Archivio Istituzionale della RicercaContainerization techniques have become essential to develop and deploy distributed applications in a Cloud Computing scenario. Containers' popularity continues to grow due to their flexibility, lightness, and availability. Despite their advantages, containers offer less isolation than virtual machines since they share the host's kernel. Therefore, attacks on a container could compromise other containers on the same node, or the host system itself. Trustworthiness in containers' operations is strictly related to demonstration of their software integrity and proper configuration, as these things are vital for early detection of tampering and breaches, and for fast response to attacks. The Trusted Computing paradigm offers techniques to attest the trustworthiness of a physical node, but they are not directly usable to attest containers due to the virtualization layer. Our work leverages the recently introduced Linux IMA namespace to achieve container attestation. Since attestation reveals the list of software components and configurations, the privacy of this operation is crucial in a multi-tenant scenario. Our solution ensures that a tenant authorized to attest a given container has access exclusively to the information of that container and its dependencies. We integrated this solution into an existing attestation framework to create a complete solution for privacy-preserving container integrity verification in a multi-tenant scenario. Our approach offers low latency for event measurement and a fast verification process, regardless of the number of containers or the containerization technology used.
Privacy-Preserving Container Attestation / Ferro, Lorenzo; Bravi, Enrico; Sisinni, Silvia; Lioy, Antonio. - In: JOURNAL OF NETWORK AND SYSTEMS MANAGEMENT. - ISSN 1064-7570. - 34:(2026). [10.1007/s10922-025-09982-5]
Privacy-Preserving Container Attestation
Ferro, Lorenzo;Bravi, Enrico;Sisinni, Silvia;Lioy, Antonio
2026
Abstract
Containerization techniques have become essential to develop and deploy distributed applications in a Cloud Computing scenario. Containers' popularity continues to grow due to their flexibility, lightness, and availability. Despite their advantages, containers offer less isolation than virtual machines since they share the host's kernel. Therefore, attacks on a container could compromise other containers on the same node, or the host system itself. Trustworthiness in containers' operations is strictly related to demonstration of their software integrity and proper configuration, as these things are vital for early detection of tampering and breaches, and for fast response to attacks. The Trusted Computing paradigm offers techniques to attest the trustworthiness of a physical node, but they are not directly usable to attest containers due to the virtualization layer. Our work leverages the recently introduced Linux IMA namespace to achieve container attestation. Since attestation reveals the list of software components and configurations, the privacy of this operation is crucial in a multi-tenant scenario. Our solution ensures that a tenant authorized to attest a given container has access exclusively to the information of that container and its dependencies. We integrated this solution into an existing attestation framework to create a complete solution for privacy-preserving container integrity verification in a multi-tenant scenario. Our approach offers low latency for event measurement and a fast verification process, regardless of the number of containers or the containerization technology used.
| File | Dimensione | Formato | |
|---|---|---|---|
|
s10922-025-09982-5.pdf
accesso aperto
Tipologia:
2a Post-print versione editoriale / Version of Record
Licenza:
Creative commons
Dimensione
1.8 MB
Formato
Adobe PDF
|
1.8 MB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/11583/3003454