HETCOM: Heterogeneous Container Migration Based on TEE- or TPM-established Trust
Pages 51 - 60
Abstract
In Cyber-Physical Systems such as Smart Factories, containers are an important building block. In the event of an attack, it is crucial that affected containers can be migrated to a sandboxed environment for further analysis. Containers not affected need to be moved out of reach of the attacker. In this scenario, migration procedures need strong protection, involving protocol and architectural aspects. We therefore propose HETCOM, a holistic approach to secure container migration in heterogeneous computing environments in the presence of strong attackers. HETCOM provides a portable platform architecture for cloud and edge nodes offering primitives that are leveraged by the migration protocol we propose. Additionally, container data is bound to the node's TEE on edge nodes. Thereby, HETCOM achieves secure container migration procedures and protection of sensitive container data on-transit.
References
[1]
OP-TEE Documentation - OP-TEE documentation documentation, retrieved september 20, 2023 from https://optee.readthedocs.io/en/latest/index.html, 15/09/2023.
[2]
Y. Al-Dhuraibi, F. Paraiso, N. Djarallah, and P. Merle. Autonomic Vertical Elasticity of Docker Containers with ELASTICDOCKER. pages 472--479, 2017.
[3]
Fritz Alder, Arseny Kurnikov, Andrew Paverd, and N. Asokan. Migrating SGX Enclaves with Persistent State. In 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 2018.
[4]
Jens Axboe. fio - flexible i/o tester rev. 3.36, retrieved december 22, 2023 from https://fio.readthedocs.io/en/latest/fio_doc.html, December 2023.
[5]
A. Barbalace, R. Lyerly, C. Jelesnianski, A. Carno, H. R. Chuang, V. Legout, and B. Ravindran. Breaking the Boundaries in Heterogeneous-ISA Datacenters. pages 645--659, 2017.
[6]
Gerd S. Brost, Manuel Huber, Michael Weiß, Mykolai Protsenko, Julian Schütte, and SaschaWessel. An Ecosystem and IoT Device Architecture for Building Trust in the Industrial Data Space. In Dieter Gollmann and Jianying Zhou, editors, Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, pages 39--50, New York, NY, USA, 05222018. ACM.
[7]
Dorian Burihabwa, Pascal Felber, Hugues Mercier, and Valerio Schiavoni. SGX-FS: Hardening a File System in User-Space with Intel SGX. In 2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom). IEEE, 2018.
[8]
E. Cardoso, C. C. Miers, M. A. Pillon, F. F. Redigolo, G. P. Koslovski, and IEEE. Virtual Infrastructures on the Move: Containers and Virtual Network Migration. pages 670--679, 2018.
[9]
A. Carrega and M. Repetto. Coupling energy efficiency and quality for consolidation of cloud workloads. COMPUTER NETWORKS, 174, 2020.
[10]
Intel Corporation. Crypto api toolkit for intel(r) sgx, December 2023.
[11]
D. Hein, J. Winter, and A. Fitzek. Secure Block Device -- Secure, Flexible, and Efficient Data Storage for ARM TrustZone Systems. In 2015 IEEE Trustcom/Big- DataSE/ISPA, pages 222--229, 2015.
[12]
C. Dupont, R. Giaffreda, L. Capra, and IEEE. Edge computing in IoT context: horizontal and vertical Linux container migration. pages 49--52, 2017.
[13]
GyroidOS. Overview, 23/09/2022.
[14]
Manuel Huber, Julian Horsch, Michael Velten, Michael Weiss, and Sascha Wessel. A secure architecture for operating system-level virtualization on mobile devices. In Dongdai Lin, XiaoFeng Wang, and Moti Yung, editors, Information Security and Cryptology, pages 430--450, Cham, 2016. Springer International Publishing.
[15]
Leslie Lamport. Time, clocks, and the ordering of events in a distributed system. Commun. ACM, 21(7):558--565, jul 1978.
[16]
H. L. Liang, Q. Zhang, M. Y. Li, J. Q. Li, and IEEE. Toward Migration of SGXEnabled Containers. pages 713--718, 2019.
[17]
Google LLC. Protocol Buffers Documentation, 10/03/2024.
[18]
Phoronix Media. Flexible io tester, retrieved december 22, 2023 from https://openbenchmarking.org/test/pts/fio, December 2023.
[19]
C. Puliafito, E. Mingozzi, C. Vallati, F. Longo, G. Merlino, and IEEE. Companion Fog Computing: Supporting Things Mobility through Container Migration at the Edge. pages 97--105, 2018.
[20]
rfjakob. gocryptfs: Encrypted overlay filesystem written in Go, retrieved september 19, 2023 from https://github.com/rfjakob/gocryptfs, 19/09/2023.
