Overview
The course aims to teach learners about a new container architecture called BlackBox, designed to enhance the security of containers on shared computing infrastructure. The learning outcomes include understanding how BlackBox provides fine-grain protection of application data confidentiality and integrity without relying on the operating system. Students will learn about the Container Security Monitor (CSM), Protected Physical Address Space (PPAS), and how BlackBox isolates and protects CPU and memory states of containerized applications. The course covers topics such as managing PPAS memory, OS interactions, memory mapping attacks, and implementing PPASes using Arm hardware virtualization support. The teaching method involves a mix of theoretical concepts and practical examples, showcasing how BlackBox offers superior security guarantees over traditional hypervisor and container architectures with minimal performance overhead. This course is intended for individuals interested in container security, operating system security, and system architecture design.
Syllabus
Intro
Container advantages
Motivation
BlackBox
Container Security Monitor (CSM)
Protected Physical Address Space (PPAS)
Container Security Monitor - PPASes
Container Security Monitor ABI - Example
Managing PPAS Memory - Page Fault
OS Interactions - IPC
Memory Mapping Iago Attacks
Implementing PPASes
Implementation - Interposing
Implementation - Task Identification
Application Performance
Taught by
USENIX