The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
https://thecyberwire.com/podcasts/daily-podcast
episode 155: It's still possible to find ways to break out. [Research Saturday]
Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a mere kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use either unikernels, lightweight VMs or userspace-kernels to separate the host OS from the container's OS.
One of these solutions is Kata Containers, a container runtime that spawns each container inside a lightweight VM, and can function as the underlying runtime in Docker and Kubernetes. Kata's virtualized containers provide two layers of isolation: even if an attacker breaks out of the container, he is still confined to the microVM.
Joining us in this week's Research Saturday to discuss the research is Yuval Avrahami from Palo Alto Networks Unit 42.
The research presented at Black Hat USA 2020 can be found here:
- Escaping Virtualized Containers
Learn more about your ad choices. Visit megaphone.fm/adchoices