Abstract

Docker has become the dominant service deployment model on cloud platforms because it is lightweight and portable. As cloud services spread, the security of Docker has become a growing concern. On the one hand, Docker's current security capability is insufficient: Docker reduces its attack surface mainly by simplifying system functions, and its limited built-in security mechanisms cannot control the runtime security of containers. On the other hand, Docker lacks a mechanism for deploying and enforcing personalized security policies, so it cannot meet the particular security needs that users have for cloud services. To address these problems, this paper proposes a security-on-demand framework for Docker, the Policy-Customized Trusted Docker Architecture (PC-TDA). PC-TDA introduces attribute-based encryption to force cloud service providers to deliver Docker services that satisfy the user's customized security policies, and uses attribute-based signatures to support verification of the security status and security policies of cloud services. PC-TDA has been preliminarily implemented on the Kylin cloud; the verification results show that the proposed architecture is feasible and sound and gives cloud users greater flexibility in controlling their Docker containers.
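The abstract describes binding a user's customized security policy to attribute-based encryption, so that only a provider whose Docker runtime carries the required attributes can satisfy (in ciphertext-policy ABE, decrypt for) that policy. The following is an added illustrative model, not code from the paper or from PC-TDA: it implements only the monotone access-structure check that decides whether an attribute set satisfies a policy tree, leaving out the bilinear-pairing cryptography of a real CP-ABE scheme. The attribute names (seccomp, lsm, userns, signed_image, region) and the host descriptions are constructed assumptions, not the paper's.

```python
"""
Illustrative model of the policy check underlying ciphertext-policy
attribute-based encryption (CP-ABE), added as an example; not PC-TDA code.
A ciphertext carries an access policy; a key whose attribute set satisfies
the policy can decrypt.  Here the policy is a user's customized Docker
security policy and the attributes describe a cloud host's Docker runtime.
Only the access-structure check is modeled; pairing-based crypto is omitted.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Union


# A policy tree node is either a leaf (an attribute string) or a threshold
# gate "k of n" over its children.  AND is n-of-n, OR is 1-of-n.
@dataclass(frozen=True)
class Gate:
    threshold: int
    children: tuple["Node", ...]


Node = Union[str, Gate]


def AND(*children: Node) -> Gate:
    return Gate(len(children), tuple(children))


def OR(*children: Node) -> Gate:
    return Gate(1, tuple(children))


def satisfies(node: Node, attrs: frozenset[str]) -> bool:
    """Return True if the attribute set satisfies the policy tree (the
    condition under which a CP-ABE key for `attrs` could decrypt)."""
    if isinstance(node, str):
        return node in attrs
    hits = sum(1 for child in node.children if satisfies(child, attrs))
    return hits >= node.threshold


def host_attributes(host: dict) -> frozenset[str]:
    """Translate a (constructed) host runtime description into the
    attribute strings an attribute authority would certify in a key."""
    attrs = set()
    if host.get("seccomp_profile") not in (None, "unconfined"):
        attrs.add("seccomp")
    if host.get("lsm") in ("apparmor", "selinux"):
        attrs.add("lsm:" + host["lsm"])
    if host.get("userns_remap"):
        attrs.add("userns")
    if host.get("image_signature_verified"):
        attrs.add("signed_image")
    if not host.get("privileged", False):
        attrs.add("unprivileged")
    attrs.add("region:" + host.get("region", "unknown"))
    return frozenset(attrs)


# A user's customized policy (assumed example): containers must run
# unprivileged with seccomp, under an LSM, with either signed images or
# user-namespace remapping, and only in one region.
USER_POLICY = AND(
    "unprivileged",
    "seccomp",
    OR("lsm:apparmor", "lsm:selinux"),
    OR("signed_image", "userns"),
    "region:cn-north",
)

# Constructed sample hosts; values are made up for the example.
HOSTS = {
    "kylin-a": {"seccomp_profile": "default", "lsm": "apparmor",
                "userns_remap": False, "image_signature_verified": True,
                "privileged": False, "region": "cn-north"},
    "kylin-b": {"seccomp_profile": "unconfined", "lsm": "selinux",
                "userns_remap": True, "image_signature_verified": False,
                "privileged": False, "region": "cn-north"},
    "kylin-c": {"seccomp_profile": "default", "lsm": "apparmor",
                "userns_remap": True, "image_signature_verified": True,
                "privileged": True, "region": "cn-north"},
    "kylin-d": {"seccomp_profile": "default", "lsm": "selinux",
                "userns_remap": True, "image_signature_verified": False,
                "privileged": False, "region": "us-east"},
}


def select_hosts(policy: Node, hosts: dict) -> list[str]:
    """Names of hosts whose runtime attributes satisfy the user policy."""
    return sorted(name for name, h in hosts.items()
                  if satisfies(policy, host_attributes(h)))


if __name__ == "__main__":
    for name, h in HOSTS.items():
        print(name, sorted(host_attributes(h)),
              "OK" if satisfies(USER_POLICY, host_attributes(h)) else "REJECT")
    print("eligible:", select_hosts(USER_POLICY, HOSTS))
```

In a real CP-ABE deployment the same tree would be embedded in the ciphertext and the attribute set in the provider's secret key; the check above is the logical condition the decryption algorithm enforces, and it is what makes the policy enforceable by the user rather than by the provider's goodwill. Note that the attribute set must come from a trusted attribute authority (or, in PC-TDA's setting, be attested), otherwise a provider could simply claim the attributes it lacks.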
