Special Tutorial - James Bottomley - 06.06.2019

Speaker: Dr. James Bottomley

Time: Thursday, 06/06/2019, 11:30

Place: CS, Taub 337

Title: Exploring New Frontiers in Container Technology

Abstract: Containers (or Operating System based Virtualization) are an old technology; however, the current excitement (and consequent investment) around containers provides interesting avenues for research on updating the way we build and manage container technology. The most active area of research today, thanks to concerns raised by groups supporting other types of virtualization, is in improving the security properties of containers.

The first step in improving security is actually being able to measure it in the first place, so the initial goal of a research programme for container security involves finding that measure. In this talk I’ll outline one such measure (attack profiles) developed by IBM Research, the useful results that can be derived from it, the problems it has and the avenues that can be explored to refine future measurements of containment.

Contrary to popular belief, a “container” doesn’t describe one fixed thing, but instead is a collective noun for a group of isolation and resource control primitives (in Linux terminology called namespaces and cgroups) the composition of which can be independently varied.  In the second half of this talk, we’ll explore how containment can be improved by replacing some of the isolation primitives with either local system call emulation sandboxes, a promising technique used by both the Google gVisor and the IBM Nabla secure container systems, or system call strengthening via address space separation within the kernel.  We’ll also explore the question of whether sandboxes are the end point of container security research or merely point the way to the next Frontier for container abstraction.

Bio: James Bottomley is a Distinguished Engineer at IBM Research, where he works on Cloud and Container technology. He is also the Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board. He went to university at Cambridge for both his undergraduate and doctoral degrees, after which he joined AT&T Bell Labs to work on Distributed Lock Manager technology for clustering. In 2000 he helped found SteelEye Technology, a high-availability company for Linux and Windows, becoming Vice President and CTO. He joined Novell in 2008 as a Distinguished Engineer at Novell’s SUSE Labs, Parallels (later Odin) in 2011 as CTO of Server Virtualization and IBM Research in 2016.

