Brussels / 2 & 3 February 2019

schedule

A new approach to container isolation with Nabla


Despite its many advantages, containers have not been accepted as isolated sandboxes. In this talk, we present Nabla containers, which uses library OS/unikernel techniques to avoid system calls and thereby reduce the attack surface on the host kernel. We will demonstrate the running of popular applications (node.js, python, redis, etc.) on container ecosystems (kubernetes, etc.) as nabla containers (using < 9 syscalls). In addition, We will compare isolation and performance metrics against other isolation technologies (gvisor, kata, etc.)

Horizontal attacks are an important security concern for cloud providers and its tenants. Despite its many advantages, containers have not been accepted as isolated sandboxes, which is crucial for container-native clouds. The exposure of the syscall interface directly to untrusted workloads has greatly increased the number of exploits possible to the host.

We present Nabla containers, which uses library OS/unikernel techniques to avoid system calls and thereby reduce the attack surface on the host kernel. Using our OCI runtime, runnc (https://github.com/nabla-containers/runnc), we show the running of popular applcations: Node.js, python, redis, etc. permitting the use of < 9 syscalls via seccomp. In this talk, we will discuss and demo how we have leveraged libOS ideas in a novel way and compare isolation and performance metrics against other technologies such as gvisor and Kata Containers. In addition, we will demonstrate the running nabla containers with the existing container ecosystems such as kubernetes.

Speakers

Photo of Brandon Lum Brandon Lum

Links