III. SCONE MECHANISM
The main goal of this study is to provide security for containers on top of an untrusted operating system. In other words, secure containers must protect the containerized services from attackers, and they must also fit into existing Docker container environments. To achieve this, system administrators build the secure container images with Docker in a trusted environment, and the resulting secure containers are then executed in an untrusted environment, where only the enclave page cache (EPC) memory is protected by SGX while the rest of DRAM and the host operating system are not trusted.
The Secure CONtainer Environment (SCONE) design offers a system call interface to the host operating system (OS) that is protected against an OS under the control of a malicious user. SCONE performs sanity checks on the results of system calls and copies all memory-based return values into the enclave before the application sees them, while arguments are first copied out to the host. This mirrors the way an OS kernel validates what it receives from untrusted user space, except that here the enclave validates what it receives from the untrusted OS. SCONE also offers encryption and authentication of data in order to protect the confidentiality and integrity of data that passes through file descriptors. Figure 1 below gives an overview of the SCONE architecture.
To avoid unnecessary enclave transitions, which cause significant performance overhead, SCONE provides a user-level threading implementation: the application threads running inside the enclave are multiplexed across a smaller number of OS threads. SCONE is configured so that it manages the application's system calls itself. Specifically, when an application thread issues a system call, SCONE checks whether another application thread is runnable and executes it until the result of the system call is available.
As mentioned above, SCONE handles system calls on behalf of the application; this feature is called asynchronous system calls. SCONE therefore gives container processes an asynchronous system call interface to the host OS. The implementation uses shared memory to copy system call arguments out of the enclave, to return results back into it, and to signal that a system call has been issued or completed. Inside the SCONE kernel module, the system calls are executed by separate threads. As a result, threads inside the enclave do not need to leave the enclave when a system call is executed.
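To make the shared-memory request queue and the thread multiplexing of the two preceding paragraphs concrete, the following is an added simulation written for this section; it is not SCONE's own code and runs without SGX. The queue layout (`struct sc_slot`, `QSIZE`), the helper names (`enclave_submit`, `enclave_poll`, `enclave_wait`, `demo_async_syscalls`) and the bounce buffers (`untrusted_io_buf`, `untrusted_fds`) are assumptions made for the example. A plain POSIX thread stands in for the system call threads that SCONE runs inside its kernel module, the calling thread stands in for the enclave, and "switching to another application thread" is reduced to counting spin iterations. Linux on x86_64 or aarch64 is assumed for the `SYS_pipe2`, `SYS_write` and `SYS_read` numbers.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* One slot of the shared-memory system call queue (hypothetical layout; SCONE's
 * real queues are lock-free structures placed in untrusted memory). */
enum { SLOT_FREE = 0, SLOT_CLAIMED = 1, SLOT_SUBMITTED = 2, SLOT_DONE = 3 };
struct sc_slot {
    long nr;            /* system call number */
    long args[6];       /* arguments, already pointing into untrusted memory */
    long ret;           /* return value written by the untrusted syscall thread */
    atomic_int state;   /* SLOT_* */
};
#define QSIZE 8
static struct sc_slot queue[QSIZE];       /* the "shared memory" */
static atomic_int stop_requested;
static char untrusted_io_buf[128];        /* bounce buffer outside the enclave */
static int  untrusted_fds[2];             /* pipe2() writes its result here */

/* Untrusted side: executes queued requests. It only touches the queue and the
 * bounce buffers, never enclave memory. (SCONE runs these threads in its kernel module.) */
static void *syscall_thread(void *unused) {
    (void)unused;
    while (!atomic_load(&stop_requested)) {
        int busy = 0;
        for (int i = 0; i < QSIZE; i++) {
            struct sc_slot *s = &queue[i];
            if (atomic_load(&s->state) != SLOT_SUBMITTED) continue;
            s->ret = syscall(s->nr, s->args[0], s->args[1], s->args[2],
                             s->args[3], s->args[4], s->args[5]);
            atomic_store(&s->state, SLOT_DONE);
            busy = 1;
        }
        if (!busy) sched_yield();
    }
    return NULL;
}

/* Enclave side: replaces the syscall instruction. Claims a free slot, fills it
 * and marks it submitted; the thread never leaves the "enclave". */
static int enclave_submit(long nr, long a0, long a1, long a2) {
    for (;;) {
        for (int i = 0; i < QSIZE; i++) {
            int expected = SLOT_FREE;
            if (!atomic_compare_exchange_strong(&queue[i].state, &expected, SLOT_CLAIMED))
                continue;
            queue[i].nr = nr;
            queue[i].args[0] = a0; queue[i].args[1] = a1; queue[i].args[2] = a2;
            queue[i].args[3] = queue[i].args[4] = queue[i].args[5] = 0;
            atomic_store(&queue[i].state, SLOT_SUBMITTED);
            return i;
        }
        /* queue full: SCONE would run another application thread here */
    }
}

/* Enclave side: non-blocking completion check; copies the return value in. */
static int enclave_poll(int slot, long *ret) {
    if (atomic_load(&queue[slot].state) != SLOT_DONE) return 0;
    *ret = queue[slot].ret;
    atomic_store(&queue[slot].state, SLOT_FREE);
    return 1;
}

/* Enclave side: instead of blocking in the OS, keep doing other work (here a
 * counter stands in for running another application thread) until the result arrives. */
static long enclave_wait(int slot, unsigned long *other_work) {
    long ret;
    while (!enclave_poll(slot, &ret)) (*other_work)++;
    return ret;
}

/* Round-trips an enclave-private string through a pipe using only queued
 * system calls. Returns the number of bytes read back (expected 18), or -1. */
long demo_async_syscalls(void) {
    const char secret[] = "hello from enclave";   /* lives in enclave memory */
    const size_t len = sizeof(secret) - 1;
    char inside[sizeof untrusted_io_buf];
    unsigned long other_work = 0;
    long ret, result = -1;
    int rfd, wfd, slot;
    pthread_t tid;

    atomic_store(&stop_requested, 0);
    if (pthread_create(&tid, NULL, syscall_thread, NULL) != 0) return -1;

    /* pipe2(): pointer arguments must refer to untrusted memory; the memory-based
     * result is sanity-checked, then copied into the enclave. */
    slot = enclave_submit(SYS_pipe2, (long)(uintptr_t)untrusted_fds, 0, 0);
    ret = enclave_wait(slot, &other_work);
    rfd = untrusted_fds[0]; wfd = untrusted_fds[1];
    if (ret != 0 || rfd < 0 || wfd < 0) goto out;

    /* write(): enclave-private data is copied out to the bounce buffer first. */
    memcpy(untrusted_io_buf, secret, len);
    slot = enclave_submit(SYS_write, wfd, (long)(uintptr_t)untrusted_io_buf, (long)len);
    if (enclave_wait(slot, &other_work) != (long)len) goto out;

    /* read(): the returned length is checked against the buffer before any byte
     * is copied in; a malicious OS could otherwise provoke an out-of-bounds copy. */
    memset(untrusted_io_buf, 0, sizeof untrusted_io_buf);
    slot = enclave_submit(SYS_read, rfd, (long)(uintptr_t)untrusted_io_buf,
                          (long)sizeof untrusted_io_buf);
    ret = enclave_wait(slot, &other_work);
    if (ret < 0 || (size_t)ret > sizeof inside) goto out;
    memcpy(inside, untrusted_io_buf, (size_t)ret);
    if ((size_t)ret == len && memcmp(inside, secret, len) == 0) result = ret;
    close(rfd); close(wfd);
out:
    atomic_store(&stop_requested, 1);
    pthread_join(tid, NULL);
    return result;
}

int main(void) {
    printf("bytes round-tripped through the syscall queue: %ld\n", demo_async_syscalls());
    return 0;
}
```

The three checks in `demo_async_syscalls` (non-negative descriptors, a write count equal to the request, a read count no larger than the buffer) are the kind of sanity checks SCONE performs on memory-based return values before the application sees them; omitting the read-length check is exactly how an untrusted OS would turn a benign `read` into an out-of-bounds write inside the enclave.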
SCONE also integrates with existing Docker container environments and guarantees that secure containers comply with the Linux container standard. The host operating system needs the Linux SGX driver and, to increase performance, a SCONE kernel module. Notably, SCONE does not require any functionality from the Intel Linux SDK other than the Linux SGX driver.