CN110046505B - Container security reinforcement method, system and storage medium - Google Patents

Publication number: CN110046505B
Authority: CN (China)
Prior art keywords: container, metric, current, value, library
Legal status (as listed by Google Patents; not a legal conclusion): Active
Application number: CN201910350168.8A
Other languages: Chinese (zh)
Other versions: CN110046505A
Inventors: 段立功, 刘峰
Current assignee (as listed by Google Patents): Lenovo Beijing Ltd
Original assignee: Lenovo Beijing Ltd

Events
  • Application filed by Lenovo Beijing Ltd
  • Priority to CN201910350168.8A
  • Publication of CN110046505A
  • Application granted
  • Publication of CN110046505B
  • Legal status: Active (current)
  • Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a container security reinforcement method, system and storage medium. While a container is running, the method measures the container and writes the resulting measurement value of each container into a container measurement library in extend mode, so that the value recorded in the library represents both the historical state and the current state of the corresponding container; in other words, the recorded measurement value is traceable. This makes it possible to detect and prevent an intruder from tampering with a container by other means, to accurately identify a tampered container, to maintain the tampered container in time, and to improve the reliability of container protection.

Description

Container security reinforcement method, system and storage medium
Technical Field
The present application relates generally to the field of communications technologies, and in particular, to a method, a system, and a storage medium for container security enforcement.
Background
Trusted computing is a technology promoted and developed by the Trusted Computing Group. It uses a Trusted Platform Module (TPM) to construct a root of trust in a computer system, establishes a chain of trust from that root, and has a security application perform measurements starting from the root of trust so that integrity can be verified and tampering detected.
Accordingly, to ensure the security and integrity of the multiple containers running on an operating system, the prior art records the corresponding operation information in an audit log whenever a container is created, restarted or deleted, and protects the integrity of the audit log with the hardware TPM of the computer device.
However, this existing container processing method usually only covers tampering carried out through normal container operation commands; it cannot detect or prevent an intruder who tampers with a container by other means, so container security is low. Moreover, because the audit log records the set of operations of all containers on the host, its recorded content cannot be used to identify which of the containers was tampered with, so container maintenance cannot be performed in a targeted manner.
Disclosure of Invention
In view of this, the present application provides a method, a system, and a storage medium for container security reinforcement, which implement measurement on each container, and update a container metric library in an extended manner, so that metric values recorded by the container metric library can represent a historical state and a current state of a corresponding container, thereby detecting and preventing a possibility that an intruder tampers with the container through other means, and further accurately identifying the tampered container, thereby improving reliability of container protection.
In order to achieve the above object, the present application provides the following technical solutions:
The application provides a container security reinforcement method, which comprises the following steps:
Under the condition that a container runs, measuring the container to obtain a current measurement value of the container, wherein the current measurement value is used for representing the current state of the container;
and writing the current measurement value of the container into a container measurement library in an expansion mode, so that the measurement values recorded by the container measurement library can represent the historical state and the current state of the corresponding container.
Optionally, the measuring the container to obtain a current metric value of the container includes:
measuring each immutable file in the container to obtain a current measurement value of the corresponding immutable file;
and calculating to obtain the current metric value of the container by using the current metric value of each immutable file.
Optionally, the measuring each immutable file of the container to obtain a current metric value of the corresponding immutable file, and calculating the current metric value of the container by using the current metric value of each immutable file includes:
calculating the current hash value of each immutable file in the container;
and calculating the sum of the current hash values of the immutable files to obtain the current hash value of the container.
Optionally, the writing of the current metric value of the container into a container metric library in an extended manner includes:
acquiring the historical metric value of the container from the container metric library;
calculating a new metric value of the container from the historical metric value and the current metric value of the container;
and replacing the historical metric value of the container in the container metric library with the new metric value of the container.
Optionally, the writing, in an extended manner, the current metric value of the container into a container metric library includes:
calling a management interface of the container metric library, sending the current metric value of the container to the container metric library management component, and writing the current metric value of the container into the container metric library in an extended manner by the container metric library management component.
Optionally, the method further includes:
under the condition of starting the computer system, carrying out integrity measurement on the computer system where the container is located to obtain an integrity measurement result;
and updating the integrity measurement result to a trusted platform.
The present application further provides a container security reinforcement system, the system comprising:
the container management component is used for measuring the container under the condition that the container runs to obtain the current measurement value of the container;
a container metric repository for storing metric values for each container deployed in the computer system;
and the container metric library management component is used for writing the current metric value of the container into a container metric library in an expansion mode.
Optionally, the container management component comprises:
a container management module, configured to start and update each container deployed in the computer system;
and a measurement module, configured to measure any container while that container is running, to obtain the current measurement value of the container.
Optionally, the system further includes:
an integrity measurement component, configured to perform integrity measurement on the computer system in which the container is located when the computer system is started, and to update the obtained integrity measurement result to the trusted platform.
The present application also provides a storage medium having stored thereon a computer program for execution by a processor to perform the steps of the container security enforcement method as described above.
Therefore, compared with the prior art, the method, system and storage medium for container security reinforcement provided by the present application measure each container while it is running and write the obtained measurement value of each container into the container measurement library in an extended manner, so that the measurement value recorded in the library represents both the historical state and the current state of the corresponding container; that is, the recorded measurement value is traceable. Based on this traceability, the possibility that an intruder tampers with a container through other tampering means can be detected and prevented, the tampered container can be accurately identified and maintained in time, and the reliability of container protection is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a schematic diagram illustrating the construction of one embodiment of a container security reinforcement system provided herein;
FIG. 2 is a schematic structural view of another embodiment of a container security reinforcement system provided herein;
FIG. 3 is a schematic flow chart illustrating an embodiment of a method for reinforcing a container according to the present disclosure;
FIG. 4 is a schematic diagram illustrating a comparison of trust chains respectively constructed by the container security strengthening method of the prior art and the container security strengthening method of the present application;
FIG. 5 is a schematic flow chart diagram illustrating another embodiment of a method for security reinforcing a container provided herein;
FIG. 6 is a schematic hardware structure diagram of an embodiment of a computer device provided in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
Referring to FIG. 1, which shows the system architecture for implementing the container security reinforcement method provided in the present application, the system may include a container management component 11, a container metric library 12, and a container metric library management component 13, where:
the container management component 11 is configured to measure each container deployed by the computer system under the condition that the container is running, and obtain a metric value of the corresponding container, where a specific implementation process may refer to the description of the method embodiment below.
In this embodiment, the container management component 11 may include a container management module 111 and a measurement module 112, where the container management module 111 may be configured to start and update each container deployed in the computer system, and the start process and the update process of the container are not described in detail in this application. The metric module 112 may be configured to perform a metric on any container to obtain a metric value for the container when the container is operating.
It can be seen that the present application may utilize the measurement module 112 to implement measurement on each container, obtain the measurement value of each container in the computer system, and then send the measurement value of the container to the container measurement library management component 13 by using an interface call.
The container metric library 12 may be configured to record metric log data for each container, where the metric log data may include information such as a container ID and the metric value of the corresponding container. It should be noted that the metric value in the metric log data represents both the historical state and the current state of the corresponding container, so that the metric value is traceable and, accordingly, a tampered container can be accurately identified.
Optionally, the metric log data may further include field data such as freshness of the corresponding container, which may be used to indicate that the metric log data is the most recently acquired data, rather than the historical data. In the present embodiment, the freshness may be a time stamp indicating the time at which the corresponding metric value is acquired, or the like, but the content of the freshness is not limited to the time stamp.
The metric log data of each container may be recorded in the form of a data table, and each line of data in the data table may be used as one piece of metric log data, as shown in the data table shown in table 1 below.
TABLE 1
Container ID          Metric value   Freshness degree
2da5-3288-2388-da5e   824d6ca5…      3492012235
Dc34-3475-4ace-f456   239de423…      3456992316
45a6-7783-a53c-c42d   5923cdea…      3598723414
The container metric library constructed in this way supports query, extend and delete operations for updating the library; it does not support the update operation of a conventional database, that is, appending the newly acquired current metric value or directly replacing the historical metric value with it.
Optionally, the extend operation on the container metric library may be defined as follows. Let the metric value of a certain container recorded in the container metric library be A, and let the metric value computed over all immutable files of that container be B; extending (A, B) yields SHA1(A, B). In other words, if the metric value of a container is a hash value, then after a current hash value of container 1 is newly acquired, a hash is computed again over the historical hash value of container 1 in the container metric library together with the current hash value, giving a new hash value of container 1, and the historical hash value of container 1 in the library is replaced with the new hash value. This is what writing the current hash value of container 1 into the container metric library in an extended manner means, and the hash value recorded in the library therefore represents not only the current state of the container (the state characterized by the current hash value) but also its historical state (the state characterized by the historical hash value).
Therefore, the metric values recorded in the container metric library have traceability and can represent the states of the corresponding containers at different times, so that after a certain container is tampered, the metric values of the containers recorded in the container metric library can be analyzed to accurately judge which container is tampered.
It should be noted that the manner in which the container metric library 12 stores data is not limited to the manner of the data table listed above, and the configuration can be flexibly performed according to actual needs.
The container metric library management component 13 is mainly used to manage the container metric library, as described above, the container metric library is updated in an extended manner, and a certain metric log data stored in the container metric library may be queried or deleted according to actual needs.
In this embodiment, the container metric library management component is configured with a management interface, and after the metric module 112 in the container management component 11 obtains the metric value of a certain container, the obtained container metric value may be sent to the container metric library management component by calling the management interface, so as to update the container metric library.
As another alternative embodiment of the present application, referring to the system architecture diagram shown in fig. 2, on the basis of the above embodiment, the system may further include an integrity measurement component 14 and a trusted platform 15, and the present embodiment mainly describes functions of these two parts, and for other components in the system, reference may be made to the description of the above embodiment.
The integrity measurement component 14 may be configured to perform integrity measurement on the operating system (i.e., the computer system) of the computer device when the computer system is started. In this embodiment it may be configured to measure the container management component and the container metric library management component and to update the obtained integrity measurement result to the trusted platform, thereby obtaining a complete trust chain; the details are not described in this embodiment.
In practical applications, the integrity measurement component 14 is triggered into an active state to perform integrity measurement on the operating system of the computer device, typically when the operating system is started.
The trusted platform 15 may be a hardware TPM (Trusted Platform Module), and may include a platform configuration register (PCR10) 151 for recording the integrity measurement result. That is, after the integrity measurement module IMA has measured the container management component and the container metric library management component, the obtained integrity measurement result may be written into PCR10 of the TPM; the specific implementation is not described in detail in this embodiment.
Of course, the trusted platform may also include other components, which are not described in detail herein.
In summary, the present application implements integrity measurement of each container and writes the result into a trusted platform for storage, thereby establishing a complete trust chain from the hardware TPM through the boot loader, the BIOS (Basic Input Output System)/UEFI (Unified Extensible Firmware Interface) and the operating system kernel to the container management component and finally to each container. This solves the technical problem of the conventional approach, in which the limited number of PCRs in TPM hardware (20) means that the state of all containers cannot be recorded in the TPM and integrity measurement of the containers cannot be implemented.
Referring to FIG. 3 in conjunction with the system architecture shown in FIG. 1, a schematic flow chart of a container security reinforcement method provided in an embodiment of the present application is shown. The method may be applied to a computer device and, as shown in FIG. 3, may include, but is not limited to, the following steps:
step S101, under the condition that the container runs, measuring the container to obtain a current measurement value of the container;
in this embodiment, for each container deployed in the computer device, a container management component is generally used to implement management, such as starting of the container, updating a state, and the like, and compared with the functions of a conventional container management component, the container management component of this embodiment may further have a measurement function, that is, the container management component of the computer device of the present application may include a measurement module, which is used to implement measurement on each container deployed in the computer device, so as to obtain a corresponding measurement value. The function implementation method of the measurement module is not described in detail in the present application.
Optionally, the hash value of each immutable file in the container may be obtained, and the measurement on the container is realized according to the hash value, where the measurement value of the container may be the hash value. The embodiment may use the secure hash algorithm SHA1 to calculate the hash value of the immutable file, but is not limited to this.
It should be noted that, in the present application, the container is measured, which may be for understanding a state of the container, so that the current measurement value of the container obtained in the present embodiment may represent the current state of the container.
And step S102, writing the measurement value of the container into a container measurement library in an expansion mode, so that the measurement value recorded by the container measurement library can represent the historical state and the current state of the corresponding container.
As can be seen from the description of the container metric library in the above embodiment, the container metric library stores metric log data for each container deployed in the computer system; the metric log data includes a container ID and the metric value of the corresponding container, and may further include a freshness field for the container with that ID.
In this embodiment, the obtained current metric value of the container is written into the container metric library using the extend operation: a new metric value of the container is computed from the historical metric value and the current metric value, and the historical metric value of the container in the container metric library is replaced by the new value. The recorded value thus represents both the historical state and the current state of the container, and the metric values recorded in the container metric library are traceable. As a result, when one container among others is tampered with, whether through normal container operations or through other means (such as underlying Linux commands, C language programs, Libc, and the like), the tampering can be accurately detected and prevented, improving container security; at the same time, it can be accurately judged which container was tampered with, so that the corresponding container can be maintained in a targeted manner in time.
Optionally, in practical application of the present application, in combination with the above description of the function of the integrity measurement module, in the case that the operating system of the computer device is started, the present application may further perform integrity measurement on the operating system, and update the obtained integrity measurement result to the trusted platform.
In this embodiment, an integrity measurement technology may be used to measure the integrity of the container; for example, the integrity of the container management component and the container metric library management component is measured, and the obtained integrity measurement result is updated to the trusted platform for storage. The specific integrity measurement process is not described in detail.
As can be seen from the above, and referring to the comparison of trust chains in a computer device shown in FIG. 4, the trust chain established by an existing computer device, shown on the left side of FIG. 4, runs from the operating system boot loader through the BIOS/UEFI to the operating system kernel with the TPM as the root of trust. This chain is not complete: limited by the number of PCRs in the TPM hardware (for example, 20), the states of all containers cannot be recorded in the TPM, and therefore their integrity measurement cannot be implemented.
In order to improve the above problems, the present application adopts the above method, establishes the trust chain as shown in the right side of fig. 4, and further adds a more complete measurement from the operating system kernel, to the container management component, and to each container on the basis of the existing trust chain, thereby realizing the real integrity of the trust chain and further realizing the measurement of the container integrity.
Based on the above conception of the container security reinforcement method proposed by the present application, the present application further provides a refinement of the container security reinforcement method, which refers to a schematic flow chart of another embodiment of the container security reinforcement method shown in fig. 5, and the method may include, but is not limited to, the following steps:
step S201, under the condition that the container runs, calculating the current measurement value of each immutable file of the container;
step S202, calculating the sum of the current measurement values of all the immutable files to obtain the current measurement value of the container;
The immutable files may be files whose content does not change during the container update process, such as executable files and certain key configuration files; the application does not limit the number or types of files counted as immutable.
optionally, for the measurement of the container, a secure hash algorithm may be used to implement the measurement, that is, the measurement value may be represented by a hash value, so that the hash value of each immutable file in the container may be calculated by using the secure hash algorithm, and the hash value of the container is obtained through summation, where the specific calculation process is not described in detail in this embodiment.
Step S203, acquiring historical measurement values of containers in a container measurement library;
step S204, calculating the historical metric value and the current metric value of the container to obtain a new metric value of the container;
step S205, the historical metric value of the container in the container metric library is replaced with the new metric value of the container.
In the present application, the extend operation replaces the conventional update operation for updating the container measurement library. Combining this with the description of the extend operation above: after the current measurement value of a certain container is obtained, the measurement value corresponding to that container's ID is read from the container measurement library and taken as the historical measurement value of the container, and then the historical measurement value and the current measurement value are computed together to obtain the new measurement value of the container.
If the metric value is a hash value, the embodiment may perform hash calculation on the historical hash value and the current hash value of the container by using SHA1, and use the obtained hash value as a new hash value of the container to replace the historical hash value of the container in the container metric library. As can be seen, the new hash value obtained in this embodiment can represent the historical hash value and the current hash value of the container, that is, the new hash value can represent the historical state and the current state of the container.
Therefore, because the container measurement library is updated by the extend operation, the measurement values of all containers recorded in the library are traceable. By analyzing the measurement values in the library, the possibility that an intruder tampers with a container through various means can be detected and prevented in time, improving container security, and the tampered container can be accurately identified even when other containers are being tampered with through normal container operations, so that targeted maintenance of the tampered container can be carried out in time.
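As an added example, not part of the patent and not Lenovo's code: the following Python sketch implements the extend operation defined above, (A, B) to SHA1(A, B), together with steps S201 to S205 end to end, and then shows how a verifier replays a container's known-good measurement history to identify which container's stored value no longer matches. Everything the page does not state is an assumption and is marked as such in the code: the starting value of a container before its first extend (20 zero bytes), the meaning of "sum" for hash values (addition as 160-bit integers modulo 2^160), byte concatenation inside SHA1(A, B), integer timestamps for freshness, and the constructed sample file contents; the class and function names are the example's own.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption (not on the page): value a container starts from before its first extend.
INITIAL_VALUE = "00" * 20
HASH_BITS = 160  # SHA-1 digest width


def measure_file(content: bytes) -> str:
    """Step S201: the current metric value of one immutable file is its SHA-1 digest."""
    return hashlib.sha1(content).hexdigest()


def measure_container(immutable_files: Dict[str, bytes]) -> str:
    """Step S202: the container's current metric value is the sum of its files'
    hash values. The page says 'sum'; treating digests as 160-bit integers and
    adding them modulo 2**160 is this example's assumption."""
    total = 0
    for content in immutable_files.values():
        total = (total + int(measure_file(content), 16)) % (1 << HASH_BITS)
    return f"{total:040x}"


def extend(historical: str, current: str) -> str:
    """The page's extend operation (A, B) -> SHA1(A, B): hash the historical value
    followed by the current one. Concatenating the raw bytes is an assumption."""
    return hashlib.sha1(bytes.fromhex(historical) + bytes.fromhex(current)).hexdigest()


@dataclass
class MetricLog:
    """One row of Table 1: container ID, metric value, freshness (a timestamp here)."""
    container_id: str
    metric_value: str
    freshness: int


class ContainerMetricLibrary:
    """In-memory metric library supporting only query, extend and delete.
    There is deliberately no 'update' that overwrites a stored value with a
    fresh measurement: every write goes through extend, so the stored value
    depends on the entire measurement history of the container."""

    def __init__(self) -> None:
        self._rows: Dict[str, MetricLog] = {}

    def query(self, container_id: str) -> Optional[MetricLog]:
        return self._rows.get(container_id)

    def extend(self, container_id: str, current: str, now: Optional[int] = None) -> str:
        row = self._rows.get(container_id)
        historical = row.metric_value if row else INITIAL_VALUE   # S203
        new_value = extend(historical, current)                   # S204
        freshness = int(time.time()) if now is None else now
        self._rows[container_id] = MetricLog(container_id, new_value, freshness)  # S205
        return new_value

    def delete(self, container_id: str) -> None:
        self._rows.pop(container_id, None)


def replay(history: List[str]) -> str:
    """Recompute the value the library must hold for a container whose
    known-good sequence of current metric values is `history`."""
    value = INITIAL_VALUE
    for current in history:
        value = extend(value, current)
    return value


def find_tampered(library: ContainerMetricLibrary,
                  expected: Dict[str, List[str]]) -> List[str]:
    """IDs of containers whose stored value disagrees with the replay of their
    expected history. Because extend is order-sensitive and one-way, a single
    unexpected measurement anywhere in the history changes the stored value."""
    tampered = []
    for container_id, history in expected.items():
        row = library.query(container_id)
        if row is None or row.metric_value != replay(history):
            tampered.append(container_id)
    return sorted(tampered)


if __name__ == "__main__":
    # Constructed sample data: two containers, each with two immutable files.
    files_a = {"/usr/bin/app": b"\x7fELF app v1", "/etc/app.conf": b"listen=8080\n"}
    files_b = {"/usr/bin/web": b"\x7fELF web v1", "/etc/web.conf": b"port=443\n"}
    lib = ContainerMetricLibrary()
    expected: Dict[str, List[str]] = {"2da5-3288-2388-da5e": [], "Dc34-3475-4ace-f456": []}
    for cid, files in (("2da5-3288-2388-da5e", files_a), ("Dc34-3475-4ace-f456", files_b)):
        current = measure_container(files)
        expected[cid].append(current)
        lib.extend(cid, current, now=3492012235)
    print("tampered after clean run:", find_tampered(lib, expected))
    # An unexpected change to one binary shows up only for that container.
    files_b["/usr/bin/web"] = b"\x7fELF web modified"
    lib.extend("Dc34-3475-4ace-f456", measure_container(files_b), now=3492012299)
    print("tampered after modification:", find_tampered(lib, expected))
```

Running the module prints an empty list for the clean run and the ID of the modified container afterwards. Two design points are worth noticing: extend is order-sensitive and one-way, so a stored value cannot be rolled back to hide an unexpected measurement, whereas the per-file summation of step S202 is order-independent and does not record which file changed, so a deployment that needs file-level attribution should keep the per-file digests (or hash a sorted list of path/digest pairs) alongside the container value.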
The present application further provides a storage medium on which a computer program is stored; when the program is executed by a processor it implements the steps of the container security reinforcement method. For the specific implementation, refer to the description of the method embodiments.
The present application further provides the hardware structure of a computer device. Referring to the hardware structure diagram of the computer device shown in fig. 6, the computer device may include a communication module 21, a memory 22, a processor 23 and a trusted platform module 24, where:
there may be at least one of each of the communication module 21, the memory 22 and the processor 23, and they may interact with each other through a communication bus.
The communication module 21 may include a wireless communication module and/or a wired communication module. It is used for data communication with other components of the computer device and may also be used for data exchange with other electronic devices. The type and operating principle of the communication module 21 are not limited in this application and may be chosen according to the actual communication requirements.
The memory 22 is used for storing a program that implements the container security reinforcement method described above.
Optionally, the memory may include a high-speed RAM and may also include a non-volatile memory, such as at least one disk. In practical applications the memory may also be used to store the container metric library and the like, as determined by actual requirements.
The processor 23 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
The processor 23 may be configured to load and execute the program stored in the memory 22 so as to implement the steps of the container security reinforcement method; for the specific implementation, refer to the description of the method embodiments above.
The trusted platform module 24 may be the TPM described in the system embodiment above. It may serve as the root of trust for building the trust chain of the computer device and may be provided with platform configuration registers (PCRs) for storing integrity measurement results; the present application does not limit the specific hardware structure of the trusted platform module 24.
It should be understood that the computer device provided in the present application is not limited to the hardware components listed in this embodiment and may further include a display device, an input device, various sensors and so on, as determined by the product type of the computer device and its functions; these are not enumerated here.
Finally, it should be noted that, in the embodiments, relational terms such as first, second and the like may be used solely to distinguish one operation, unit or module from another operation, unit or module without necessarily requiring or implying any actual such relationship or order between such units, operations or modules. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method or system that comprises the element.
The embodiments in the present description are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. Since the system and the computer device disclosed in the embodiments correspond to the method disclosed in the embodiments, their description is relatively brief, and the relevant points can be found in the description of the method.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. A container security reinforcement method, the method comprising:
while a container is running, measuring the container to obtain a current metric value of the container, wherein the measuring comprises: measuring each immutable file in the container to obtain the current metric value of the corresponding immutable file; and calculating the current metric value of the container from the current metric values of the immutable files, wherein the current metric value of the container represents the current state of the container, and an immutable file is a file whose content is not changed during updating of the container;
writing the current metric value of the container into a container metric library in an extended manner, which comprises: obtaining the historical metric value of the container from the container metric library; calculating a new metric value of the container from the historical metric value and the current metric value of the container; and replacing the historical metric value of the container in the container metric library with the new metric value of the container, so that the metric value recorded by the container metric library for a container represents both the historical state and the current state of that container.
2. The method of claim 1, wherein measuring each immutable file of the container to obtain the current metric value of the corresponding immutable file, and calculating the current metric value of the container from the current metric values of the immutable files, comprises:
calculating the current hash value of each immutable file in the container; and
summing the current hash values of the immutable files to obtain the current hash value of the container.
3. The method of claim 1, wherein writing the current metric value of the container into the container metric library in an extended manner comprises:
calling a management interface of the container metric library and sending the current metric value of the container to a container metric library management component, which writes the current metric value of the container into the container metric library in an extended manner.
4. The method of any one of claims 1 to 3, further comprising:
when the computer system in which the container is located is started, performing integrity measurement on the computer system to obtain an integrity measurement result; and
updating the trusted platform module with the integrity measurement result.
5. A container security reinforcement system, the system comprising:
a container management component, configured to measure a container while it is running to obtain a current metric value of the container, the measuring comprising: measuring each immutable file in the container to obtain the current metric value of the corresponding immutable file; and calculating the current metric value of the container from the current metric values of the immutable files, wherein an immutable file is a file whose content is not changed during updating of the container;
a container metric library, for storing the metric value of each container deployed in the computer system; and
a container metric library management component, for writing the current metric value of the container into the container metric library in an extended manner, which comprises: obtaining the historical metric value of the container from the container metric library; calculating a new metric value of the container from the historical metric value and the current metric value of the container; and replacing the historical metric value of the container in the container metric library with the new metric value of the container;
wherein the container management component comprises: a container management module, for starting and updating each container deployed in the computer system; and a measurement module, for measuring any container while it is running to obtain the current metric value of that container.
6. The system of claim 5, further comprising:
an integrity measurement component, for performing integrity measurement on the computer system in which the container is located when the computer system is started, and updating the trusted platform module with the resulting integrity measurement result.
7. A storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the container security reinforcement method according to any one of claims 1 to 4.
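The extend-based metric library described in the closing paragraph of the description and in claims 1 to 3 can be exercised end to end with the following Python script. It is a worked example added here, not code from the patent or from Lenovo. Its assumptions: SHA-256 as the hash; that the "calculation" of claim 1 is the TPM PCR-style extend new = H(historical || current); constructed in-memory file sets standing in for real container filesystems; and an audit step (not in the claims) that replays the event log against the stored value and compares each logged measurement with the metrics of the versions the operator actually deployed. It also places claim 2's summation of per-file hashes next to a hardened, order-binding combiner, because a plain sum is commutative and cannot distinguish two measured files whose contents have been swapped.

```python
import hashlib
from typing import Dict, List, Set, Tuple

MODULUS = 1 << 256                               # keeps the summed metric 32 bytes
IMMUTABLE = ["/usr/bin/app", "/etc/app.conf"]    # constructed immutable-file list
# Constructed sample container file sets (path -> content), not real images.
WEB_V1 = {"/usr/bin/app": b"web binary v1", "/etc/app.conf": b"port=8080"}
WEB_V2 = {"/usr/bin/app": b"web binary v2", "/etc/app.conf": b"port=8080"}
DB_V1 = {"/usr/bin/app": b"db binary v1", "/etc/app.conf": b"listen=5432"}
DB_IMPLANTED = {"/usr/bin/app": b"db binary v1 + implant",
                "/etc/app.conf": b"listen=5432"}


def measure_file(content: bytes) -> bytes:
    """Claim 2: the current metric value of one immutable file is its hash."""
    return hashlib.sha256(content).digest()


def container_metric_sum(files: Dict[str, bytes], immutable: List[str]) -> bytes:
    """Claim 2 taken literally: the sum of the per-file hashes (mod 2**256).
    Addition is commutative, so files that swap contents leave it unchanged."""
    total = 0
    for path in immutable:
        total = (total + int.from_bytes(measure_file(files[path]), "big")) % MODULUS
    return total.to_bytes(32, "big")


def container_metric_ordered(files: Dict[str, bytes], immutable: List[str]) -> bytes:
    """Hardened combiner (an assumption, not in the claims): hash the sorted
    (path, digest) pairs so each file's identity is bound to its content."""
    h = hashlib.sha256()
    for path in sorted(immutable):
        h.update(path.encode() + b"\0" + measure_file(files[path]))
    return h.digest()


def extend(historical: bytes, current: bytes) -> bytes:
    """Claim 1's calculation of the new value, assumed to be TPM PCR style:
    new = H(historical || current). Earlier values are chained, never erased."""
    return hashlib.sha256(historical + current).digest()


class ContainerMetricLibrary:
    """Claims 1, 3 and 5: one extended value per container plus the log of the
    current values extended into it, which is what makes the value traceable."""
    INITIAL = bytes(32)

    def __init__(self) -> None:
        self.values: Dict[str, bytes] = {}
        self.log: Dict[str, List[bytes]] = {}

    def write_extended(self, container_id: str, current: bytes) -> bytes:
        historical = self.values.get(container_id, self.INITIAL)
        new = extend(historical, current)
        self.values[container_id] = new          # replaces the historical value
        self.log.setdefault(container_id, []).append(current)
        return new

    def replay(self, container_id: str) -> bytes:
        acc = self.INITIAL
        for current in self.log.get(container_id, []):
            acc = extend(acc, current)
        return acc


def audit(lib: ContainerMetricLibrary, container_id: str,
          allowed: Set[bytes]) -> Tuple[bool, List[int]]:
    """Analysis step (assumed): the log must replay to the stored value, and
    every logged measurement must match a version the operator deployed.
    Returns (log consistent?, indices of measurements matching no version)."""
    consistent = lib.replay(container_id) == lib.values.get(container_id)
    bad = [i for i, m in enumerate(lib.log.get(container_id, [])) if m not in allowed]
    return consistent, bad


def metric(files: Dict[str, bytes]) -> bytes:
    return container_metric_ordered(files, IMMUTABLE)


def demo() -> Dict[str, Tuple[bool, List[int]]]:
    """web is updated normally (v1 -> v2); db is modified at run time. Only db's
    chain contains a measurement that matches no deployed version."""
    lib = ContainerMetricLibrary()
    for cid, files in [("web", WEB_V1), ("db", DB_V1), ("web", WEB_V2),
                       ("db", DB_V1), ("db", DB_IMPLANTED)]:
        lib.write_extended(cid, metric(files))
    allowed = {"web": {metric(WEB_V1), metric(WEB_V2)}, "db": {metric(DB_V1)}}
    return {cid: audit(lib, cid, allowed[cid]) for cid in ("web", "db")}


def log_rewrite_detected() -> bool:
    """Overwriting the incriminating log entry cannot make the replay match the
    stored value, which was built from the original measurement."""
    lib = ContainerMetricLibrary()
    lib.write_extended("db", metric(DB_V1))
    lib.write_extended("db", metric(DB_IMPLANTED))
    lib.log["db"][-1] = metric(DB_V1)            # attempted cover-up
    return lib.replay("db") != lib.values["db"]


def swap_hides_from_sum() -> Tuple[bool, bool]:
    """Two measured files swap contents: is the metric unchanged? (sum, ordered)"""
    swapped = {"/usr/bin/app": DB_V1["/etc/app.conf"],
               "/etc/app.conf": DB_V1["/usr/bin/app"]}
    return (container_metric_sum(DB_V1, IMMUTABLE) == container_metric_sum(swapped, IMMUTABLE),
            container_metric_ordered(DB_V1, IMMUTABLE) == container_metric_ordered(swapped, IMMUTABLE))


if __name__ == "__main__":
    print(demo(), log_rewrite_detected(), swap_hides_from_sum())
```

Running it flags only `db`, whose third measurement matches no deployed version, while `web`'s normal update passes the audit; this is the property the description calls traceability. Rewriting the log entry to hide the implant breaks the replay, because the stored extended value was computed from the original measurement. The last check shows why the per-file combiner matters: with the summed metric of claim 2, swapping the contents of two measured files is invisible, whereas the order-binding combiner detects it.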
CN201910350168.8A 2019-04-28 2019-04-28 Container security reinforcement method, system and storage medium Active CN110046505B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910350168.8A CN110046505B (en) 2019-04-28 2019-04-28 Container security reinforcement method, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910350168.8A CN110046505B (en) 2019-04-28 2019-04-28 Container security reinforcement method, system and storage medium

Publications (2)

Publication Number Publication Date
CN110046505A CN110046505A (en) 2019-07-23
CN110046505B true CN110046505B (en) 2021-07-16

Family

ID=67280034

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910350168.8A Active CN110046505B (en) 2019-04-28 2019-04-28 Container security reinforcement method, system and storage medium

Country Status (1)

Country Link
CN (1) CN110046505B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11580199B2 (en) 2019-09-20 2023-02-14 International Business Machines Corporation Correspondence of external operations to containers and mutation events
CN111857967B (en) * 2020-07-29 2022-04-12 中科方德软件有限公司 Container integrity checking method
CN112364343B (en) * 2020-11-16 2022-05-06 支付宝(杭州)信息技术有限公司 Method and device for protecting secrets of virtual machine monitor and electronic equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104573507A (en) * 2015-02-05 2015-04-29 浪潮电子信息产业股份有限公司 Secure container and design method thereof
CN104951708A (en) * 2015-06-11 2015-09-30 浪潮电子信息产业股份有限公司 File measurement and protection method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101458743A (en) * 2007-12-12 2009-06-17 中国长城计算机深圳股份有限公司 Method for protecting computer system
US9152793B2 (en) * 2012-09-28 2015-10-06 Intel Corporation Methods, systems and apparatus to self authorize platform code
CN105069353B (en) * 2015-08-11 2017-10-24 武汉大学 A kind of credible vessel safety reinforcement means based on Docker
US10635821B2 (en) * 2017-10-13 2020-04-28 Baidu Usa Llc Method and apparatus for launching a device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104573507A (en) * 2015-02-05 2015-04-29 浪潮电子信息产业股份有限公司 Secure container and design method thereof
CN104951708A (en) * 2015-06-11 2015-09-30 浪潮电子信息产业股份有限公司 File measurement and protection method and device

Also Published As

Publication number Publication date
CN110046505A (en) 2019-07-23

Similar Documents

Publication Publication Date Title
CN108446407B (en) Database auditing method and device based on block chain
CN110046505B (en) Container security reinforcement method, system and storage medium
US9250951B2 (en) Techniques for attesting data processing systems
CN103020522B (en) For correcting anti-virus record to minimize the system and method for Malware flase drop
CN103093150A (en) Dynamic integrity protection method based on credible chip
US11275835B2 (en) Method of speeding up a full antivirus scan of files on a mobile device
US8768896B2 (en) Setting information database management
CN110647750B (en) File integrity measurement method and device, terminal and security management center
US8418161B2 (en) System and method for loading a called class file table with data indicating a highest version of a class file
CN106326735B (en) Method and apparatus for preventing injection
CN104850792A (en) Establishment method and apparatus of trust chain of server
US11422916B2 (en) Usage amount monitoring method and monitoring unit of electronic control unit for vehicle
CN106843947B (en) Method and device for processing code defects
CN111008034A (en) Patch generation method and device
CN112068874B (en) Continuous integration method and device for software items, terminal equipment and storage medium
WO2021082831A1 (en) Log storage method and apparatus, server, and computer-readable storage medium
WO2018122890A1 (en) Log analysis method, system, and program
CN111966630B (en) File type detection method, device, equipment and medium
US20090259835A1 (en) System and method for tracking and recording system configurations of electronic devices
CN113820649B (en) Method and device for testing service life reliability of firmware of electric energy meter
CN116737526A (en) Code segment dynamic measurement method and device and electronic equipment
CN111897559B (en) Hot update code detection method and device, electronic equipment and storage medium
CN114253825B (en) Memory leak detection method, device, computer equipment and storage medium
CN113918384A (en) Data saving method, device, equipment and storage medium
KR101893504B1 (en) A file integrity test in linux environment device and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant