GB2568967A - Software container application encryption - Google Patents

Software container application encryption Download PDF

Info

Publication number
GB2568967A
GB2568967A GB1720176.5A GB201720176A GB2568967A GB 2568967 A GB2568967 A GB 2568967A GB 201720176 A GB201720176 A GB 201720176A GB 2568967 A GB2568967 A GB 2568967A
Authority
GB
United Kingdom
Prior art keywords
application
container
path
security component
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB1720176.5A
Other versions
GB2568967B (en
GB201720176D0 (en
Inventor
El-Moussa Fadi
Sajjad Ali
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
British Telecommunications PLC
Original Assignee
British Telecommunications PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by British Telecommunications PLC filed Critical British Telecommunications PLC
Priority to GB1720176.5A priority Critical patent/GB2568967B/en
Publication of GB201720176D0 publication Critical patent/GB201720176D0/en
Publication of GB2568967A publication Critical patent/GB2568967A/en
Application granted granted Critical
Publication of GB2568967B publication Critical patent/GB2568967B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/61Installation
    • G06F8/63Image based installation; Cloning; Build to order
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/61Installation

Abstract

This application is for a method of securing an application executing in a software container 296. It works by having an agent 240 identify an application executing in the container 302. It then determines the application code path 306, which is the location in the container data store 299 where the code for the application at least partially resides. It then generates an application encryption key 308, and then determines a data path for the application 310. It then securely communicates 312 an identifier of the container, the application code path, data path and encryption key 314 to a security component 250. It then securely receives from the security component one or more access control rules 316, 318, defining the components authorised to access the application. It then encryptions the application code and data paths using the generated key 320, and then provides access to the application in accordance with the access control rules by sharing the key with authorised accessors 322.

