Migration of Operating System Containers in Secure Encrypted Virtual Machines

Description

With the widespread use of Docker and Kubernetes, OS-level virtualization has become a key technology in data centers and cloud environments. Containers are the predominant deployment mechanism for software in this area. They are self-contained and can be used in a resource-efficient manner. At the same time, trends towards resource-sharing in such environments emerge. Data centers and cloud providers offer computing resources on demand which can be used dynamically, for example, in overload situations occurring due to attacks or increased loads. This results in requirements regarding functionality and security, which are addressed in this thesis.

We present a concept and an implementation to migrate operating system containers in secure encrypted virtual machines so that these are protected from the operator and administrator of the destination platform. Concepts for execution environments protected in such a manner are also known as confidential computing. In our approach, processes inside of the containers remain intact, i.e., they keep their state and do not have to be restarted. Network services inside of the containers remain unchanged and reachable. This is typically called live migration. Integrity and confidentiality of the data inside of the containers is enforced during migration as well as on the destination platform, i.e., in transit, in use and at rest. The authenticity and integrity of the destination platform is verified using remote attestation before any data is transferred.

The base technology used in this thesis is AMD SEV. Our proof of concept implementation is based on - in partly modified versions of - Linux, QEMU, OVMF, grub, SEV-tool, SSH, WireGuard, CRIU and Docker. We evaluated our implementation regarding our functional and security as well as performance requirements. Our implementation is fully functional and fulfills all security requirements and the performance impact is negligible.