Securely running processes that require the entire syscall interface
https://queue.acm.org/detail.cfm?id=3301253 [queue.acm.org]
2018-12-20 21:23
While evidence has shown that “a container with a well-crafted seccomp (secure computing mode) profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor” (https://blog.hansenpartnership.com/measuring-the-horizontal-attack-profile-of-nabla-containers/), methods are still needed for securely running those processes that require the entire syscall interface. Solving this problem has led to some interesting research.
Let’s take a look at some of the research being done in these areas.