Description

Software Container Application Encryption
The present invention relates to the security of applications within software containers. In particular, it relates to encryption for software applications in containers.
Software services deployments are increasingly employing operating system functions providing process and namespace isolation. Such isolation allows the containment and execution of application environments in a common base operating system so providing for shared operating system and hardware resources such as kernel, libraries, processor, storage and the like. An example of this approach is the software tool known as “Docker” that employs the Linux operating system-level virtualisation “LXC” (Linux Containers) to provide isolated software application containers executing in a base Linux operating system. Each container can include software applications, libraries and other resources and containers can be shared for installation on other computer systems. This approach provides many benefits over traditional machine virtualisation which requires the instantiation of complete virtualised computing systems in each virtual machine so duplicating common resources.
Containers are increasingly used to package and distribute standardised applications for execution on potentially disparate configurations of a computer operating system. Containers can contain nested containers each of which can be adapted, replaced or removed and new containers may be added. For example, a web application may be formed in a container having a sub-container of particular operating system libraries required, a sub-container for a standardised image of a database installation (such as MySQL), a sub-container for a standardised image of a web server installation etc. Any reconfiguration of any of these subcontainers will result in a new container. Thus, deployment of applications by container will result in variants of an original container shared between, and installed upon, one or more computer systems.
The variability of the container content introduces new security challenges. In particular, the inability to depend on a standardised size, content, checksum or arrangement of the application container precludes many integrity verification or malicious activity detecting mechanisms. The need to control undesirable behaviour such as malicious performance by software is particularly acute where the software executes in a shared computing system with a common operating system kernel, common processor(s), common memory and other common resources. For example, denial of service could arise where one container performs such as to consume resource to the detriment or exclusion of other applications or containers executing in the computer system.
Furthermore, access control for containers and security of applications and data stored in containers can be a priority. Whole container encryption is known but requires that all application and/or data components within the container are encrypted together.
Thus, it is desirable to provide containerised computer system architectures while alleviating the aforementioned challenges.
The present invention accordingly provides, in a first aspect, a computer implemented method of securing an application executing in a software container deployed in a computer system, the method comprising: identifying at least one application executing in the container; determining an application installation path for the application as a location in a container data storage facility at which the code for the application at least partially resides; generating an encryption key for the application; determining a data path for the application as a location in the container data storage facility at which data processed or generated by the application at least partially resides; securely communicating an identifier of the container, the application path, the data path and the generated encryption key for secure storage by a security component external to the container; securely receiving, from the security component, one or more access control rules defining computing components authorised to access the application; encrypting the application path and the data path using the generated key; and providing access to the application selectively in accordance with the access control rules by sharing the encryption key with authorised accessors.
Preferably, the software container is a software process executable in an operating system of a computer system in which operating system software processes are prevented from accessing resources of other second processes executing in the operating system.
Preferably the method further comprises: periodically securely receiving updates to the access control rules from the security component, and responsive to receiving updated rules providing access to the application selectively in accordance with the updated rules.
Preferably the method further comprises: in response to a restart, redeployment or resumption of execution of the container following a cessation of execution, generating a new key for the application and re-encrypting the application path and the data path using the new key.
Preferably the method further comprises securely communicating the new key to the security component.
Preferably, the new key is generated based on an exclusive OR operation applied to a combination of the previous key, a time of recommencement of execution of the container and an identifier of the container, and the method further comprising communicating the time of recommencement to the security component so as to permit the security component to separately determine the new key.
The present invention accordingly provides, in a second aspect, a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
The present invention accordingly provides, in a third aspect, a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of the method set out above.
Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 is a block diagram a computer system suitable for the operation of embodiments of the present invention;
Figure 2 is a component diagram of an arrangement for securing an application executing in a software container in a computer system according to embodiments of the present invention; and
Figure 3 is a flow diagram of a method for securing the application according to embodiments of the present invention.
Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.
Software applications executing in software containers in computer systems and data associated with such applications are exposed to the threat of unauthorised or malicious access by third parties, other applications, containers, privileged users (such as root users) or other computing components. Container encryption offers some protection but this is at the expense of the flexibility of containers to execute potentially multiple different applications each having different access control provisions. Embodiments of the present invention provide application specific encryption and access control such that potentially multiple applications executing in a single deployed software container can be secured differently (using different encryption keys) and, thus, access control can be more granular on a perapplication basis.
Figure 2 is a component diagram of an arrangement for securing an application executing in a software container in a computer system according to embodiments of the present invention. A container host 200 is provided as a computing environment suitable for deployment and execution of software containers. For example, the container host 200 can be a physical, virtual or combination computer system and may be communicatively connected with one or more other computer systems via one or more network connections such as wired or wireless network connections including connections via an intermediate network such as a wide area network or the internet.
The container host 200 includes a kernel providing computing facilities such as access to processing, storage, memory and input/output (I/O) interfaces of a computer system constituting the container host 200. Further, an operating system having, being interfaced with, provided with or operable with a container management system 220 is provided that provides isolation between software processes executing therein such as application container 296. For example, the container host 200 can include a container manager executed at least in part by an operating system 220 for receiving, installing and executing software containers. An example of such a container manager is Docker such as the Docker Engine that includes one or more daemon processes for interface by a Docker client through which the Docker Engine is instructed to retrieve and instantiate software containers. The Docker architecture is described in detail at docs.docker.com and in the document “Understanding the architecture” at “docs.docker.com/engine/understanding-docker”. The operating system 220, in conjunction with a container manager, thus provide isolation between software processes such that two processes cannot access each other’s resources. Such isolation could take a number of forms, such as namespace isolation, address space isolation or the like. All processes execute in the common operating system and on the common computer system 200 so avoiding duplication and redundancy as can be the case in fully virtualised environments employing, for example, a hypervisor.
Examples of resources that are isolated between processes executing in the operating system and are therefore not accessible between processes include, inter alia: processing resources; storage resource; and input/output resources. For example, resources to which access is prevented between isolated processes can include: threads of execution; tasks executing; memory and/or address space; data stores such as data storage devices;
