Towards Efficient End-to-End Encryption for Container Checkpointing Systems
Authors: 
Radostin Stoyanov, Adrian Reber, Daiki Ueno, Michał Clapiński, Andrei Vagin, Rodrigo BrunoAuthors Info & Claims
Radostin Stoyanov, Adrian Reber, Daiki Ueno, Michał Clapiński, Andrei Vagin, Rodrigo BrunoAuthors Info & ClaimsPages 60 - 66
Abstract
Container checkpointing has emerged as a new paradigm for task migration, preemptive scheduling and elastic scaling of microservices. However, as soon as a snapshot that contains raw memory is exposed through the network or shared storage, sensitive data such as keys and passwords may become compromised. Existing solutions rely on encryption to protect data included in snapshots but by doing so prevent important performance optimizations such as memory de-duplication and incremental checkpointing. To address these challenges, we design and implement CRIUsec, an efficient end-to-end encryption scheme for container checkpointing systems built on the open-source CRIU (Checkpoint/Restore In Userspace). Our preliminary evaluation shows that CRIUsec integrates seamlessly with popular container platforms (Docker, Podman, Kubernetes), and compared to existing solutions, achieves an average of 1.57× speedup for memory-intensive workloads, and can be up to 100× faster for compute-intensive workloads.
References
[1]
Adrian Reber. 2023. Forensic container checkpointing in Kubernetes. https://kubernetes.io/blog/2022/12/05/forensic-container-checkpointing-alpha/ Accessed: 2023-08-15.
[2]
Adrian Reber. 2023. Kubelet Checkpoint API. https://kubernetes.io/docs/reference/node/kubelet-checkpoint-api/ Accessed: 2023-08-15.
[3]
Amazon. 2024. Use checkpoints in Amazon SageMaker. https://docs.aws.amazon.com/sagemaker/latest/dg/model-checkpoints.html
[4]
Jason Ansel, Kapil Arya, and Gene Cooperman. 2009. DMTCP: Transparent checkpointing for cluster computations and the desktop. In 2009 IEEE International Symposium on Parallel & Distributed Processing. 1--12. https://doi.org/10.1109/IPDPS.2009.5161063
[5]
CRIU. 2024. Checkpoint/Restore In Userspace. https://criu.org/Accessed: 2024-03-21.
[6]
OpenSSL Project Developers. 2024. OpenSSL. OpenSSL Project. https://www.openssl.org/
[7]
Docker. 2024. Docker Checkpoint. https://docs.docker.com/reference/cli/docker/checkpoint/
[8]
Pavel Emelyanov. 2016. Implement asynchronous mode of reading pages. https://github.com/checkpoint-restore/criu/commit/8f2b2c7f0baa491331bdcde915d3278bf624d459.
[9]
Apache Software Foundation. 2024. Apache Flink Checkpoints. https://nightlies.apache.org/flink/flink-docs-master/docs/ops/state/checkpoints/. Accessed: 2024-07-14.
[10]
The Apache Software Foundation. 2024. ApacheBench - A Benchmarking Tool for HTTP Servers. https://httpd.apache.org/docs/2.4/programs/ab.html Accessed: 21-04-2024.
[11]
Sumer Kohli, Shreyas Kharbanda, Rodrigo Bruno, Joao Carreira, and Pedro Fonseca. 2024. Pronghorn: Effective Checkpoint Orchestration for Serverless Hot-Starts. In Proceedings of the Nineteenth European Conference on Computer Systems (Athens, Greece) (EuroSys '24). Association for Computing Machinery, New York, NY, USA, 298--316. https://doi.org/10.1145/3627703.3629556
[12]
Jack Li, Calton Pu, Yuan Chen, Vanish Talwar, and Dejan Milojicic. 2015. Improving Preemptive Scheduling with Application-Transparent Checkpointing in Shared Clusters. In Proceedings of the 16th Annual Middleware Conference (Vancouver, BC, Canada) (Middleware '15). Association for Computing Machinery, New York, NY, USA, 222--234. https://doi.org/10.1145/2814576.2814807
[13]
Victor Marmol and Andy Tucker. 2018. Task Migration at Scale Using CRIU. Linux Plumbers Conference. https://lpc.events/event/2/contributions/69/ Accessed: 2024-01-30.
[14]
Jayashree Mohan, Amar Phanishayee, and Vijay Chidambaram. 2021. CheckFreq: Frequent, Fine-Grained DNN Checkpointing. In 19th USENIX Conference on File and Storage Technologies (FAST 21). USENIX Association, USA, 203--216. https://www.usenix.org/conference/fast21/presentation/mohan
[15]
Ritesh Naik. 2021. Container Checkpoint/Restore at Scale for Fast Pod Startup Time. https://kccncna2021.sched.com/event/lV0Y/container-checkpointrestore-at-scale-for-fast-pod-startup-time-ritesh-naik-mathworks
[16]
Hyochang Nam, Jong Kim, Sung Je Hong, and Sunggu Lee. 2003. Secure checkpointing. Journal of Systems Architecture 48, 8 (2003), 237--254. https://doi.org/10.1016/S1383-7621(02)00137-6
[17]
National Vulnerability Database (NVD). 2024. CVE-2024-21626. https://github.com/advisories/GHSA-xr7r-f8xq-vfvv GitHub repository.
[18]
CRIU Project. 2019. Statistics. https://criu.org/Statistics Accessed: 2024-04-23.
