Explore the intricacies of designing secure containerized applications for embedded Linux devices in this 41-minute conference talk by Sergio Prado from Embedded Labworks. Delve into container fundamentals, their relevance in embedded systems, and essential security measures. Learn to create minimal container images through hands-on examples using Debian, Alpine, and statically linked binaries. Discover techniques for securing container execution, including restricting privileges, managing device files and users, enabling user namespaces, and limiting syscalls. Gain insights into resource management and Linux security modules to enhance the overall security posture of your embedded Linux applications.
Designing Secure Containerized Applications for Embedded Linux Devices
Overview
Syllabus
Intro
DISCLAIMERS
WHAT IS A CONTAINER?
WHY CONTAINERS ON EMBEDDED?
CONTAINER INFRASTRUCTURE
SECURING THE CONTAINER IMAGE
CREATE A MINIMAL CONTAINER IMAGE
HANDS-ON: DEBIAN BASED IMAGE
HANDS-ON: ALPINE WITH MULTI-STAGE BUILD
HANDS-ON: STATICALLY LINKED BINARY
CREATE AND RUN IMAGES YOU TRUST
STATIC ANALYSIS TOOLS
SECURITY SCANNING
EASILY UPDATABLE
SECURING THE CONTAINER EXECUTION
RESTRICT CONTAINER PRIVILEGES
DEVICE FILES INSIDE THE CONTAINER
USERS INSIDE CONTAINERS
HANDS-ON: ENABLING USER NAMESPACE
HANDS-ON: USER NAMESPACE IN CONTAINERS
RESTRICTING SYSCALLS
MANAGING RESOURCE USAGE
LINUX SECURITY MODULES
Taught by
Linux Foundation