libraries, utilities, functions and procedures; network protocols; network connections and facilities; network ports; stack data structures; heap data structures; peripheral devices; and input/output devices such as displays, user interface devices, printers and the like.
Preferably the process isolation provided by the container management system includes namespace isolation where processes or groups of processes are separated such that resources of other processes or groups are not accessible. Such a facility can be combined with, for example, the Linux “cgroups” (control groups) facility for isolating the resource usage of one or more processes. Thus, in use, the computer system 200 executes processes such as application container 296 providing isolation therebetween.
Notably, while the container management system provides isolation between containers as hereinbefore described, containers may still be capable of intercommunication such as by way of network connections or the like between the processes in the same way as unrelated and isolated computer systems can communicated via a network if configured and permitted to do so. Such communication is not necessarily precluded by the operating system. Rather it is the execution environment - the process, task, memory, storage, input/output resources and the like for which isolation is effected.
The instantiation of a software container will now be briefly described. A container definition is received by a container manager for instantiation, installation and/or execution in the container host 200. The container definition is a software component for execution as an isolated process in the operating system 220. For example, the container definition can be a Docker container obtained from a container repository such as the Docker Hub. The container definition can be an image or template from which a container can be instantiated by or with the container manger for execution as one or more processes in the operating system 220. For example, the container definition can include a definition, identification or specification of one or more parts including nested containers, software applications, services, functions, libraries, drivers and the like. For example, a union file system can be employed to provide a single image of an application or process where multiple file system directories corresponding to different applications are represented in a combined form to provide a merged image of multiple parts of a container.
An exemplary instantiated container 296 is illustrated. Once instantiated, the container 296 executes in the operating system 220 of the container host 200 and one or more applications 298 executed therein, enjoying the protections and isolations of the container environment.
The container 296 provides isolated data storage 299 for applications. The data store can be a virtualised storage and is suitable for storing application code and data, such as executable files, libraries, configuration scripts and the like for the application 298, along with data to be processed by or data generated by the application 298.
The operating system 220 further includes an agent 240 as a software component configured to operate in a privileged mode of operation with the operating system 220 and the container management system. The agent 240 is capable of accessing containers instantiated in the container host 200, to read and write to storage of such containers. In some embodiments, the agent 240 is also capable of accessing configuration information for containers so as to identify applications executing or installed therein. In use, the agent 240 determines the applications installed and/or executing in containers of the container host 200 in order to provide security facilities for those applications on a per-application basis, such as encryption and access control.
The agent 240 is operable in communication with a security component 250 as a hardware, software, firmware or combination component arranged to manage access control rules for applications executing in containers within the container host 200. The security component 250 can be a physical or virtualised computing device or a software application executing on such a device. In one embodiment the security component 250 is provided external to the container host 200 such that, for example, the security component 250 may be operated with potentially multiple container hosts. In such embodiments, communication between the security component 250 and the agent 240 can be provided via a network connection, for example. In one embodiment the security component 250 is provided within the container host 200 as, for example, a component or application executing in the operating system 220 or as a function of the kernel 230. In all configurations, communications between the agent 240 and the security component 250 can be secure communications such as encrypted communications.
The arrangement of Figure 2 will now be considered in use with reference to Figure 3. Figure 3 is a flow diagram of a method for securing the application 298 of Figure 2 according to embodiments of the present invention. Initially, at step 302, the agent 240 identifies applications executing in the container 296. This identification can be made based on application information 304 provided by or available from the container 296. Alternatively, the identification can be made by the agent 240 proactively monitoring, scanning, searching or processing the container 296 or configuration information for the container 296 such as by accessing the store 299 of the container, one or more registries of the container 299, a process list of the container 299 or the like. Subsequently, at step 306, an application code path for the application is determined. The application code path is a location in the store 299 of the container 296 at which the application code is at least partially stored, such as application executable files, scripts, libraries, configuration files and the like. The location of the application code path can be determined, for example, either with reference to application or container configuration information or by scanning the store 299 of the container 296. At step 308 the agent 240 generates an encryption key specific to the application 298. At step 310 the agent 240 determines an application data path for the application 298 as a location in the container store 299 at which data processed or generated by the application 296 is at least partially stored. The location of the data path can be identified using techniques similar to that for the application code path.
At step 312 the agent 240 securely communicates an identifier of the container 296, the application code path, the application data path and the generated encryption key to the security component 250. On the basis of the information supplied, the security component 250 securely communicates one or more access control rules 318 for the application 298 to the agent 240 at step 316. The access control rules define entities such as software, hardware, firmware, combination components or, indeed, users, computer systems, containers, applications and the like that are authorised and/or not authorised to access the application 298 in the container 296. Such rules can be determined based on a profile, such as a security profile, defined for any of the application 298, container 296, or container host 200. For example, such rules can be defined by an operator of the security component 250.
At step 320 the agent 240 encrypts the application using the generated key. The application is encrypted by encrypting the data stored at the application code path and the data stored at the application data path. In this way access to the application (both code and data) is protected. Subsequently, at step 322, the agent 240 provides access control for the application 298 in the container 296 by providing or precluding access by requesting entities based on the access control rules.
Preferably, the agent 240 is further responsive to periodically securely receive updates to the access control rules from the security component, such updates being reflected by the agent 240 and effected in its provision of the access control service.
Where execution of the container is interrupted or ceases, such as by the container being actively or incidentally terminated, a restart, redeployment or other resumption of execution of the container will ensue. In a preferred embodiment, such an occurrence results in the generation of a new encryption key for the application by the agent 240 and a re-encryption of the application (both the code and data paths) using the new key. Accordingly, in such embodiments, the new key can be securely communicated to the security component 250.
Alternatively, the new key can be generated based on the former key, such as by an exclusive or operation of each of: the former key; an identifier of the container 296; and a time of the resumption of the container execution. In such a embodiments there may be no need to communicate the new key to the security component but instead only to communicate the time of resumption in order that the security component can determine the new key independently.
Insofar as embodiments of the invention described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present invention. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilises the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present invention. It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention. The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.

