BPFContain: Fixing the Soft Underbelly of Container Security
This paper addresses security weaknesses in container systems that affect both users and administrators, though the work is incremental in that it builds on existing eBPF and container technologies.
The authors tackle the limited isolation guarantees of Linux containers by introducing BPFContain, a new confinement mechanism that integrates with existing container management systems; their benchmarks show improved security and performance compared with current container confinement technologies.
Linux containers currently provide limited isolation guarantees. While containers separate namespaces and partition resources, the patchwork of mechanisms used to ensure separation cannot guarantee consistent security semantics. Even worse, attempts to ensure complete coverage result in a mishmash of policies that are difficult to understand or audit. Here we present BPFContain, a new container confinement mechanism designed to integrate with existing container management systems. BPFContain combines a simple yet flexible policy language with an eBPF-based implementation that allows for deployment on virtually any Linux system running a recent kernel. In this paper, we present BPFContain's policy language, describe its current implementation as integrated into Docker, and present benchmarks comparing it with current container confinement technologies.