SNAPPY: Programmable Kernel-Level Policies for Containers - Ecole Centrale de Nantes Accéder directement au contenu
Communication Dans Un Congrès Année : 2021

SNAPPY: Programmable Kernel-Level Policies for Containers

Résumé

Compared to full virtualization, containerization reduces virtualization overhead and resource usage, offers reduced deployment latency and improves reusability. For these reasons, containerization is massively used in an increasing number of applications. However, because containers share a full kernel with the host, they are more vulnerable to attacks that may compromise the host and the other containers on the system.In this paper, we present SNAPPY (Safe Namespaceable And Programmable PolicY), a new framework that allows even unprivileged processes such as containers to safely and dynamically enforce in the kernel fine-grained, stackable and programmable eBPF security policies at runtime. This is done by making working coordinately a new LSM (Linux Security Module) Module, a new security Linux namespace abstraction (policy_NS) and eBPF policies enriched with ’dynamic helpers’. This design especially allows to minimize containers’ attack surface. Our design may be applied to any processes but is particularly suitable for container-based use cases. We show that SNAPPY can effectively increase the security level of containers for different use cases, can be easily integrated with the most relevant norms (OCI, Open Container Initiative) and containerization engines (Docker and runC) and has a performance overhead lower than 0.09% in realistic scenarios.
Fichier principal
Vignette du fichier
SACBelair.pdf (565.5 Ko) Télécharger le fichier
Origine : Fichiers produits par l'(les) auteur(s)

Dates et versions

hal-03108231 , version 1 (13-01-2021)

Identifiants

Citer

Maxime Belair, Sylvie Laniepce, Jean-Marc Menaud. SNAPPY: Programmable Kernel-Level Policies for Containers. SAC 2021: 36th ACM/SIGAPP Symposium On Applied Computing, Mar 2021, Gwangju / Virtual, South Korea. pp.1636-1645, ⟨10.1145/3412841.3442037⟩. ⟨hal-03108231⟩
635 Consultations
1084 Téléchargements

Altmetric

Partager

Gmail Facebook X LinkedIn More