Towards a trustworthy container platform and orchestration framework
I will start the PhD with a project where I investigate the state of the art for in-process isolation techniques for enclaves that execute in Trusted Execution Environments and that are used in the context of containerized service deployments in mobile edge computing. Edge computing is a paradigm that provides execution resources (compute and storage) for applications with networking close to the end users, typically within or at the boundary of operator networks. In 5G systems, many enterprise and IoT services will rely on edge computing. Of course, these services require built-in security and privacy-preserving techniques at the architectural level. Trusted Execution Technology readily provides such support by means of remote attestation and run-time protection of services, albeit the granularity of isolation could be improved by further compartmentalizing a service and minimizing that service's Trusted Computing Base.

My initial research project aims to answer the question of to what extent containers can be efficiently deployed in enclaves with additional, more fine-grained isolation primitives in place. Based on a 5G-related use case that involves a security- or privacy-critical cloud/edge service, I will study the effects of enclaved container deployment and additional in-enclave compartmentalization with processor features such as Memory Protection Keys. Use cases for this idea are currently developed in 5GhOSTS, together with specific security and performance requirements. My research hypothesis is that such an extended enclave can help to implement stringent security requirements with acceptable performance penalties.