Nytro
Posted July 25, 2017

Published on Jul 19, 2017

Escaping the (sand)box. The promises and pitfalls of modern computational load isolation techniques for Linux OS

Users of modern Linux containerization technologies are frequently at a loss as to what kind of security guarantees are delivered by the tools they use. Typical questions range from "Can these be used to isolate software with known security shortcomings and a rich history of security vulnerabilities?" to even "Can I use such a technique to isolate user-generated and potentially hostile assembler payloads?"

The modern Linux OS code base, as well as independent authors, provide a plethora of options for those who desire to make sure that their computational loads are solidly confined. Potential users can choose from solutions ranging from Docker-like confinement projects, through Xen hypervisors, seccomp-bpf and ptrace-based sandboxes, to isolation frameworks based on hardware virtualization (e.g. KVM).

The talk will discuss techniques available today, with a focus on (frequently overstated) promises regarding their strength. In the end, as they say: "Many speed bumps don't make a wall".

CONFidence: http://confidence.org.pl/
Facebook: https://www.facebook.com/confidence.c...
Twitter: https://twitter.com/CONFidence_news