Design Scheme of a Docker Container File Isolation against Computer Virus Spreading

With the spread of computers and the Internet of Things, the destructive power of viruses is gradually becoming stronger, threatening people's daily lives. In order to effectively restrain virus spreading and reduce economic losses, we need to understand the laws of virus distribution and control it. Docker has obtained significant attention as a lightweight virtualization container technology. Compared to traditional virtualization technologies, docker has the advantages of fast deployment, low resource consumption, and high migration capability. Given the differences between the various virtualization technologies, and combining them with the characteristics of electric power systems, this paper designs a file isolation scheme based on docker containers. The isolation scheme can reduce the high dependence on the underlying operating system in current application deployments of electric power systems and facilitate secure access to the file system between containers.


Introduction
The spreading dynamics of computer viruses has become a new interdisciplinary subject. Through dynamic system modeling, we can understand the law of virus distribution and provide an effective virus containment strategy. Different kinds of computer viruses possess different functions, which can cause huge losses to national security and property. Some computer viruses can damage software and hardware resources, including invading financial systems and stealing funds, tampering with data, and misleading administrators. Moreover, some computer viruses can affect implanted medical chips and harm human health. Therefore, more and more researchers propose schemes to prevent the spread of viruses.
A virus attack on the power system would potentially bring down the power infrastructure and thus affect daily life. In Ukraine, an attack on the power system led to widespread power outages in 2015 [1]. It is therefore important to monitor the power grid [2], to remove the risk of potential attack. While detecting, appropriate risk assessment strategies should be developed to quantify the risk thresholds [3] so that possible risks can be addressed promptly. At the same time, setting different security levels for nodes in the grid system can also contain the spread of viruses to a certain extent [4]. Among current research solutions, most of the attacks on the grid are detected using more advanced artificial intelligence algorithms [5]. However, the detection of the system does not allow for the complete isolation of viruses between systems, and it is possible that viruses can only be detected when they are already a serious threat to the operational security of the power system.
With the development of information technology and the construction of national information projects, more application systems and related software are gradually becoming dissatisfied with the current deployment method [6]. In order to improve the utilization of each hardware resource, and to get rid of the over-reliance on the underlying operating system in the power system, the national grid information system is vigorously promoting the solution of deploying traditional application systems to the cloud through virtualization technology. The cloud-based deployment solution also enables the formation of different security levels between different power systems, which will effectively stop the spread of viruses between power systems by forming different security differentials.
Traditional application deployment based on power systems does not show too many shortcomings in a single application deployment and a small number of task management. However, when the amount of management tasks needs to dynamically change and migrate tasks, this deployment scheme will show its shortcomings of the bulky deployment.
The problems can be effectively resolved by deploying applications in docker containers [7], which is the mainstream solution in the current virtualization direction [8]. However, docker container-based application deployment solutions have their own potential problems. For example, docker container technology, as an operating system-level virtualization technology, suffers from incomplete isolation between the container and the host, cumbersome security reinforcement, and other problems, so that there are potential dangers such as container escape, paralysis of the container and the host, and leakage of core data [9]. The construction of electric power systems, as a national infrastructure-level construction, is particularly important in terms of security requirements. In this paper, based on the current potential dangers of docker containers in file isolation and the high security requirements of that construction, we design a docker container-based file system isolation scheme and prove through theoretical derivation that the scheme can effectively guarantee the isolation requirements of the file system in docker containers.

Docker System Architecture
Docker is a high-level container engine technology based on LXC (Linux Container), developed and open-sourced by DotCloud, which is the mainstream solution for virtualization [10]. LXC [11] is a kernel virtualization technology that provides lightweight virtualization for resource and process isolation. Docker and traditional virtualization technologies are both based on the isolation and reallocation of host resources, but docker's virtualization solution is fundamentally different from the traditional ones.

Comparison of Docker and Traditional Virtualization Solutions
Among the traditional virtualization solutions (VMware, KVM), VMware is based on a fully virtualized design architecture, designed with the idea that the virtual machine virtualizes the entire underlying environment [12]. KVM, in contrast, is an architecture based on hardware-assisted virtualization, which implements virtualization operations through hardware support for processing sensitive instructions. Both of these make the operating system of the virtual machine completely independent from the host, and although virtual machines under this architecture are very well isolated, they are very heavy virtualization operations. In contrast, docker's design architecture of host-level, kernel-based virtualization allows for more lightweight virtualization. Figure 1 shows how the design architecture of docker container virtualization differs from the design architecture of traditional technologies [13].

Namespaces.
The basis for the isolation between Linux containers, and between containers and hosts, is the namespace (NameSpace) in the Linux kernel. The mutual isolation of resources between different namespaces in Linux is the basis for container virtualization [14]. Linux supports the following six different namespaces [15].
(1) UTS Namespace: system information such as the host name, system version number, and system name is recorded in the UTS namespace, which enables the isolation of host names and domain names between containers, allowing each to have its own host name and domain name. This enables each container to be seen as an independent node in the overall network architecture.
(2) Network NameSpace: the role of this namespace is to isolate the container's network resources so that each container has its own independent network environment, including IP routing tables, firewalls, and network devices.
(3) PID NameSpace: the role of this namespace is to isolate process numbers between different containers, ensuring that the process numbers of one container are not visible to another, which is of great significance for resource isolation. Its tree structure achieves process number isolation: processes in the same PID namespace are visible to each other, processes in different PID namespaces are isolated from each other, and the processes in the container are isolated from the host's processes.
(4) Mount NameSpace: this namespace enables each container to have a separate file system and also enables the container to open a shared directory.
(5) IPC NameSpace: the Mount namespace restricts access to the file system within containers and between containers and the host, but interaction is still possible by means of inter-process communication. IPC stands for inter-process communication, which is carried out in Linux systems by means of semaphores, shared memory, and message queues. The IPC namespace gives containers separate identifiers to isolate intercontainer process communication.
(6) User NameSpace: this namespace achieves the isolation of security-related identifiers, mainly system user IDs and the user group IDs related to user permissions, to facilitate the management of users and groups; the root user in the container does not have special privileges on the host, thus securing operation on the host.

Resource Isolation Design in Grid systems
The construction of virtualization in the power grid system makes the virtualization of devices and the clouding of applications the current trend. How to design the file isolation scheme between applications deployed in different docker containers, and the file isolation scheme across different docker clusters, is crucial to guarantee the secure operation of the file system in the power system. The file isolation mechanism of docker itself may have the problem of cross-access to file resources between different containers in a complex grid system [16]. To address this problem, this paper proposes a file resource isolation scheme for docker containers in power grid systems.

Multilevel Container Resource Isolation Method Design.
Before designing the scheme, we define the subject and object of the file isolation scheme. The subjects of file isolation are the different clusters $R_i$ ($1 < i < n$) and the docker containers $C_i$ ($1 < i < n$) in the different clusters. The objects of isolation are the disk files in the different clusters; these disk files, belonging to different subjects, can be divided into: disk files isolated between clusters $SF_i$ ($1 < i < n$), disk files shared between clusters $RF_i$ ($1 < i < n$), files inside containers $CF_i$ ($1 < i < n$), and shared data volumes between containers and disks $DF_i$ ($1 < i < n$).
In the text, cluster $(R, O)$ denotes the cluster environment in container $i$, where $O$ denotes the set of isolated objects; the relation $\mathrm{READ}: R \to O$ denotes the set of files readable by $R$, and $\mathrm{WRITE}: R \to O$ denotes the set of files that $R$ can write; $AU: R \to P$ denotes the security level of $R$, and $AU: D \to P$ denotes the security level of $D$, where $P \in \{P_1, P_2, \ldots\}$, and $P_1 > P_2$ denotes that security level $P_1$ is above $P_2$.

Multilevel Container Resource Isolation Policy Design.
The container file resource isolation policy is customized based on the subject-object relationship of container isolation defined above.

Policy 1. The range of readable and writable files for a container is the container's own files and the shared files of the host to which the container belongs.
Policy 2. When multiple containers are at different security levels, when operating on their shared data volumes, only the container with the highest security level has write access, and the containers at the other security levels only have read access.
According to the proposed policy, when different containers access the files of a shared data volume on a common host, the permission restriction of the proposed policy ensures that, for sensitive files accessed together by containers with different permission levels, only the container with the highest level has write permission, while the other containers only have read permission; since a read operation does not change the file content, the security of the file content is ensured. Figure 2 shows the flowchart of isolated file identification.

Implementation of Resource Isolation in Grid Systems
In the cloud environment, various grid devices (such as energy meters, collection terminals, and digital meters) and related processes can rely on docker deployment and use the multilevel container resource isolation scheme designed above to ensure that each piece of software has an independent space, as well as the security of the files of containers with a high security level during the interaction between different pieces of software. As shown in Figure 3, each host sets the security level of the containers inside it through the host's configuration file; the containers inside the host mount their files on the host through the files shared with the host, and the security level among the internal files is set according to the security level of the containers. The host exchanges its own files with the host holding the highest security level in the cluster, via the host configuration file, to realize the interaction of file systems in the cluster.

Container File Isolation Security Check.
The operations for interaction between the hosts in a multilevel container system, and between hosts and containers, are defined in a centralized manner. In grid systems, information read and write operations between devices always tend to aggregate information from the bottom device to the top device, while the bottom device often does not have write access to the file system of the top device. The distribution of device instructions usually flows from the higher-level devices to the bottom-level devices.
We set $R_0$ as the host that represents the center of the cluster and implements the aggregation of the files of the other hosts in the cluster and of the containers in those hosts. The global configuration file sets the security level of each host. The security level of the different containers inside a host is set by that host's configuration file. Let there be containers $D_1, D_2, D_3, D_4$ inside host $R_1$, with $AU(D_1) > AU(D_2)$, $AU(D_1) > AU(D_4)$, $AU(D_2) > AU(D_3)$, and $AU(D_2) > AU(D_4)$. According to Policy 1 and Policy 2, it is obtained that
From the above derivation, we can see that the container with the highest security level can modify its own shared files mounted on the host and the shared files on the host of the other containers with a lower security level than itself. Containers with a lower security level cannot modify those shared files, thus ensuring the isolation of the shared files of the container with the highest security level. The containers at the other security levels can read the shared files of the containers and write the files of the containers with a lower security level, so that higher security level containers can distribute commands to lower security level containers.

Host File Isolation Security
The host with the highest security level has the responsibility of aggregating files from the other hosts and configuring the security policy between hosts so as to distribute instructions downwards. File interaction between hosts takes place through intercluster communication, so it is also necessary to ensure the security of file isolation during communication between hosts of different security levels according to Policy 1 and Policy 2. The file read/write relationship between the different hosts is
From the above relationship, it follows that
Then, from the above file relationship, it can be obtained that a host with a low security level can read the corresponding files from $R_0$, which realizes the distribution of instructions, while a low security level host has no permission to access part of the high security level files; at the write level, $R_0$ can read and write all the files of the lower level hosts, so that file information flows within the cluster and instructions are distributed. At the same time, the gathered data can be saved in a file that is accessible only by $R_0$ itself. Access to each file system in the cluster is ensured by a two-tier file isolation policy: a file isolation policy between containers within a host and a file isolation policy between hosts.
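As an added illustration, not code from the paper, the following Python models the two-tier scheme above: Policy 1 and Policy 2 applied to the container ordering of $R_1$ ($D_1 > D_2$, $D_1 > D_4$, $D_2 > D_3$, $D_2 > D_4$) and to the host ordering with $R_0$ at the center of the cluster. Security levels are kept as a partial order rather than numbers, so containers the paper does not order (such as $D_3$ and $D_4$) never gain write access to each other's volumes; the directory layout under /srv/shared, the function names, and the use of ro/rw bind-mount modes to enforce the policy are assumptions.

```python
# Added example: the paper's two-tier file isolation policy (Policy 1 / Policy 2)
# modelled as a partial order of security levels. Not the paper's own code; the
# /srv/shared layout and the function names are assumptions.

def transitive_closure(higher_than):
    """higher_than holds pairs (a, b) meaning AU(a) > AU(b).
    The closure adds derived pairs such as (D1, D3) from D1 > D2 > D3."""
    closure = set(higher_than)
    changed = True
    while changed:
        changed = False
        for a, b in list(closure):
            for c, d in list(closure):
                if b == c and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure

def access(subject, owner, closure, members):
    """Mode in which `subject` may open the shared volume of `owner`.
    Policy 1: only volumes of the host/cluster the subject belongs to (else None).
    Policy 2: write only for the owner itself or a strictly higher level;
    every other member of the same host/cluster gets read-only access."""
    same_group = any(subject in m and owner in m for m in members.values())
    if not same_group:
        return None
    if subject == owner or (subject, owner) in closure:
        return "rw"
    return "ro"

def mount_specs(subject, closure, members, root="/srv/shared"):
    """Bind-mount strings (host_path:container_path:mode) that enforce the
    policy at the Docker level: higher-level volumes ro, lower-level ones rw."""
    specs = []
    for group, m in members.items():
        if subject in m:
            for owner in sorted(m):
                mode = access(subject, owner, closure, members)
                specs.append(f"{root}/{group}/{owner}:/data/{owner}:{mode}")
    return specs

# Constructed data: host R1 with the container ordering given in the paper,
# and a cluster whose center host R0 is above hosts R1 and R2.
CONTAINER_ORDER = {("D1", "D2"), ("D1", "D4"), ("D2", "D3"), ("D2", "D4")}
HOST_ORDER = {("R0", "R1"), ("R0", "R2")}
CONTAINERS = {"R1": {"D1", "D2", "D3", "D4"}}
HOSTS = {"cluster": {"R0", "R1", "R2"}}

if __name__ == "__main__":
    cc, hc = transitive_closure(CONTAINER_ORDER), transitive_closure(HOST_ORDER)
    for s in sorted(CONTAINERS["R1"]):
        print(s, mount_specs(s, cc, CONTAINERS))   # container tier
    for h in sorted(HOSTS["cluster"]):
        print(h, mount_specs(h, hc, HOSTS))        # host tier
```

Running it prints, for each container and host, the mount list it would receive; D1 gets every R1 volume rw, while D3 and D4 get only their own volume rw and all others ro.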

Conclusion
In recent years, the spreading dynamics of computer viruses, as a popular research topic in network science, has entered a period of rapid development. Through dynamic system modeling, we can explore the propagation law of computer viruses and provide a basis for formulating countermeasures.
By deploying the applications in the grid system in docker containers and using the file isolation scheme designed in this paper, which is based on the isolation features of docker, we can effectively ensure the independence and security of the file system between different containers, assign security levels to containers and hosts according to the configuration file, and realize file isolation between containers and hosts of different security levels. By achieving isolation between containers of different security levels, the spread of viruses between containers is contained to a certain extent and the grid system is protected. However, when the grid system is not deployed with docker, the isolation scheme proposed in this paper cannot be applied.
At the same time, further work will go beyond file system isolation: the design of an isolation method for system operation rights has not been explored in the current study, and in future work the isolation of operation rights, combined with the file system isolation studied in this paper, can further protect the security of the power system.

Data Availability
The datasets used in this study are available from the corresponding author upon request (zhengfeng@bupt.edu.cn (Feng Zheng)).

Conflicts of Interest
The authors declare that they have no conflicts of interest.