RContainer: A Secure Container Architecture through Extending ARM CCA Hardware Primitives

Qihang Zhou

Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · Confidential Computing 2

The proliferation of containers in modern cloud computing environments has brought significant benefits in terms of efficient deployment and high resource utilization. However, their inherent weak isolation mechanisms have consistently posed substantial security challenges. This talk, "RContainer: A Secure Container Architecture through Extending ARM CCA Hardware Primitives," presented by Qihang Zhou, addresses these critical security concerns by proposing a novel container architecture that leverages the advanced hardware primitives of **ARM Confidential Compute Architecture (CCA)**. The core problem RContainer seeks to solve is achieving strong isolation for containers, even against a compromised host OS, while simultaneously minimizing the **Trusted Computing Base (TCB)** and maintaining low performance overhead.

AI review

Solid systems security research with a genuine novel contribution: using ARM CCA's GPT primitives to enforce per-container isolation through a minimal EL1 mini OS and shim-style 'con-shim' architecture, with a TCB that's embarrassingly small (130 LoC at EL3) compared to prior art like Shelter. The prototype work is real, the CVE analysis methodology is sound, and the performance numbers are credible and meaningful.
