L12 - Lightweight sandboxes Flashcards
(30 cards)
Containers vs VMs
containers:
- use Linux primitives
- share linux kernel
- fast starts, minimal overhead
- flexible isolation
VMs:
- virtualize hardware components
- use separate kernels
- slower starts, must boot kernel and set-up hardware
What is CRI?
Container Runtime Interface
- Kubernetes API
- defines the way that Kubernetes interacts with different container runtimes
container runtime
software components that can run containers on a host operating system
OCI
Open Container Initiative specifications for container images and running containers.
runc
runc is an OCI-compliant tool for spawning and running containers. Implements the OCI specifications.
What is Containerd
- container runtime
- manages complete container lifecycle of its host system (image transfer and storage)
What is a shim?
- piece of software that resides between containerd and a low-level container runtime (runc)
- abstracts low-level runtimes
- lives as long as the container process
internet:
- By providing compatibility between different components, shims make it easier to use different container runtimes with a variety of container images.
Why is there need for more isolation?
Prevention of kernel bugs.
What are three types of exploits concerning the kernel?
- System API (bugs within the kernel can be exploited via the API)
- System Application Binary Interface (ABI) (Hardware and software exploits targeting the execution path in response to events)
- Side Channels (exploit indirect effects of the system)
Sandbox
internet:
A sandbox is a secure, isolated environment that enables the execution of untrusted or potentially malicious code without affecting the host system. In computer security, a sandbox acts as a protective barrier between an application and the host system, limiting the application’s access to system resources and preventing it from making harmful changes to the system. Sandboxes are used for various purposes, including software testing, application isolation, and security.
gVisor
- secure-container runtime writting in Go
- minimizes the system API attack vectors
internet:
gVisor is an open-source project that provides a secure sandbox for containers. It acts as a lightweight runtime, isolating containers from the host system and potentially untrusted applications, while still providing access to the host system’s resources. gVisor enhances the security of containers by limiting the system calls a container can make and by providing additional security features such as process isolation and file system protection.
drawbacks of gVisor
- not well suited for syscall heavy workload
- not all syscalls are implemented
KVM
Kernel-based Virtual Machine (KVM) is a virtualization module in the Linux kernel that allows the kernel to function as a hypervisor.
kernel
The kernel is a computer program at the core of a computer’s operating system and generally has complete control over everything in the system.
VMM
Virtual Machine Manager (VMM): Also called a “hypervisor,”
What is AWS Firecracker?
Firecracker, a new virtualization technology that makes use of KVM. You can launch lightweight micro-virtual machines (microVMs) in non-virtualized environments in a fraction of a second, taking advantage of the security and workload isolation provided by traditional VMs and the resource efficiency that comes along with containers.
AWS Firecracker advantages
- designed for serverless computing
- minimalist design
- enhanced security and workload isolation
- reduces startup time and memory footprint
- open source
Where does Firecracker sit?
MicroVM (Guest OS and Container Workload)
Firecracker
Linux Kernel
Hardware
What is a sandbox in security?
Sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading
What are Kata Conainers
Kata Containers is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
Characteristics of Kata Containers
- Runs in a dedicated kernel
- OCI compliant
- one Kata Agent per VM that manages user containers and their workloads
- one shim per pod
WebAssemly
WebAssembly is a binary instruction format and virtual machine that brings near-native performance to web browser applications, and allows developers to build high-speed web apps in the language of their choice
internet:
It is meant to provide a portable, efficient, and secure alternative to JavaScript for running high-performance web applications. Wasm allows developers to write code in languages like C, C++, and Rust, and then compile it to Wasm binary format for deployment on the web.
Characteristics of WebAssembly
- written in binary format but can also be represented human-readable
- isolated from host by default
WebAssembly Module
A WebAssembly Module object contains stateless WebAssembly code that has already been compiled by the browser
- defines functions, globals, memories, imports, exports, static data