Claims (8)

1. A computer implemented method of securing an application executing in a software container deployed in a computer system, the method comprising:
identifying at least one application executing in the container;
determining an application installation path for the application as a location in a container data storage facility at which the code for the application at least partially resides;
generating an encryption key for the application;
determining a data path for the application as a location in the container data storage facility at which data processed or generated by the application at least partially resides;
securely communicating an identifier of the container, the application path, the data path and the generated encryption key for secure storage by a security component external to the container;
securely receiving, from the security component, one or more access control rules defining computing components authorised to access the application;
encrypting the application path and the data path using the generated key; and providing access to the application selectively in accordance with the access control rules by sharing the encryption key with authorised accessors.
2. The method of claim 1 wherein the software container is a software process executable in an operating system of a computer system in which operating system software processes are prevented from accessing resources of other second processes executing in the operating system.
3. The method of any preceding claim further comprising: periodically securely receiving updates to the access control rules from the security component, and responsive to receiving updated rules providing access to the application selectively in accordance with the updated rules.
4. The method of any preceding claim further comprising:
in response to a restart, redeployment or resumption of execution of the container following a cessation of execution, generating a new key for the application and re-encrypting the application path and the data path using the new key.
5. The method of claim 4 further comprising securely communicating the new key to the security component.
6. The method of claim 4 wherein the new key is generated based on an exclusive OR operation applied to a combination of the previous key, a time of recommencement of execution of the container and an identifier of the container, and the method further comprising communicating the time of recommencement to the security component so as to
5 permit the security component to separately determine the new key.
7. A computer system including a processor and memory storing computer program code for performing the steps of any preceding claim.
10
8. A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 6.
GB1720176.5A 2017-12-04 2017-12-04 Software container application encryption Active GB2568967B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB1720176.5A GB2568967B (en) 2017-12-04 2017-12-04 Software container application encryption

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1720176.5A GB2568967B (en) 2017-12-04 2017-12-04 Software container application encryption

Publications (3)

Publication Number Publication Date
GB201720176D0 GB201720176D0 (en) 2018-01-17
GB2568967A true GB2568967A (en) 2019-06-05
GB2568967B GB2568967B (en) 2020-06-24

Family

ID=60950163

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1720176.5A Active GB2568967B (en) 2017-12-04 2017-12-04 Software container application encryption

Country Status (1)

Country Link
GB (1) GB2568967B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE2050617A1 (en) * 2020-05-29 2021-11-02 Christian Gehrmann Generation of container protection profiles

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170124320A1 (en) * 2015-11-02 2017-05-04 Red Hat, Inc. Enabling resource access for secure application containers
US20170300697A1 (en) * 2016-04-13 2017-10-19 International Business Machines Corporation Enforcing security policies for software containers
GB2550178A (en) * 2016-05-11 2017-11-15 British Telecomm Software container access control

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170124320A1 (en) * 2015-11-02 2017-05-04 Red Hat, Inc. Enabling resource access for secure application containers
US20170300697A1 (en) * 2016-04-13 2017-10-19 International Business Machines Corporation Enforcing security policies for software containers
GB2550178A (en) * 2016-05-11 2017-11-15 British Telecomm Software container access control

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE2050617A1 (en) * 2020-05-29 2021-11-02 Christian Gehrmann Generation of container protection profiles
SE544020C2 (en) * 2020-05-29 2021-11-02 Christian Gehrmann Generation of container protection profiles
WO2021242160A1 (en) * 2020-05-29 2021-12-02 Christian Gehrmann Generation of container protection profiles

Also Published As

Publication number Publication date
GB2568967B (en) 2020-06-24
GB201720176D0 (en) 2018-01-17

Similar Documents

Publication Publication Date Title
US11461460B2 (en) Software container application encryption
US11171933B2 (en) Logic repository service using encrypted configuration data
CN107977573B (en) Method and system for secure disk access control
KR101152227B1 (en) Method for providing computing environment for client
US8397245B2 (en) Managing loading and unloading of shared kernel extensions in isolated virtual space
US11151244B2 (en) Software container profiling
US10007534B2 (en) Methods and apparatus to manage asset capabilities in a computing environment using a common agent framework
US11151268B2 (en) Software container access control
US8527989B2 (en) Tracking loading and unloading of kernel extensions in isolated virtual space
US10146942B2 (en) Method to protect BIOS NVRAM from malicious code injection by encrypting NVRAM variables and system therefor
US8448169B2 (en) Managing unique electronic identification for kernel extensions in isolated virtual space
CN114402295A (en) Secure runtime system and method
GB2550178A (en) Software container access control
GB2568967A (en) Software container application encryption
US20230114687A1 (en) Self-deploying encrypted hard disk, deployment method thereof, self-deploying encrypted hard disk system and boot method thereof
EP4182826B1 (en) A method of attesting a state of a computing environment
EP3408779B1 (en) Disk encryption
WO2022013244A1 (en) A storage module for storing a data file and providing its hash
GB2550177A (en) Software container profiling
WO2022013238A1 (en) Computing device for establishing a trusted execution environment