Container Attestation with Linux IMA namespaces

In contemporary times, containers play a crucial role in various fields, including cloud computing and microservices, among others. Their popularity continues to grow due to their flexibility, simplified deployment, compatibility with multiple operating systems, rapid availability, and precise allocation of computational resources in microservices. Ensuring the integrity and proper configuration of software on containers is vital for early detection of tampering and breaches, allowing for prompt response to attacks. Remote Attestation is a process through which an external entity evaluates the trustworthiness of a computational node. While effective for physical nodes, it's not yet well-established for virtual nodes, such as containers. Some proposals have been made to address this issue, but they face challenges, such as inability to verify closed containers, scalability and performance concerns. The current direction in Linux development is to create a new namespace for the Integrity Measurement Architecture. This thesis aims to leverage this choice by proposing a solution for conducting container attestation based on the IMA namespace. This proposed solution entails modifications to the IMA mechanism to enable remote attestation of a container without divulging information to external parties independently from its status. To ensure the integrity of the containers' list and prevent the establishment of a namespace for unmonitored program execution each time an event occurs, a record of the event is maintained within its parent chain. This includes the namespace that initiated the target, the one that created the parent, and so on, all the way up to the host. This process is conducted without storing specific details about the nature of the event in a manner that allows for continuous traceability while maintaing containers' privacy. The Keylime framework has been adjusted to support this modified version of IMA for attestation. Tests have demonstrated the low latency of the measurement and attestation mechanism, regardless of the number of containers running on the machine. Importantly, this solution is independent of containerization technology.