the kernel-mode access permissions: the system TEXT section is read-only and executable in kernel mode, the system DATA section is readable and writable in kernel mode, and both the system TEXT section and the system DATA section are inaccessible in user mode;
the second mapping is carried out according to the user-mode access permissions: in user mode the system TEXT section is given execute permission for the part of the kernel-provided system call interface pages that are generated, and in user mode the system DATA section is given read-only permission for the kernel-provided global variable pages that have read-only permission.
7. The design method for realizing a lightweight secure container based on an embedded real-time operating system according to claim 1, wherein: the image of the secure container is a zip package of the secure container configuration file and the file system tree, and the image management functions provided by the secure container comprise secure container installation, secure container deletion, secure container packaging and secure container upgrading;
secure container installation decompresses the container image zip package to a path with the unzip command, which installs the secure container;
secure container deletion, after the secure container has exited, formats the disk partition of the secure container with the mkfspath command or deletes the root directory of the secure container with the rm command;
secure container packaging packs the file system tree of the secure container into a secure container image zip package with the zip command;
and secure container upgrading decompresses the zip package of the secure container patch image, with the unzip command, to the path where the other secure containers are located.
CN202210036215.3A 2022-01-13 2022-01-13 Design method for realizing lightweight safety container based on embedded real-time operating system Pending CN114491507A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210036215.3A CN114491507A (en) 2022-01-13 2022-01-13 Design method for realizing lightweight safety container based on embedded real-time operating system
PCT/CN2022/079239 WO2023133990A1 (en) 2022-01-13 2022-03-04 Design method for implementing lightweight secure container on the basis of embedded real-time operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210036215.3A CN114491507A (en) 2022-01-13 2022-01-13 Design method for realizing lightweight safety container based on embedded real-time operating system

Publications (1)

Publication Number Publication Date
CN114491507A true CN114491507A (en) 2022-05-13

Family

ID=81511358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210036215.3A Pending CN114491507A (en) 2022-01-13 2022-01-13 Design method for realizing lightweight safety container based on embedded real-time operating system

Country Status (2)

Country Link
CN (1) CN114491507A (en)
WO (1) WO2023133990A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116737445B (en) * 2023-08-14 2023-10-27 南京翼辉信息技术有限公司 Control method for realizing resource isolation by using pseudo container

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190258782A1 (en) * 2017-06-12 2019-08-22 Daniel Maurice Lerner Securing temporal digital communications via authentication and validation for wireless user and access devices with securitized containers
CN110471647A (en) * 2019-08-13 2019-11-19 上海航天计算机技术研究所 Embedded partitions operating system and its design method based on microkernel architecture
CN111857951A (en) * 2020-07-07 2020-10-30 海尔优家智能科技(北京)有限公司 Containerized deployment platform and deployment method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6026402A (en) * 1998-01-07 2000-02-15 Hewlett-Packard Company Process restriction within file system hierarchies
CN101226487B (en) * 2008-01-30 2010-06-02 中国船舶重工集团公司第七〇九研究所 Method for implementing inner core level thread library based on built-in Linux operating system
US8271557B1 (en) * 2009-04-20 2012-09-18 Xilinx, Inc. Configuration of a large-scale reconfigurable computing arrangement using a virtual file system interface
CN108733455B (en) * 2018-05-31 2020-08-18 上海交通大学 Container isolation enhancing system based on ARM TrustZone

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李孝成: "SylixOS支持的安全容器功能概述", 《单片机与嵌入式系统应用》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115098227A (en) * 2022-08-24 2022-09-23 中诚华隆计算机技术有限公司 Method and device for updating dynamic information of security equipment
CN115756743A (en) * 2022-11-21 2023-03-07 南京翼辉信息技术有限公司 Method and device for generating container mirror image file, computer equipment and storage medium
CN116932146A (en) * 2023-07-25 2023-10-24 北京凯思昊鹏软件工程技术有限公司 Method and system for realizing containerization of small embedded system
CN116932146B (en) * 2023-07-25 2024-07-19 北京凯思昊鹏软件工程技术有限公司 Method and system for realizing containerization of small embedded system

Also Published As

Publication number Publication date
WO2023133990A1 (en) 2023-07-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220513