{"id":51982,"date":"2018-10-02T12:50:36","date_gmt":"2018-10-02T12:50:36","guid":{"rendered":"http:\/\/www.sickgaming.net\/blog\/2018\/10\/02\/a-new-method-of-containment-ibm-nabla-containers\/"},"modified":"2018-10-02T12:50:36","modified_gmt":"2018-10-02T12:50:36","slug":"a-new-method-of-containment-ibm-nabla-containers","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2018\/10\/02\/a-new-method-of-containment-ibm-nabla-containers\/","title":{"rendered":"A New Method of Containment: IBM Nabla Containers"},"content":{"rendered":"<div class=\"lcom-stacked__main\">\n<div class=\"panel-pane pane-entity-field pane-node-body\">\n<div class=\"field field-name-body field-type-text-with-summary field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\">\n<p><em>By James Bottomley <\/em><\/p>\n<p>In the previous post about\u00a0<a href=\"https:\/\/blog.hansenpartnership.com\/containers-and-cloud-security\/\">Containers and Cloud Security<\/a>, I noted that most of the tenants of a Cloud Service Provider (CSP) could safely not worry about the Horizontal Attack Profile (HAP) and leave the CSP to manage the risk.\u00a0 However, there is a small category of jobs (mostly in the financial and allied industries) where the damage done by a Horizontal Breach of the container cannot be adequately compensated by contractual remedies.\u00a0 For these cases, a team at IBM research has been looking at ways of reducing the HAP with a view to making containers more secure than hypervisors.\u00a0 For the impatient, the full open source release of the Nabla Containers technology is\u00a0<a href=\"https:\/\/nabla-containers.github.io\/\">here<\/a>\u00a0and\u00a0<a href=\"https:\/\/github.com\/nabla-containers\/\">here<\/a>, but for the more patient, let me explain what we did and why.\u00a0 We\u2019ll have a follow on post about the\u00a0<a 
href=\"https:\/\/blog.hansenpartnership.com\/measuring-the-horizontal-attack-profile-of-nabla-containers\">measurement methodology for the HAP<\/a>\u00a0and how we proved better containment than even hypervisor solutions.<\/p>\n<p>The essence of the quest is a sandbox that emulates the interface between the runtime and the kernel (usually dubbed the syscall interface) with as little code as possible and a very narrow interface into the kernel itself.<\/p>\n<h3>The Basics: Looking for Better Containment<\/h3>\n<p><a href=\"https:\/\/blog.hansenpartnership.com\/a-new-method-of-containment-ibm-nabla-containers\/standard-containers\/\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" class=\"alignleft wp-image-498\" height=\"159\" src=\"http:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2018\/10\/a-new-method-of-containment-ibm-nabla-containers.png\" width=\"302\" \/><\/a>The HAP attack worry with standard containers is shown on the left: that a malicious application can breach the containment wall and attack an innocent application.\u00a0\u00a0<\/p>\n<p>Read more at <a href=\"https:\/\/blog.hansenpartnership.com\/a-new-method-of-containment-ibm-nabla-containers\/\">Hansen Partnership<\/a><\/p>\n<\/div>\n<\/div>\n<\/div><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>By James Bottomley In the previous post about\u00a0Containers and Cloud Security, I noted that most of the tenants of a Cloud Service Provider (CSP) could safely not worry about the Horizontal Attack Profile (HAP) and leave the CSP to manage the risk.\u00a0 However, there is a small category of jobs (mostly in the financial and 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":51983,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40],"tags":[],"class_list":["post-51982","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-freebsd-unix"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/51982","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=51982"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/51982\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/51983"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=51982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=51982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=51982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}