[19]
GNU Project. 2024. GNU Privacy Guard (GnuPG). GnuPG Project. https://www.gnupg.org/
[20]
Adrian Reber. 2024. Podman Checkpoint. https://docs.podman.io/en/latest/markdown/podman-container-checkpoint.1.html
[21]
Prakhar Sah and Matthew Hicks. 2023. Hitchhiker's Guide to Secure Checkpointing on Energy-Harvesting Systems. In Proceedings of the 11th International Workshop on Energy Harvesting & Energy-Neutral Sensing Systems (ENSsys '23). Association for Computing Machinery, New York, NY, USA, 8--15. https://doi.org/10.1145/3628353.3628542
[22]
Dharma Shukla, Muthian Sivathanu, Srinidhi Viswanatha, Bhargav Gulavani, Rimma Nehme, Amey Agrawal, Chen Chen, Nipun Kwatra, Ramachandran Ramjee, Pankaj Sharma, Atul Katiyar, Vipul Modi, Vaibhav Sharma, Abhishek Singh, Shreshth Singhal, Kaustubh Welankar, Lu Xun, Ravi Anupindi, Karthik Elangovan, Hasibur Rahman, Zhou Lin, Rahul Seetharaman, Cheng Xu, Eddie Ailijiang, Suresh Krishnappa, and Mark Russinovich. 2022. Singularity: Planet-Scale, Preemptive and Elastic Scheduling of AI Workloads. arXiv:2202.07848 [cs.DC]
[23]
Radostin Stoyanov. 2019. Secure Image-less Container Migration. Linux Plumbers Conference. https://lpc.events/event/4/contributions/478/ Accessed: 2023-01-30.
[24]
Radostin Stoyanov and Martin J. Kollingbaum. 2018. Efficient Live Migration of Linux Containers. In High Performance Computing, Rio Yokota, Michèle Weiland, John Shalf, and Sadaf Alam (Eds.). Springer International Publishing, Cham, 184--193.
[25]
Filippo Valsorda. 2024. age: A Simple, Modern and Secure File Encryption Tool. Age Encryption. https://github.com/FiloSottile/age
[26]
Kenton Varda. 2008. Protocol Buffers: Google's Data Interchange Format. Technical Report. Google. https://opensource.googleblog.com/2008/07/protocol-buffers-googles-data.html
[27]
Ranjan Sarpangala Venkatesh, Till Smejkal, Dejan S. Milojicic, and Ada Gavrilovska. 2019. Fast in-memory CRIU for docker containers. In Proceedings of the International Symposium on Memory Systems (Washington, District of Columbia, USA) (MEMSYS '19). Association for Computing Machinery, New York, NY, USA, 53--65. https://doi.org/10.1145/3357526.3357542
[28]
Nicolas Viennot. 2020. Fast checkpointing with criu-image-streamer. Linux Plumbers Conference. https://lpc.events/event/7/contributions/641/ Accessed: 2023-01-30.
[29]
Christian Wimmer, Codrut Stancu, Peter Hofer, Vojin Jovanovic, Paul Wögerer, Peter B. Kessler, Oleg Pliss, and Thomas Würthinger. 2019. Initialize once, start fast: application initialization at build time. Proc. ACM Program. Lang. 3, OOPSLA, Article 184 (oct 2019), 29 pages. https://doi.org/10.1145/3360610
[30]
Diyu Zhou and Yuval Tamir. 2020. Fault-Tolerant Containers Using NiLiCon. In 2020 IEEE International Parallel and Distributed Processing Symposium (IPDPS). Institute of Electrical and Electronics Engineers (IEEE), New Orleans, LA, USA, 1082--1091. https://doi.org/10.1109/IPDPS47924.2020.00114
Index Terms
- Towards Efficient End-to-End Encryption for Container Checkpointing Systems
Index terms have been assigned to the content through auto-classification.
Recommendations
Reliable and Efficient Distributed Checkpointing System for Grid Environments
In Fine-Grained Cycle Sharing (FGCS) systems, machine owners voluntarily share their unused CPU cycles with guest jobs, as long as their performance degradation is tolerable. However, unpredictable evictions of guest jobs lead to fluctuating completion ...
Fast and space-efficient virtual machine checkpointing
VEE '11: Proceedings of the 7th ACM SIGPLAN/SIGOPS international conference on Virtual execution environmentsCheckpointing, i.e., recording the volatile state of a virtual machine (VM) running as a guest in a virtual machine monitor (VMM) for later restoration, includes storing the memory available to the VM. Typically, a full image of the VM's memory along ...
Fast and space-efficient virtual machine checkpointing
VEE '11Checkpointing, i.e., recording the volatile state of a virtual machine (VM) running as a guest in a virtual machine monitor (VMM) for later restoration, includes storing the memory available to the VM. Typically, a full image of the VM's memory along ...
Comments
Information & Contributors
Information
Published In
September 2024
150 pages
ISBN:9798400711053
DOI:10.1145/3678015
Copyright © 2024 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 04 September 2024
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Funding Sources
- EPSRC
Conference
APSys '24
Sponsor:
Acceptance Rates
APSys '24 Paper Acceptance Rate 20 of 44 submissions, 45%;
Overall Acceptance Rate 169 of 430 submissions, 39%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 106Total Downloads
- Downloads (Last 12 months)106
- Downloads (Last 6 weeks)83
Reflects downloads up to 23 Oct 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in