Security by Isolation

Subash SN, sns [a] vuln.in

Null Bangalore Meet 18/03/17


Approaches to Security

Correctness

Obfuscation

Isolation


Isolation

Sandboxes

Containers

Virtual Machines

Physical


Containers 101

Like FreeBSD Jails and Solaris Zones, Linux containers are self-contained execution environments -- with their own, isolated CPU, memory, block I/O, and network resources -- that share the kernel of the host operating system. The result is something that feels like a virtual machine, but sheds all the weight and startup overhead of a guest operating system.


Containers? Which one?

LXC

Docker

OpenVZ


How containers isolate?

cgroups and namespaces

Additionally:

SELinux

AppArmor

Seccomp
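To check which of these layers actually apply to a given process, the kernel exposes them under /proc. The following is an added example, not part of the original slides: it parses the seccomp mode and no_new_privs flag, the cgroup path, and the namespaces a process still shares with PID 1. The sample inputs and the function names are constructed for illustration.

```python
import re

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

# Constructed sample inputs (not captured from a real system).
SAMPLE_STATUS = "Name:\tnginx\nNoNewPrivs:\t1\nSeccomp:\t2\nCapEff:\t00000000a80425fb\n"
SAMPLE_CGROUP = "0::/docker/<container-id-placeholder>\n"
SAMPLE_NS_PROC = {"pid": "pid:[4026532201]", "net": "net:[4026532204]",
                  "mnt": "mnt:[4026532199]", "user": "user:[4026531837]"}
SAMPLE_NS_INIT = {"pid": "pid:[4026531836]", "net": "net:[4026531992]",
                  "mnt": "mnt:[4026531840]", "user": "user:[4026531837]"}

def parse_status(text):
    """Extract the seccomp mode and no_new_privs flag from /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(\S+)", text, re.M))
    return {
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp"), "unknown"),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
    }

def parse_cgroup(text):
    """Return the cgroup paths from /proc/<pid>/cgroup (hierarchy:controllers:path)."""
    return [ln.split(":", 2)[2] for ln in text.splitlines() if ln.count(":") >= 2]

def shared_namespaces(proc_ns, init_ns):
    """Namespaces whose identifier matches PID 1, i.e. not isolated from the host."""
    return sorted(n for n, link in proc_ns.items() if init_ns.get(n) == link)

def report(status, cgroup, proc_ns, init_ns):
    """Combine the three views into one isolation summary for a process."""
    out = parse_status(status)
    out["cgroups"] = parse_cgroup(cgroup)
    out["shared_with_host"] = shared_namespaces(proc_ns, init_ns)
    return out

if __name__ == "__main__":
    print(report(SAMPLE_STATUS, SAMPLE_CGROUP, SAMPLE_NS_PROC, SAMPLE_NS_INIT))
```

On a live Linux host the same inputs come from /proc/<pid>/status, /proc/<pid>/cgroup and the symlink targets under /proc/<pid>/ns/; reading PID 1's namespace links normally requires root.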


Sandboxing

Firejail

Subuser

Chrome ( chrome://sandbox )


Container, VM escape


Nothing beats Physical Isolation? Right?

Attacks on Air-gapped systems

→ Fan

→ Electromagnetic radiation

→ LED

→ Speaker/Mic

Just about anything software can affect.


QubesOS


Proxmox