10-03-2018, 02:08 AM
A New Method of Containment: IBM Nabla Containers
<div style="margin: 5px 5% 10px 5%;"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2018/10/a-new-method-of-containment-ibm-nabla-containers.png" width="300" height="157" title="" alt="" /></div><div><div class="lcom-stacked__main">
<div class="panel-pane pane-entity-field pane-node-body">
<div class="field field-name-body field-type-text-with-summary field-label-hidden">
<div class="field-items">
<div class="field-item even">
<p><em>By James Bottomley </em></p>
<p>In the previous post about <a href="https://blog.hansenpartnership.com/containers-and-cloud-security/">Containers and Cloud Security</a>, I noted that most of the tenants of a Cloud Service Provider (CSP) could safely not worry about the Horizontal Attack Profile (HAP) and leave the CSP to manage the risk. However, there is a small category of jobs (mostly in the financial and allied industries) where the damage done by a Horizontal Breach of the container cannot be adequately compensated by contractual remedies. For these cases, a team at IBM research has been looking at ways of reducing the HAP with a view to making containers more secure than hypervisors. For the impatient, the full open source release of the Nabla Containers technology is <a href="https://nabla-containers.github.io/">here</a> and <a href="https://github.com/nabla-containers/">here</a>, but for the more patient, let me explain what we did and why. We’ll have a follow on post about the <a href="https://blog.hansenpartnership.com/measuring-the-horizontal-attack-profile-of-nabla-containers">measurement methodology for the HAP</a> and how we proved better containment than even hypervisor solutions.</p>
<p>The essence of the quest is a sandbox that emulates the interface between the runtime and the kernel (usually dubbed the syscall interface) with as little code as possible and a very narrow interface into the kernel itself.</p>
<h3>The Basics: Looking for Better Containment</h3>
<p><a href="https://blog.hansenpartnership.com/a-new-method-of-containment-ibm-nabla-containers/standard-containers/"><img alt="" class="alignleft wp-image-498" height="159" src="http://www.sickgaming.net/blog/wp-content/uploads/2018/10/a-new-method-of-containment-ibm-nabla-containers.png" width="302" /></a>The HAP attack worry with standard containers is shown on the left: that a malicious application can breach the containment wall and attack an innocent application. </p>
<p>Read more at <a href="https://blog.hansenpartnership.com/a-new-method-of-containment-ibm-nabla-containers/">Hansen Partnership</a></p>
</div>
</div>
</div></div>
</p></div>
<p><a href="https://www.linux.com/popup/nojs" class="ctools-use-modal ctools-modal-subscription-modal-style element-invisible" title="">Click Here!</a> </p>
</div>
<div style="margin: 5px 5% 10px 5%;"><img src="http://www.sickgaming.net/blog/wp-content/uploads/2018/10/a-new-method-of-containment-ibm-nabla-containers.png" width="300" height="157" title="" alt="" /></div><div><div class="lcom-stacked__main">
<div class="panel-pane pane-entity-field pane-node-body">
<div class="field field-name-body field-type-text-with-summary field-label-hidden">
<div class="field-items">
<div class="field-item even">
<p><em>By James Bottomley </em></p>
<p>In the previous post about <a href="https://blog.hansenpartnership.com/containers-and-cloud-security/">Containers and Cloud Security</a>, I noted that most of the tenants of a Cloud Service Provider (CSP) could safely not worry about the Horizontal Attack Profile (HAP) and leave the CSP to manage the risk. However, there is a small category of jobs (mostly in the financial and allied industries) where the damage done by a Horizontal Breach of the container cannot be adequately compensated by contractual remedies. For these cases, a team at IBM research has been looking at ways of reducing the HAP with a view to making containers more secure than hypervisors. For the impatient, the full open source release of the Nabla Containers technology is <a href="https://nabla-containers.github.io/">here</a> and <a href="https://github.com/nabla-containers/">here</a>, but for the more patient, let me explain what we did and why. We’ll have a follow on post about the <a href="https://blog.hansenpartnership.com/measuring-the-horizontal-attack-profile-of-nabla-containers">measurement methodology for the HAP</a> and how we proved better containment than even hypervisor solutions.</p>
<p>The essence of the quest is a sandbox that emulates the interface between the runtime and the kernel (usually dubbed the syscall interface) with as little code as possible and a very narrow interface into the kernel itself.</p>
<h3>The Basics: Looking for Better Containment</h3>
<p><a href="https://blog.hansenpartnership.com/a-new-method-of-containment-ibm-nabla-containers/standard-containers/"><img alt="" class="alignleft wp-image-498" height="159" src="http://www.sickgaming.net/blog/wp-content/uploads/2018/10/a-new-method-of-containment-ibm-nabla-containers.png" width="302" /></a>The HAP attack worry with standard containers is shown on the left: that a malicious application can breach the containment wall and attack an innocent application. </p>
<p>Read more at <a href="https://blog.hansenpartnership.com/a-new-method-of-containment-ibm-nabla-containers/">Hansen Partnership</a></p>
</div>
</div>
</div></div>
</p></div>
<p><a href="https://www.linux.com/popup/nojs" class="ctools-use-modal ctools-modal-subscription-modal-style element-invisible" title="">Click Here!</a> </p>
</div>