BlackBox - A Container Security Monitor for Protecting Containers on Untrusted Operating Systems

USENIX via YouTube

Overview

The course aims to teach learners about a new container architecture called BlackBox, designed to enhance the security of containers on shared computing infrastructure. The learning outcomes include understanding how BlackBox provides fine-grain protection of application data confidentiality and integrity without relying on the operating system. Students will learn about the Container Security Monitor (CSM), Protected Physical Address Space (PPAS), and how BlackBox isolates and protects CPU and memory states of containerized applications. The course covers topics such as managing PPAS memory, OS interactions, memory mapping attacks, and implementing PPASes using Arm hardware virtualization support. The teaching method involves a mix of theoretical concepts and practical examples, showcasing how BlackBox offers superior security guarantees over traditional hypervisor and container architectures with minimal performance overhead. This course is intended for individuals interested in container security, operating system security, and system architecture design.

Syllabus

Intro
Container advantages
Motivation
BlackBox
Container Security Monitor (CSM)
Protected Physical Address Space (PPAS)
Container Security Monitor - PPASes
Container Security Monitor ABI - Example
Managing PPAS Memory - Page Fault
OS Interactions - IPC
Memory Mapping Iago Attacks
Implementing PPASes
Implementation - Interposing
Implementation - Task Identification
Application Performance

Taught by

USENIX
