Cite this article:
KONG Tong, WANG Liming, XU Zhen, MA Duohe. Survey on Lightweight Virtualization Technology Security [J]. Journal of Cyber Security, 2026, 11(2): 273-288
Abstract (Chinese version, translated):
With the rapid development of lightweight virtualization technology, represented by container technology, its role in cloud computing is becoming increasingly important. Instead of creating a separate operating system for each virtual instance, lightweight virtualization uses kernel mechanisms to isolate CPU, memory, network and file system. This allows hardware infrastructure resources to be fully utilized, reasonably allocated and effectively scheduled more efficiently and flexibly, and has brought new technical architectures and operation models such as cloud native to cloud computing. At the same time, because lightweight virtual instances on the same host share the operating system kernel and there is no effective means of inspecting image repositories, the security isolation of lightweight virtualization is weaker than that of traditional virtual machines, and it introduces new security risks. This poses new security challenges for cloud computing and has attracted wide attention from academia and industry, yet its security still lacks systematic study. To give a systematic account of the progress and current state of security research on lightweight virtualization, this paper analyzes its security problems and their solutions in depth. First, it summarizes the architectural characteristics and application scenarios of lightweight virtualization, classifies and surveys the attack threats faced by the lightweight virtual instance layer, the host layer and the hardware layer according to a layered model, and outlines the security weaknesses of image repositories and other supporting systems. Then, it introduces existing defense methods and mechanisms according to the system layer to which each solution belongs, and analyzes and summarizes in detail their defense principles, the types of network attacks they can counter, their implementation schemes and their advantages and disadvantages. Finally, it looks ahead to future trends and research directions in lightweight virtualization security, arguing that strengthening virtual isolation, ensuring image security inspection and unifying technical standards for security evaluation are effective ways to improve the security of lightweight virtualization technology.
Keywords: cloud computing; lightweight virtualization; container technology; network security
DOI: 10.19363/J.cnki.cn10-1380/tn.2026.03.17
Received: 2020-12-24; Revised: 2021-03-08
Funding: This work was supported by the National Key R&D Program of China (No. 2019YFB1005200).
Survey on Lightweight Virtualization Technology Security

KONG Tong 1,2,3, WANG Liming 1, XU Zhen 1, MA Duohe 1

(1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; 2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; 3. China Industrial Control System Cyber Emergency Response Team, Beijing 100040, China)

Abstract:
With the rapid development of lightweight virtualization technology, represented by container technology, its position in cloud computing is becoming more and more important. Lightweight virtualization technology does not create an independent operating system for each virtual instance but uses kernel features to isolate CPU, memory, network and file system, which achieves the full utilization, reasonable allocation and effective scheduling of hardware resources more efficiently and flexibly. It has brought new technical architectures and operation and maintenance models such as cloud native to the cloud computing industry. Meanwhile, because lightweight virtual instances on the same host machine share the operating system kernel and images in public repositories lack effective security detection, the security isolation mechanism of lightweight virtualization technology is weaker than that of traditional virtual machine technology. It has also brought about new security risks and introduced new security challenges to cloud computing technology, which have received widespread attention in both academia and industry, but its security problems lack systematic research. To understand the security research progress of lightweight virtualization technology, this paper studies and analyzes in depth the security problems and solutions of lightweight virtualization technology. Firstly, we introduce the architecture and application scenarios of lightweight virtualization technology. We then summarize the attack threats of the lightweight virtual instance layer, host machine layer and hardware layer using a hierarchical model, and generalize the security vulnerabilities of the image repository and other auxiliary systems. Then, the principles, implementation schemes, types of network attacks that can be defended against, and advantages and disadvantages of the existing security defense methods and mechanisms are introduced and analyzed.
Finally, this survey discusses future work and suggested security research directions for lightweight virtualization technology. We believe that enhancing virtual isolation, ensuring image security detection, and unifying security evaluation criteria are effective methods to improve the security of lightweight virtualization technology.
Key words: cloud computing; lightweight virtualization; container technology; network security