Seccomp - What Can It Do For You?
Offered By: CNCF [Cloud Native Computing Foundation] via YouTube
Course Description
Overview
Explore the capabilities and applications of Seccomp, a system call filtering tool built into Linux, in this 34-minute conference talk by Justin Cormack from Docker. Gain insights into Seccomp's role as a security layer in Docker and its journey towards becoming a default feature in Kubernetes. Learn about the practical benefits of Seccomp for enhancing real-world security and discover best practices for its implementation. Examine the reworking of Docker's default Seccomp policy based on security vulnerabilities encountered over the past five years. Understand how Seccomp can be utilized both as a policy in runtime environments and directly by applications. Delve into the challenges and pitfalls associated with Seccomp usage, particularly as syscalls evolve over time. Analyze case studies of security vulnerabilities and usability issues related to Seccomp implementation.
Syllabus
Intro
Justin Cormack
Secure Computing
In theory
seccomp in practise
In Docker and Kubernetes
Do not use
User namespaces
CVE 2016-3134
CVE 2020-8835
The war on Emacs
Accidentally broke Steam!
Performance
CVE 2018-17182
Don't use it?
Are small blocklists better?
Is it better to push to runtime? 3 Virtual
gVisor
Lambda like?
eBPF LSM
Prediction
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
Introduction to LinuxLinux Foundation via edX 操作系统原理(Operating Systems)
Peking University via Coursera Internet of Things: Setting Up Your DragonBoard™ Development Platform
University of California, San Diego via Coursera Information Security-3
Indian Institute of Technology Madras via Swayam Introduction to Embedded Systems Software and Development Environments
University of Colorado Boulder via Coursera