Columbia Technology Ventures

BlackBox: Secure containers for untrusted operating systems

This technology is a container architecture algorithm paired with Arm virtualization hardware that protects application data confidentiality and integrity on untrusted operating systems.

Unmet Need: Efficient method to safeguard application data on shared computing infrastructure

Conventional container architectures allow information to flow directly from containers to operating systems, which can be susceptible to malicious attacks, leading to high security risks. Approaches developed to enhance the security of application memory include hardware solutions and add-ons to hardware-based mechanisms, but these methods suffer from strict requirements on how applications are written and from large memory requirements, respectively. Hypervisors also offer protection by encrypting application memory, but they require enormous trusted computing bases.

The Technology: Algorithm to secure containers with minimized trusted computing base

This technology uses a container security monitor that eliminates the direct channel of information between the containers and the operating system by creating distinct physical address spaces for each container and for the operating system. Paired with Arm virtualization hardware, this algorithm has been shown to prevent attacks more effectively than conventional methods, while incurring only modest overheads.

Applications:

  • Protection of computer secrets and application data
  • Privacy and security enhancement
  • Prevention of malicious computer attacks

Advantages:

  • Improved security guarantee
  • Minimization of computing requirements
  • Isolated container architectures

Lead Inventor:

Jason Nieh, Ph.D.

Patent Information:

Patent Issued
