Description
Protecting confidentiality of data is crucial in most IT domains. Therefore, storage encryption has become prevalent. The protection of data integrity, however, is often overlooked. Without proper measures to ensure integrity, a system is vulnerable to accidental corruption and intentional manipulation of data. In this thesis we analyze and improve code and data integrity in the open source OS-level virtualization solution trust|me. The analysis of trust|me’s existing security mechanisms reveals that the integrity of containers is only partially measured and enforced. Therefore, we propose a design to improve the integrity protection of containers. The design utilizes the device mapper subsystem of the Linux kernel to combine container encryption and authentication using Authenticated Encryption with Associated Data.