Towards the Hardened Cloud-Native Cornerstone: Container Runtime Protection from Security to Privacy - Kailun Qin, Intel
Abstract
Containers, the de facto Cloud-Native vehicles carrying complex workloads today, nevertheless face increasing threats owing to their weaker threat model and isolation guarantees. The security concerns and mutual distrust over inter-container relations spread from the network to the system level, and even to the intra-container level or to distrust of Cloud admins and infrastructure. In this talk, we’ll start by reviewing the attack vectors of the container runtime and revisiting existing protections such as AppArmor, SELinux and seccomp, together with their limitations. Next, we’ll dive into the most recent advances in bringing kernel-aided (Landlock, Core Scheduling) and hardware-aided (Memory Protection Keys, Trusted Execution Environments) “magic” to containers against more advanced exploits. We’ll further discuss the adaptations required to the container runtime and image specs, as well as to policy enforcement, debugging, monitoring, logging and alerting management. Finally, we’ll share the “now and next” and real-world scenarios of hardened two-way sandboxes for both security and privacy.
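As an added illustration of the kernel-aided protection the abstract names (not material from the talk or from Intel), the following C program shows what Landlock adds on top of seccomp: an unprivileged process builds a filesystem ruleset, grants itself read-only access beneath one directory and then irrevocably restricts itself, without any policy file or root privilege. It assumes Linux 5.13+ UAPI headers (`<linux/landlock.h>`) and uses only the ABI v1 access rights; the probe paths `/usr` and `/etc/passwd` are assumed to exist. The probe runs in a forked child, so the caller stays unconfined, and the function reports "unavailable" rather than failing when the kernel lacks Landlock or a seccomp profile filters its syscalls.

```c
/* Added example (not from the talk): a minimal Landlock read-only sandbox. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/landlock.h>

/* Landlock syscalls have fixed numbers in the unified syscall table;
 * define them if this libc's headers predate Linux 5.13. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* Thin wrappers: glibc exposes no Landlock functions, only raw syscalls. */
static int ll_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, __u32 flags)
{ return (int)syscall(__NR_landlock_create_ruleset, attr, size, flags); }
static int ll_add_rule(int ruleset_fd, enum landlock_rule_type type, const void *attr, __u32 flags)
{ return (int)syscall(__NR_landlock_add_rule, ruleset_fd, type, attr, flags); }
static int ll_restrict_self(int ruleset_fd, __u32 flags)
{ return (int)syscall(__NR_landlock_restrict_self, ruleset_fd, flags); }

/* ABI v1 filesystem rights. Every right listed here is "handled" by the
 * ruleset: anything handled but not explicitly granted is denied. */
#define LL_ALL_FS_V1 (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | \
    LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | \
    LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | \
    LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | \
    LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | \
    LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
    LANDLOCK_ACCESS_FS_MAKE_SYM)

/* Confine the calling thread to read-only access beneath allowed_dir.
 * Returns 0 on success, -1 if Landlock is unavailable (old kernel, LSM not
 * enabled, or the syscalls filtered by seccomp) or the setup failed. */
int landlock_restrict_readonly(const char *allowed_dir)
{
    struct landlock_ruleset_attr rs = { .handled_access_fs = LL_ALL_FS_V1 };
    int ruleset_fd = ll_create_ruleset(&rs, sizeof(rs), 0);
    if (ruleset_fd < 0)
        return -1;

    struct landlock_path_beneath_attr pb = {
        .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
        .parent_fd = open(allowed_dir, O_PATH | O_CLOEXEC),
    };
    if (pb.parent_fd < 0 || ll_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0)) {
        close(ruleset_fd);
        return -1;
    }
    close(pb.parent_fd);

    /* Mandatory for unprivileged callers: the process may only shrink its privileges. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || ll_restrict_self(ruleset_fd, 0)) {
        close(ruleset_fd);
        return -1;
    }
    close(ruleset_fd);   /* The policy is now enforced; the fd is no longer needed. */
    return 0;
}

/* Probe the sandbox from a forked child so the caller stays unconfined.
 * Returns 0 if probe_path opened, 1 if Landlock denied it (EACCES),
 * 2 if Landlock is unavailable here, 3 for any other error. */
int landlock_probe(const char *allowed_dir, const char *probe_path)
{
    pid_t pid = fork();
    if (pid < 0)
        return 3;
    if (pid == 0) {
        if (landlock_restrict_readonly(allowed_dir))
            _exit(2);
        int fd = open(probe_path, O_RDONLY | O_CLOEXEC);
        if (fd >= 0)
            _exit(0);
        _exit(errno == EACCES ? 1 : 3);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return 3;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Assumed sample paths: /usr is the granted tree, /etc/passwd lies outside it. */
    printf("open /usr        -> %d\n", landlock_probe("/usr", "/usr"));
    printf("open /etc/passwd -> %d\n", landlock_probe("/usr", "/etc/passwd"));
    return 0;
}
```

On a Landlock-enabled kernel the first probe returns 0 and the second 1; on a kernel without Landlock, or under a seccomp profile that blocks the three syscalls, both return 2. The point for container hardening is that this policy is composed by the workload itself, stacks with whatever AppArmor, SELinux or seccomp profile the runtime already applied, and cannot be relaxed afterwards, which is what makes it usable inside an otherwise untrusted container.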