Explore a conference talk on BlackBox, a novel container architecture designed to enhance security for containerized applications without relying on the operating system. Learn about the Container Security Monitor, a small trusted computing base that creates Protected Physical Address Spaces (PPASes) for each container, preventing direct information flow between containers and the operating system. Discover how BlackBox leverages Arm hardware virtualization support to implement PPASes, supports Linux containers with minimal kernel modifications, and offers superior security guarantees compared to traditional hypervisor and container architectures. Examine the implementation details, including interposing, task identification, and application performance, while understanding how BlackBox addresses the security risks posed by large operating system codebases containing vulnerabilities.
BlackBox - A Container Security Monitor for Protecting Containers on Untrusted Operating Systems
Overview
Syllabus
Intro
Container advantages
Motivation
BlackBox
Container Security Monitor (CSM)
Protected Physical Address Space (PPAS)
Container Security Monitor - PPASes
Container Security Monitor ABI - Example
Managing PPAS Memory - Page Fault
OS Interactions - IPC
Memory Mapping lago Attacks
Implementing PPASes
Implementation - Interposing
Implementation - Task Identification
Application Performance
Taught by
USENIX
