Highly Efficient and Secure Metadata-Driven Integrity Measurement for Containers
Li Zhang, Shu-Pan Li, +2 authors, Yu-an Tan
TLDR
Two novel metadata-driven IMMs are presented, the Overlay2 IMM and the Btrfs IMM, which use the built-in metadata structures of the Overlay2 and Btrfs filesystems, respectively; they are much more efficient in operation than MDA-based IMMs and more secure because they use an external validation mechanism that does not depend on the container's running state.
Abstract
The integrity measurement mechanism (IMM) is key to creating a trusted execution environment (TEE) for containers: it ensures that the files inside a container are genuine and have not been tampered with. Traditional IMMs, however, are inefficient because they rely on message-digest algorithms (MDAs), which cost considerable time and space and are therefore hard to use in environments where resources are limited. To address this, we present two novel metadata-driven IMMs, the Overlay2 IMM and the Btrfs IMM, which use the built-in metadata structures of the Overlay2 and Btrfs filesystems, respectively. Compared to MDA-based IMMs, the new IMMs are much more efficient in operation. They are also more secure because they use an external validation mechanism that does not depend on the container’s running state, which reduces security risks in dynamic environments. We built complete prototypes of both IMMs and tested them on edge servers with Intel CPUs and on embedded devices with ARM CPUs. Compared with traditional MDA-based methods (including MD5 and SHA256), they show significant improvements: they are more efficient in computation, and they reduce space and time requirements by using filesystem metadata instead of hashing entire files, which makes them suitable for resource-constrained environments. Because they run outside the container, malicious actors inside the container cannot detect them, ensuring robust protection. In addition, they check file integrity consistently regardless of the container’s state (running, paused, or stopped), because they use metadata from the container image; this improves the overall reliability and consistency of the integrity measurement process.
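To make the contrast in the abstract concrete, the following added example (not the paper's code and not its Overlay2 or Btrfs implementation) checks a container root filesystem from the host side in two ways: a metadata-driven baseline built from `stat` fields without reading any file contents, and an MDA-driven baseline built from SHA-256 digests of every file. The `snapshot_metadata`, `snapshot_hashes`, `verify` and demo functions, the choice of stat fields and the sample root filesystem are all assumptions made for the illustration. The second demo shows the caveat a practitioner should keep in mind with metadata-only checks: a same-size rewrite with the modification time restored slips past a size+mtime comparison, while the change time (which an unprivileged process cannot set back) and the content digest still flag it.

```python
"""Added illustration (not the paper's code): metadata-driven versus
hash-driven integrity checks of a container root filesystem, run from
outside the container so the check does not depend on its state."""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def snapshot_metadata(root, fields=("size", "mtime", "ctime", "ino")):
    """Baseline built from filesystem metadata only: no file contents are read.
    Keyed by path relative to root; value is the tuple of requested stat fields."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            values = {"size": st.st_size, "mtime": st.st_mtime_ns,
                      "ctime": st.st_ctime_ns, "ino": st.st_ino}
            snap[p.relative_to(root).as_posix()] = tuple(values[f] for f in fields)
    return snap


def snapshot_hashes(root, algo="sha256"):
    """Baseline built from content digests: every byte of every file is read."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            h = hashlib.new(algo)
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            snap[p.relative_to(root).as_posix()] = h.hexdigest()
    return snap


def verify(baseline, current):
    """Compare a stored baseline with a fresh snapshot; return sorted (path, finding)."""
    findings = [(p, "missing") for p in baseline if p not in current]
    findings += [(p, "changed") for p in baseline
                 if p in current and current[p] != baseline[p]]
    findings += [(p, "added") for p in current if p not in baseline]
    return sorted(findings)


def build_rootfs(root):
    """Constructed sample container root (hypothetical contents)."""
    (root / "bin").mkdir()
    (root / "bin" / "app").write_bytes(b"\x7fELF-placeholder-binary")
    (root / "etc").mkdir()
    (root / "etc" / "config").write_text("listen=8080\n")


def demo_obvious_tamper():
    """A file grows and a new file appears: both methods report the same findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_rootfs(root)
        meta_base, hash_base = snapshot_metadata(root), snapshot_hashes(root)
        (root / "etc" / "config").write_text("listen=8080\nadmin=1\n")
        (root / "bin" / "extra").write_bytes(b"dropped")
        return (verify(meta_base, snapshot_metadata(root)),
                verify(hash_base, snapshot_hashes(root)))


def demo_stealthy_tamper():
    """Same-size rewrite with mtime put back: size+mtime misses it, while a
    baseline that also records ctime, and the digest baseline, both catch it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_rootfs(root)
        weak_base = snapshot_metadata(root, fields=("size", "mtime"))
        full_base = snapshot_metadata(root)
        hash_base = snapshot_hashes(root)
        cfg = root / "etc" / "config"
        st = cfg.stat()
        time.sleep(0.05)                      # step past timestamp granularity
        cfg.write_text("listen=9090\n")       # same length as the original
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))   # restore mtime only
        return (verify(weak_base, snapshot_metadata(root, fields=("size", "mtime"))),
                verify(full_base, snapshot_metadata(root)),
                verify(hash_base, snapshot_hashes(root)))


if __name__ == "__main__":
    print(demo_obvious_tamper())
    print(demo_stealthy_tamper())
```

The metadata snapshot does one `lstat` per file and never opens it, which is where the time and space saving over digesting whole files comes from; the price is that the baseline must include fields an attacker inside the container cannot freely rewrite (here ctime and inode number), and it must itself be stored and compared from outside the container, as the abstract's external validation does.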