[21]
Lars Richter, Johannes Götzfried, and Tilo Müller. Isolating operating system components with intel sgx. In Proceedings of the 1st Workshop on System Software for Trusted Execution, SysTEX '16, New York, NY, USA, 2016. Association for Computing Machinery.
[22]
Gursharan Singh, Parminder Singh, Anas Motii, and Mustapha Hedabou. A secure and lightweight container migration technique in cloud computing. Journal of King Saud University - Computer and Information Sciences, 36(1):101887, 2024.
[23]
Mirco Soderi, Vignesh Kamath, Jeff Morgan, and John G. Breslin. Ubiquitous system integration as a service in smart factories. In 2021 IEEE International Conference on Internet of Things and Intelligence Systems (IoTaIS), pages 261--267, Nov 2021.
[24]
Radostin Stoyanov and Martin J. Kollingbaum. Efficient live migration of linux containers. In Rio Yokota, Michèle Weiland, John Shalf, and Sadaf Alam, editors, High Performance Computing, pages 184--193, Cham, 2018. Springer International Publishing.
[25]
K. Takahashi, K. Aida, T. Tanjo, J. T. Sun, and Assoc Comp Machinery. A Portable Load Balancer for Kubernetes Cluster. pages 222--231, 2018.
[26]
Apache Teaclave. Overview, 04/03/2024.
[27]
Toshihiro Uchibayashi, Bernady Apduhan, Takuo Suganuma, and Masahiro Hiji. Toward a Container Migration Data-Auditing Mechanism for Edge Computing Environment. pages 90--102. Springer, Cham, 2022.
[28]
Toshihiro Uchibayashi, Bernady Apduhan, Takuo Suganuma, and Masahiro Hiji. Experiments and evaluation of a container migration data-auditing system on edge computing environment. Computers, 12(2), 2023.
[29]
S. G. Wang, J. L. Xu, N. Zhang, and Y. J. Liu. A Survey on Service Migration in Mobile Edge Computing. IEEE ACCESS, 6:23511--23528, 2018.
[30]
Bethanie Williams, Marena Soulet, and Ambareen Siraj. A taxonomy of cyber attacks in smart manufacturing systems. In Lucia Knap?íková and Dragan Perakovi?, editors, 6th EAI International Conference on Management of Manufacturing Systems, pages 77--97, Cham, 2023. Springer International Publishing.
[31]
Tong Xing, Antonio Barbalace, Pierre Olivier, Mohamed L. Karaoui, Wei Wang, and Binoy Ravindran. H-container: Enabling heterogeneous-isa container migration in edge computing. ACM Trans. Comput. Syst., 39(1--4), jul 2022.
[32]
Bo Xu, SongWu, Jiang Xiao, Hai Jin, Yingxi Zhang, Guoqiang Shi, Tingyu Lin, Jia Rao, Li Yi, and Jizhong Jiang. Sledge: Towards efficient live migration of docker containers. In 2020 IEEE 13th International Conference on Cloud Computing (CLOUD), pages 321--328, Oct 2020.
Index Terms
- HETCOM: Heterogeneous Container Migration Based on TEE- or TPM-established Trust
Recommendations
A secure and lightweight container migration technique in cloud computing
AbstractThe present research has found that container virtualization systems are more effective and more straightforward to handle in contrast to traditional virtualization systems. The live migration processes can be substantially reduced by using ...
Enabling containerized Central Unit live migration in 5G radio access network: An experimental study
Abstract5G mobile networks have gained considerable attention and traction by offering numerous benefits such as high data rates, low latency, reliability, and application specific connectivity. To effectively achieve these milestones mobile network ...
Cross-ISA Container Migration
SYSTOR '16: Proceedings of the 9th ACM International on Systems and Storage ConferenceContainers are a convenient way of encapsulating and isolating applications. They incur less overhead than virtual machines and provide more flexibility and versatility to improve server utilization. Many new cloud applications are being written in the ...
Comments
Information & Contributors
Information
Published In
June 2024
97 pages
ISBN:9798400705557
DOI:10.1145/3643650
- Program Chairs:
- Maanak Gupta,
- Mahmoud Abdelsalam,
- Mir Pritom,
- Feras Awaysheh
Copyright © 2024 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 19 June 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- German Federal Ministry of Education and Research (BMBF)
Conference
CODASPY '24
Sponsor:
CODASPY '24: Fourteenth ACM Conference on Data and Application Security and Privacy
June 21, 2024
Porto, Portugal
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 28Total Downloads
- Downloads (Last 12 months)28
- Downloads (Last 6 weeks)28
Reflects downloads up to 26 Jul 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in