Nov 13 – 15, 2018
America/Vancouver timezone

Exploring New Frontiers in Container Technology

Nov 14, 2018, 9:00 AM
Pavillion/Ballroom-AB (Sheraton Vancouver Wall Center)


Sheraton Vancouver Wall Center

Refereed talk LPC Main Track


James Bottomley (IBM)


Containers (or Operating System based Virtualization) are an old
technology; however, the current excitement (and consequent
investment) around containers provides interesting avenues for
research on updating the way we build and manage container technology.
The most active area of research today, thanks to concerns raised by
groups supporting other types of virtualization, is in improving the
security properties of containers.

The first step in improving security is actually being able to measure
it in the first place, so the initial goal of a research programme for
container security involves finding that measure. In this talk I'll
outline one such measure (attack profiles) developed by IBM research,
the useful results that can be derived from it, the problems it has
and the avenues that can be explored to refine future measurements of

Contrary to popular belief, a "container" doesn't describe one fixed
thing, but instead is a collective noun for a group of isolation and
resource control primitives (in Linux terminology called namespaces
and cgroups) the composition of which can be independently varied. In
the second half of this talk, we'll explore how containment can be
improved by replacing some of the isolation primitives with local
system call emulation sandboxes, a promising technique used by both
the Google gVisor and the IBM Nabla secure container systems. We'll
also explore the question of whether sandboxes are the end point of
container security research or merely point the way to the next
Frontier for container abstraction.

I agree to abide by the anti-harassment policy Yes

Primary author

James Bottomley (IBM)

Presentation materials

Platinum sponsors

Gold sponsors

Silver sponsors

Catchbox sponsor
T-Shirt sponsor