The invention provides a container isolation enhancement system based on ARM TrustZone. The system comprises a container management client, which runs on the client side; an untrusted operating system, an untrusted container management module and a trusted execution environment, which run in the normal world of the server side; and a page table management module, a register protection module, a system call hijacking module, a file system security enhancement module, an execution flow synchronization service security enhancement module, an interprocess communication service security enhancement module, a trusted container image downloading module and a secure container starting module, which run in the secure world of the server side. With this system, an existing application program runs securely on a malicious operating system that is completely controlled by an attacker, so that different applications of different users in the containers can communicate securely and synchronize control flow, and users do not need to make any modification to an existing container image.