A Perfect Fit? – Towards Containers on Microkernels (WoC’24)
Containers are a lightweight alternative to virtual machines, building on sandboxed processes whose permissions are restricted by additional security mechanisms such as seccomp-bpf. However, these mechanisms increase the kernel’s attack surface, thus prompting new security challenges. In this paper, we ask the question of whether a system with processes properly restricted by design enables a container infrastructure with better security posture. For instance, microkernels with capability-based access control provide container-style isolation out of the box. On the basis of real-world CVEs, we argue that this conceptual simplicity actually results in a better security posture than that typically found on monolithic systems. We propose Oak, a container engine built on top of L4Re, a state-of-the-art microkernel-based operating system. For startup as well as for network microbenchmarks, containers running on L4Re exposed performance characteristics similar to that of containers on Linux. We thus conclude that building containers on microkernel is an approach worth pursuing further under both a performance and a security perspective.