CN-121996361-A - Lightweight trusted container sandbox construction method, system, terminal and medium
Abstract
The invention discloses a lightweight trusted container sandbox construction method, system, terminal and medium, relating to the technical field of trusted computing. The technical scheme comprises the following steps: constructing a very simple container basic environment; integrating a built-in trusted measurement mechanism; realizing kernel-level static measurement; realizing user-state dynamic measurement; and constructing trusted sandbox isolation. By creating the container image in rootfs form under the system environment, greatly simplifying the system components, building a hardware-level trusted root, realizing full-link trusted measurement and the like, the invention solves the problems of the prior container technology, such as insufficient security, insufficient isolation, a missing trusted mechanism, high resource consumption and large system overhead, and achieves high security, high reliability and lightweight deployment of the container environment.
Inventors
- LIU YI
- WU HUAIGU
- ZHANG NANXIN
- ZHA MING
Assignees
- 天府绛溪实验室
Dates
- Publication Date: 20260508
- Application Date: 20260410
Claims (10)
- 1. A construction method for a lightweight trusted container sandbox, characterized by comprising the following steps: constructing a very simple container basic environment, wherein the very simple container basic environment is realized by constructing rootfs under a virtual machine environment of a system, the rootfs only reserves core components necessary for container operation, removes unnecessary system services, drivers and/or device files, compiles the core components by adopting static links and simplifies a system call interface; integrating a built-in trusted measurement mechanism, wherein the built-in trusted measurement mechanism comprises integrating a hardware-level trusted root, performing whitelist scanning on container files and establishing a file integrity baseline; realizing kernel-level static measurement, wherein the kernel-level static measurement comprises trusted measurement and static whitelist verification of the container startup process; realizing user-state dynamic measurement, wherein the user-state dynamic measurement comprises real-time monitoring and measurement of files, directories and processes in a container; and constructing trusted sandbox isolation, wherein the trusted sandbox isolation realizes multidimensional isolation of computation, network and storage based on a hardware virtualization technology, and dynamically adjusts an isolation strategy by combining a trusted measurement result.
- 2. The method for constructing a lightweight trusted container sandbox according to claim 1, wherein said constructing a very simple container basic environment specifically comprises: creating a minimized rootfs directory structure through a rootfs construction unit, containing only the necessary system directories, copying binary files and libraries, compiling core components by adopting static links, creating necessary device files and configuring minimized system configuration files; removing unnecessary system services, drivers and/or device files through a system component reduction unit, and limiting system calls through seccomp filters; and designing, through a lightweight container runtime unit, a runtime supporting hardware trusted measurement, integrating hardware virtualization support, optimizing the startup flow and pre-allocating resources.
- 3. The method for constructing a lightweight trusted container sandbox according to claim 1, wherein said integrating a built-in trusted measurement mechanism specifically comprises: integrating a trusted platform module as a hardware trusted root through a hardware trusted root integration unit, initializing the trusted platform module and configuring a communication mechanism between the trusted platform module and the container runtime; and scanning all files in the container construction process through a container file whitelist scanning unit, calculating hash values, recording permissions and timestamps, establishing a file integrity baseline to form a whitelist, and supporting dynamic updating of the whitelist and signature verification.
- 4. The method for constructing a lightweight trusted container sandbox according to claim 1, wherein said realizing kernel-level static measurement specifically comprises: verifying the image signature and integrity during the container startup process through a startup-process trusted measurement unit, measuring the key startup steps and storing the results in a platform configuration register to realize remote attestation; and carrying out static whitelist verification on the executable files, dynamic libraries and configuration files in the container through a static whitelist verification unit, and supporting national encryption algorithm signature verification and certificate management.
- 5. The method for constructing a lightweight trusted container sandbox according to claim 1, wherein said realizing user-state dynamic measurement specifically comprises: monitoring file creation, modification and deletion operations in user mode through a file-level dynamic measurement unit, measuring in real time, comparing with the whitelist, intercepting unauthorized operations and raising alarms; monitoring access to key directories through a directory-level dynamic measurement unit, implementing directory permission control and a whitelist mechanism, and recording permission changes; and monitoring the creation, execution and termination of processes through a process-level dynamic measurement unit, verifying process permissions, measuring process memory regularly and detecting abnormalities.
- 6. The method for constructing a lightweight trusted container sandbox according to claim 1, wherein said constructing trusted sandbox isolation specifically comprises: allocating an independent virtual CPU, memory, network card and storage space to the container based on the hardware virtualization technology through a multidimensional isolation mechanism unit, so that isolation of computing, network and storage resources and policy control are realized; and dynamically adjusting the isolation strategy through a trusted enhancement isolation unit in combination with the trusted measurement result, isolating untrusted containers, providing secure terminal access, limiting file transmission, and recording operation logs.
- 7. The method for constructing a lightweight trusted container sandbox of claim 1, further comprising: providing secure terminal access to the container through a secure terminal access unit, limiting file transmission and copy-paste operations, and recording a terminal operation log; supporting hardware key devices through a hardware key integration unit so as to realize data access control; and realizing full-link remote trusted verification of the container environment through a remote attestation unit, and supporting the generation and verification of attestation reports.
- 8. A lightweight trusted container sandbox construction system for implementing a lightweight trusted container sandbox construction method as claimed in any one of claims 1 to 7, comprising: a container environment construction module configured to construct a very simple container basic environment, wherein the very simple container basic environment is realized by constructing rootfs under a virtual machine environment of a system, the rootfs only reserves core components necessary for container operation, removes unnecessary system services, drivers and/or device files, compiles the core components by adopting static links and simplifies a system call interface; a built-in measurement integration module configured to integrate a built-in trusted measurement mechanism, wherein the built-in trusted measurement mechanism comprises integrating a hardware-level trusted root, performing whitelist scanning on container files and establishing a file integrity baseline; a kernel measurement realization module configured to realize kernel-level static measurement, wherein the kernel-level static measurement comprises trusted measurement and static whitelist verification of the container startup process; a user measurement realization module configured to realize user-state dynamic measurement, wherein the user-state dynamic measurement comprises real-time monitoring and measurement of files, directories and processes in a container; and a sandbox isolation construction module configured to construct trusted sandbox isolation, wherein the trusted sandbox isolation realizes multidimensional isolation of computation, network and storage based on a hardware virtualization technology, and an isolation strategy is dynamically adjusted by combining a trusted measurement result.
- 9. A computer terminal comprising a memory, a processor and a computer program stored in the memory and operable on the processor, wherein the processor implements a lightweight trusted container sandbox construction method as claimed in any one of claims 1 to 7 when executing the computer program.
- 10. A computer readable medium having stored thereon a computer program, wherein execution of the computer program by a processor implements a lightweight trusted container sandbox construction method as claimed in any one of claims 1 to 7.
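The whitelist baseline of claim 3, the whitelist comparison of claim 5 and the PCR storage of claim 4, sketched as an added example that is not part of the patent text or the applicant's implementation. SHA-256, the function names and the sample files are assumptions, and the PCR is simulated in software rather than read from a TPM.

```python
import hashlib, tempfile
from pathlib import Path

def build_baseline(rootfs):
    """Whitelist: relative path -> (SHA-256 hex, permission bits, mtime)."""
    baseline = {}
    for p in sorted(Path(rootfs).rglob("*")):
        if p.is_file() and not p.is_symlink():
            st, digest = p.stat(), hashlib.sha256(p.read_bytes()).hexdigest()
            rel = p.relative_to(rootfs).as_posix()
            baseline[rel] = (digest, st.st_mode & 0o7777, int(st.st_mtime))
    return baseline

def verify(rootfs, baseline):
    """Compare the live rootfs with the whitelist (mtime is audit data only)."""
    current, findings = build_baseline(rootfs), []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None or new is None:
            findings.append((rel, "missing" if new is None else "not-whitelisted"))
        elif old[0] != new[0]:
            findings.append((rel, "hash-mismatch"))
        elif old[1] != new[1]:
            findings.append((rel, "mode-changed"))
    return findings

def boot_pcr(baseline, boot_order):
    """Simulated PCR (no TPM): start at zeros, PCR = SHA-256(PCR || digest)."""
    pcr = bytes(32)
    for rel in boot_order:
        pcr = hashlib.sha256(pcr + bytes.fromhex(baseline[rel][0])).digest()
    return pcr.hex()

def demo():
    """Constructed rootfs: baseline it, change it, report the deviations."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode=0o644):
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            p.chmod(mode)
        put("bin/init", b"init-v1")
        put("etc/app.conf", b"mode=prod")
        baseline, order = build_baseline(root), ["bin/init", "etc/app.conf"]
        put("bin/init", b"init-v2")               # content change
        put("etc/app.conf", b"mode=prod", 0o666)  # permission change only
        put("bin/extra", b"x")                    # file absent from the whitelist
        live_pcr = boot_pcr(build_baseline(root), order)
        return verify(root, baseline), boot_pcr(baseline, order) != live_pcr
```

Because each extend folds the previous register value into the next, the simulated PCR depends on both the content and the order of the measured files, which is what lets a verifier detect a changed startup sequence from a single value.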
Description
Lightweight trusted container sandbox construction method, system, terminal and medium
Technical Field
The invention relates to the technical field of trusted computing, in particular to a lightweight trusted container sandbox construction method, system, terminal and medium.
Background
Container technology is an operating-system-level virtualization technology. By packaging an application program and all of its dependencies into a standardized container image, it decouples the application from the underlying operating system and hardware. The container image can be rapidly deployed in any environment that supports running containers, forming independent and isolated running units and ensuring consistency of the application across development, test and production environments. Current container technology (such as Docker, Kubernetes and the like) has the following defects in data security and privacy protection:
1) Poor image security: the traditional container image is usually built on an official base image and contains a large number of unnecessary components and dependencies, which increases the image volume and enlarges the attack surface. In the domestic system environment in particular, many systems do not provide an official container image, so the image source is uncontrollable and poses potential security risks. At the same time, the image is huge, startup is slow and resource occupation is high.
2) Insufficient isolation: traditional container technology realizes isolation based on the namespaces and cgroups of the Linux kernel, but the host kernel is shared, so there is a risk of container escape and the requirements of high-security scenarios cannot be met.
3) Lack of a trusted mechanism: existing container technology lacks a full-link trusted measurement mechanism from hardware to application, and cannot ensure the integrity of the container environment or runtime security.
Therefore, researching and designing a lightweight trusted container sandbox construction method, system, terminal and medium capable of overcoming the above defects is a problem that currently needs to be solved.
Disclosure of Invention
In order to overcome the defects in the prior art, the invention aims to provide a lightweight trusted container sandbox construction method, system, terminal and medium. By creating a container image in rootfs form under a system environment, greatly simplifying system components, constructing a hardware-level trusted root, realizing full-link trusted measurement and the like, the invention solves the problems of the prior container technology, such as insufficient image security, insufficient isolation, a missing trusted mechanism, high resource consumption and high system overhead, and realizes high-security, high-reliability and lightweight deployment of the container environment. The method can be widely applied to scenarios such as enterprise joint research and development, AI model training and inference, trusted data spaces and the like, and has obvious security and performance advantages and commercial application value.
The technical aim of the invention is realized by the following technical scheme. In a first aspect, a method for constructing a lightweight trusted container sandbox is provided, including the following steps:
- constructing a very simple container basic environment, wherein the very simple container basic environment is realized by constructing rootfs under a virtual machine environment of a system, the rootfs only reserves core components necessary for container operation, removes unnecessary system services, drivers and/or device files, compiles the core components by adopting static links and simplifies a system call interface;
- integrating a built-in trusted measurement mechanism, wherein the built-in trusted measurement mechanism comprises integrating a hardware-level trusted root, performing whitelist scanning on container files and establishing a file integrity baseline;
- realizing kernel-level static measurement, wherein the kernel-level static measurement comprises trusted measurement and static whitelist verification of the container startup process;
- realizing user-state dynamic measurement, wherein the user-state dynamic measurement comprises real-time monitoring and measurement of files, directories and processes in a container;
- and constructing trusted sandbox isolation, wherein the trusted sandbox isolation realizes multidimensional isolation of computation, network and storage based on a hardware virtualization technology, and d