Measuring container security

Posted Dec 13, 2018 12:03 UTC (Thu) by mato (guest, #964)
In reply to: Measuring container security by bergwolf
Parent article: Measuring container security

> The tests only showed the kernel functions accessed by specific workloads. I'm still missing the attack surface Nabla exposes. Is it something very strictly limited? If so, how many syscalls?

Nabla uses a modified version of Solo5 [1] for its low-level sandbox, using seccomp for the sandboxing instead of hardware virtualization. Through the use of unikernel (to be precise, library operating system) techniques, you can essentially run a POSIX-like environment in the "guest" with just 8 system calls. See our paper [2] for the technical details.

Disclaimer: I'm a co-author of Solo5; also, I do not work for IBM.

[1] https://github.com/Solo5/solo5
[2] https://dl.acm.org/citation.cfm?id=3267845


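As an added illustration of the seccomp-based sandboxing described in the comment above (example code, not Solo5's or Nabla's own), here is a minimal seccomp-BPF allowlist of the kind a Solo5-style tender installs: any system call outside the list fails closed before it reaches the kernel, which is what shrinks the kernel attack surface the question asks about. The five-entry allowlist is an assumption for demonstration, not Nabla's actual list, and the example covers x86_64 and aarch64 only.

```c
#define _GNU_SOURCE                 /* syscall(), fork(), prctl() prototypes */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)             /* example covers x86_64 and aarch64 only */
#define DEMO_ARCH AUDIT_ARCH_X86_64
#else
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#endif
/* Allow one syscall number; otherwise fall through to the next rule. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Assumed demo allowlist (not Solo5's real one); everything else is denied. */
static struct sock_filter filter[] = {
    /* Check the ABI first: compat mode uses different syscall numbers. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit_group),
    ALLOW(SYS_clock_gettime), ALLOW(SYS_ppoll),
    /* Fail closed with EPERM so the sandboxed code can observe the denial. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};
/* Fork, sandbox the child, then probe a syscall that is off the list.
 * Returns 1 when the denial is observed and the child still exits cleanly. */
int sandbox_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
        /* NO_NEW_PRIVS is what lets an unprivileged process install a filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) _exit(2);
        errno = 0;                                   /* getpid: expect EPERM */
        if (syscall(SYS_getpid) != -1 || errno != EPERM) _exit(3);
        _exit(0);                                    /* exit_group is allowed */
    }
    int status;
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```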

Measuring container security

Posted Dec 18, 2018 17:29 UTC (Tue) by iwan (subscriber, #108557)

> [2] https://dl.acm.org/citation.cfm?id=3267845
I was just going to post a link to your paper. I found it really interesting!
