Efficacy of cloud-native sandboxing technologies in containing security threats
Container technology has revolutionized the way applications are deployed and managed in cloud-native environments. By encapsulating applications and their dependencies in lightweight, isolated containers, developers gain agility, scalability, and resource efficiency. Containers use the host operating system's kernel directly, which makes them more efficient than full-system virtualization, but this shared kernel introduces security challenges. Because no separate OS runs inside the container, OS resources that are only partially virtualized are exposed, and kernel bugs can be exploited through a large attack surface (over 300 system calls). With hundreds of system calls available for containerized applications to interact with the host kernel, the attack surface becomes significantly larger, increasing the risk of a security breach. Containers, although efficient, are therefore a security concern because they share a common OS. To address these concerns, secure container technologies such as gVisor, Kata Containers, and Nabla containers have emerged. They aim to strengthen container isolation by adding layers of protection between the containerized applications and the host operating system. In particular, gVisor introduces a mechanism called "system call interception", which is used to control and monitor system call activity. By intercepting and filtering system calls, gVisor's container runtime, runsc, provides additional isolation for containers. Container runtimes strive to balance security and performance, and system call interception introduces some performance overhead: the interception process involves additional context switching, which can increase the execution time of system calls. The extent of this impact varies with the implementation of the container runtime and the specific system calls being intercepted.
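To make the interception mechanism and its context-switch cost concrete, here is an added example (not code from the paper or from gVisor): a minimal ptrace-based tracer, the same primitive gVisor's ptrace platform builds on, which stops a child at every system call entry and exit, counts the entries, and compares wall time with an untraced run. It assumes Linux; the 20000-call workload size is an arbitrary choice.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
// Child workload: n raw getpid() syscalls; getpid does almost no kernel work,
// so the extra wall time under tracing is essentially the interception cost.
static void workload(long n) {
    for (long i = 0; i < n; i++) syscall(SYS_getpid);
}
// Fork the workload. If traced, stop it at every syscall entry and exit (two
// extra context switches per call, as a ptrace-based sandbox does) and count
// entries. Returns entries seen (0 untraced, -1 on error); fills *seconds.
long run_workload(long n, int traced, double *seconds) {
    struct timespec t0, t1;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                              // child: opt in, then run
        if (traced && ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);
        if (traced) raise(SIGSTOP);              // hand control to the tracer
        workload(n);
        _exit(0);
    }
    long entries = 0; int status, in_syscall = 0;
    if (waitpid(pid, &status, 0) < 0) return -1; // first stop (or plain exit)
    if (traced) ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    while (traced && WIFSTOPPED(status)) {
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {  // syscall-stop, not a signal
            in_syscall = !in_syscall;            // entry and exit stops alternate
            if (in_syscall) entries++;           // a filter would inspect regs here
        }
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    if (seconds) *seconds = (t1.tv_sec - t0.tv_sec) + (t1.tv_nsec - t0.tv_nsec) / 1e9;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? entries : -1;
}
// Wall-time ratio traced/native for n getpid calls (-1 if tracing failed).
double overhead_ratio(long n) {
    double native, traced;
    if (run_workload(n, 0, &native) < 0 || run_workload(n, 1, &traced) < n) return -1;
    return traced / native;
}
int main(void) {
    printf("syscall interception overhead: %.1fx wall time\n", overhead_ratio(20000));
    return 0;
}
```

The traced run counts slightly more than n entries because libc's raise() and the final exit_group are intercepted too; the ratio printed is the cost of the two extra context switches per system call on this machine.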
These considerations lead to the following main research questions and their subquestions:
- How effective are cloud-native sandboxing technologies such as gVisor in containing security threats?
- What are the performance and security trade-offs in sandboxing technologies?