首页|期刊导航|信息安全研究|基于系统调用隔离的安全容器研究综述

基于系统调用隔离的安全容器研究综述OA

Review of Secure Containers Based on System Call Isolation

中文摘要英文摘要

阐述了基于系统调用隔离增强容器安全性的研究进展.首先概述了容器技术的发展背景及其面临的主要安全挑战,随后深入分析了系统调用隔离在提升容器安全性中的作用,包括限制容器应用程序的系统调用以减少攻击面、使用操作系统中间件和硬件保护机制等技术实现对容器的隔离和保护.通过比较这些技术的实现原理、性能以及它们在隔离性、减少攻击面和数据保护方面的效果,揭示了系统调用隔离技术在提升容器安全性方面的优势和局限.

This article elucidates the research progress in enhancing container security through the isolation of system calls.The article firstly outlines the development background of containerization technology and its major security challenges.Subsequently,an in-depth analysis is conducted on the role of system call isolation in enhancing the security of containers,including the techniques of limiting the system calls of containerized applications to reduce the attack surface,and leveraging operating system middleware and hardware protection mechanisms to accomplish the isolation and protection of containers.By comparing the implementation principles,performance,and their effects on isolation,reduction of attack surfaces,and data protection,the article reveals the advantages and limitations of system call isolation technologies in enhancing container security.

Zhang Tian;Zhang Jie;Liu Weijie;Liu Ximeng

College of Computer and Data Science,Fuzhou University,Fuzhou 350108College of Mathematics and Computer Science,Shanxi Normal University,Taiyuan 030031College of Cryptology and Cyber Science,Nankai University,Tianjin 300350College of Computer and Data Science,Fuzhou University,Fuzhou 350108

信息技术与安全科学

安全容器系统调用隔离Seccomp BPF操作系统中间件硬件保护机制

secure containersystem callisolationSeccomp BPFoperating system middlewarehardware protection mechanism

《信息安全研究》 2026 (1)

2-15,14

国家自然科学基金项目(62072109)福建省自然科学基金项目(2021J06013)天津市自然科学基金青年项目(24JCQNJC02140)

10.12379/j.issn.2096-1057.2026.01.01

评论