YoVDO

Towards the Hardened Cloud-Native Cornerstone: Container Runtime Protection

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Container Security Courses, Sandboxing Courses, AppArmor Courses, SELinux Courses, Trusted Execution Environment Courses, Seccomp Courses, Cloud-Native Security Courses, Landlock Courses

Course Description

Overview

Explore container runtime protection strategies in this comprehensive conference talk. Delve into the security challenges faced by containers in cloud-native environments, examining attack vectors and existing protection mechanisms like AppArmor, SELinux, and seccomp. Discover recent advancements in kernel-aided and hardware-aided security measures, including Landlock, Core Scheduling, Memory Protection Keys, and Trusted Execution Environments. Learn about necessary adaptations to container runtime and image specifications, policy enforcement, debugging, monitoring, logging, and alerting management. Gain insights into the current state and future developments of hardened two-way sandboxes for both security and privacy in container environments.

Syllabus

Intro
Container Security Risks (Users' View)
(Extended) Container Threat Modeling
Container Attack Vectors (Attackers' View)
Container Attack Scenarios (AS)
Any Best Practice?
What Do We Have So Far?
What Else Can We Apply?
Not Enough Security Deployment!
Weaknesses (Still) Across Every Layer!
Unprivileged Sandboxing
Sandboxing Containers with Landlock
Defend Against Cross-HT Attacks
Containers with Core Scheduling
Can Hardware Assist?
An Augmented Threat Model
Secure - Confidential Containers
Gaps From A Bird's Eye View
A Further Augmented Threat Model?


Taught by

CNCF [Cloud Native Computing Foundation]

Related Courses

EBPF Superpowers (Docker via YouTube)
Landlock Update: File Reparenting and Network Rules Support (Linux Foundation via YouTube)
Sandboxing Applications with Landlock (Linux Foundation via YouTube)
Deep Dive into Landlock Internals (Linux Foundation via YouTube)
Safely Restricting File Access with Landlock - A Programmatic Approach (Linux Foundation via YouTube)