{"updated":"2025-01-19T10:14:09.988068+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00233036","sets":["1164:4088:11480:11520"]},"path":["11520"],"owner":"44499","recid":"233036","title":["異種OS機能連携によるセキュアコンテナ実現に向けたFreeBSD上でのCNI準拠コンテナネットワーキングの実現"],"pubdate":{"attribute_name":"公開日","attribute_value":"2024-03-05"},"_buckets":{"deposit":"90c83906-424c-4cc7-b0ac-d5436387d093"},"_deposit":{"id":"233036","pid":{"type":"depid","value":"233036","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"異種OS機能連携によるセキュアコンテナ実現に向けたFreeBSD上でのCNI準拠コンテナネットワーキングの実現","author_link":["632047","632049","632050","632045","632051","632052","632046","632048"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"異種OS機能連携によるセキュアコンテナ実現に向けたFreeBSD上でのCNI準拠コンテナネットワーキングの実現"},{"subitem_title":"Implementing CNI-conformed Container Networking on FreeBSD Toward Container Plantation Among Heterogeneous OSes","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"IOT-B","subitem_subject_scheme":"Other"}]},"item_type_id":"4","publish_date":"2024-03-05","item_4_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"公立はこだて未来大学"},{"subitem_text_value":"公立はこだて未来大学"},{"subitem_text_value":"さくらインターネット株式会社"},{"subitem_text_value":"公立はこだて未来大学"}]},"item_4_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Future University Hakodate","subitem_text_language":"en"},{"subitem_text_value":"Future University Hakodate","subitem_text_language":"en"},{"subitem_text_value":"SAKURA internet inc.","subitem_text_language":"en"},{"subitem_text_value":"Future University 
Hakodate","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/233036/files/IPSJ-IOT24064016.pdf","label":"IPSJ-IOT24064016.pdf"},"date":[{"dateType":"Available","dateValue":"2026-03-05"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-IOT24064016.pdf","filesize":[{"value":"1.0 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"43"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"09b40334-2094-45a4-8439-de781afb6c1c","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2024 by the Information Processing Society of Japan"}]},"item_4_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"坂口, 颯麻"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"鈴木, 進太郎"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"中田, 裕貴"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"松原, 克弥"}],"nameIdentifiers":[{}]}]},"item_4_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Souma, Sakaguchi","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Shintaro, Suzuki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Yuki, Nakata","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Katsuya, 
Matsubara","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_4_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AA12326962","subitem_source_identifier_type":"NCID"}]},"item_4_textarea_12":{"attribute_name":"Notice","attribute_value_mlt":[{"subitem_textarea_value":"SIG Technical Reports are nonrefereed and hence may later appear in any journals, conferences, symposia, etc."}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_18gh","resourcetype":"technical report"}]},"item_4_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"2188-8787","subitem_source_identifier_type":"ISSN"}]},"item_4_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"クラウドコンピューティング基盤における軽量なアプリケーション実行環境として,コンテナ型仮想化が広く活用されている.コンテナをマルチテナント・クラウドで利用する場合,OS カーネル共有に起因する脆弱性回避のために,追加で堅牢なコンテナ間隔離が必要となる.著者らは,FreeBSD 上で Linux コンテナ実行環境を実現することで,追加の隔離にかかるオーバヘッドを最小化しつつ,OS カーネルの脆弱性に対する攻撃の回避を行う手法を提案している.本提案手法では,コンテナ内のアプリケーションやユーザから異種 OS 上で動作していることを隠蔽できることが,攻撃回避成功の要となっている.しかし,本手法が異種 OS として採用する FreeBSD では,コンテナのネットワーク分離を実現できる vnet 機能が,Linux コンテナでネットワーク分離に用いられている Network Namespace 機能と互換性がないことが課題となっている.特に,Kubernetes の Pod などで必要となる,複数のコンテナ間で共有されたネットワーク空間を実現することが難しい.本研究では,jail の入れ子構造の仕組みを活用して,FreeBSD 上で Linux Network Namespace 互換機能を実装し,コンテナランタイムから CNI 仕様に準拠したコンテナネットワーキング制御を可能にすることで,異種 OS 上での動作を隠蔽できる Linux 互換コンテナネットワーキングを実現する.","subitem_description_type":"Other"}]},"item_4_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Container-based virtualization is widely used as a lightweight application execution environment in cloud computing platforms. When containers are used in a multi-tenant cloud, containers need additional isolation to avoid vulnerabilities caused by OS kernel sharing. 
We have proposed a method to realize a Linux container execution environment on FreeBSD to avoid attacks against containers. The key to the success of the proposed method is to hide the fact that it is running on a heterogeneous OS from the applications or users in the container. FreeBSD, a heterogeneous OS, provides container network isolation with vnet. However, the issue is that vnet is not compatible with Network Namespace, which is used for network isolation in Linux. We implement Linux-compatible container networking through a Network Namespace-compatible implementation and container networking control compliant with the CNI specification.","subitem_description_type":"Other"}]},"item_4_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"7","bibliographic_titles":[{"bibliographic_title":"研究報告インターネットと運用技術(IOT)"}],"bibliographicPageStart":"1","bibliographicIssueDates":{"bibliographicIssueDate":"2024-03-05","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"16","bibliographicVolumeNumber":"2024-IOT-64"}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"created":"2025-01-19T01:34:14.805540+00:00","id":233036,"links":{}}