In a Container, Nobody Hears Your Screams - Next Generation Process Isolation
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore the next generation of process isolation techniques in this conference talk on container security. Examine the history of safely running unsafe processes, compare emerging isolation and security methods, and understand the design decisions driving each project. Learn about breaking in and out of different technologies, and discover which workloads are best suited for various isolation techniques. Gain insights into the challenges of running untrusted code in containers, the evolution of process isolation, and the blurred boundaries between containers and micro VMs. Understand the implications of different isolation technologies for your applications and how to potentially run diverse workloads on the same cluster using different "container" types.
Syllabus
Intro
Sandboxing Tech
Glossary (untrusted workload: a workload that cannot be certified as safe to run)
Containers and VMs
What's wrong with containers?
Assumption Maketh the Ass
Rootlessness
Rootless State of Union
History of Virtualisation
Virtual Machine Monitor
KVM vs Xen vs QEMU
Spectrum of Isolation
gVisor vs Firecracker vs Kata
gVisor Sentry
Firecracker Device Model
Kata Containers
Honourable mention: rust-vmm
Docker & Kubernetes RuntimeClass
What are the risks of next gen proc iso?
What should I use?
Conclusion
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
Introduction to Cloud Infrastructure Technologies (Linux Foundation via edX)
Scalable Microservices with Kubernetes (Google via Udacity)
Google Cloud Fundamentals: Core Infrastructure (Google via Coursera)
Introduction to Kubernetes (Linux Foundation via edX)
Fundamentals of Containers, Kubernetes, and Red Hat OpenShift (Red Hat via edX)