September 27-30, 2021
Seattle, Washington, USA + Virtual
Tuesday, September 28 • 4:00pm - 4:50pm
(IN-PERSON) Restricted Address Spaces for Container Security - Mike Rapoport & James Bottomley, IBM

Containers are generally perceived as less secure than virtual machines. Without going into a theological argument about the actual state of affairs, we suggest exploring the possibility of using the MMU as a hardware isolation mechanism to make containers even more secure. Traditionally, the Linux kernel uses a single page table to manage all its objects, and any kernel data is accessible from anywhere in the kernel. From a security standpoint, this ability of the kernel to access any memory from any part of the code is a liability. The fundamental mechanism of container isolation, namespaces, makes most kernel objects private to a namespace. Kernel code that runs outside the namespace has no need to access these private objects. We present restricted kernel address spaces and their use with Linux namespaces to ensure that the private objects of a namespace cannot be accessed by other parts of the kernel. A restricted page table is assigned to a namespace in a way that minimizes overhead and allows the private objects to be removed from the default kernel page table. In addition, we present possible optimizations for direct map management that reduce the performance penalty caused by direct map fragmentation.

James Bottomley

Distinguished Engineer, IBM
James Bottomley is a Distinguished Engineer at IBM Research where he works on Cloud and Container technology. He is also Linux Kernel maintainer of the SCSI subsystem. He has been a Director on the Board of the Linux Foundation and Chair of its Technical Advisory Board. He went to...

Mike Rapoport

Researcher, IBM
Mike has lots of programming experience in different areas ranging from medical equipment to visual simulation, but most of all he likes hacking on the Linux kernel and low-level stuff. Throughout his career Mike has promoted the use of free and open source software and made quite a few contributions...

Tuesday September 28, 2021 4:00pm - 4:50pm PDT
Elwha A