back to article IBM attempts to graft virtual machine security onto container flexibility

IBM researchers have developed a new flavor of software container in an effort to create code that's more secure than Docker and similar shared kernel container systems. Docker and its ilk are considered less secure than VMs because the compromise of a shared kernel puts all associated containers at risk. With VMs, the kernel …

  1. Anonymous Coward
    Anonymous Coward

    James recently wrote a really nice blog post, praising IBM's approach.

    I found it really misleading. He compared the results of fuzzing attacks to compare the security of the different container approaches. He implied that it represented real-life usage, but the key item was tucked away in the text -- it was a carefully tuned seccomp configuration that was really providing the security. If your containerized application wasn't allowed to make a system call, it couldn't compromise it by using bad parameters.

    BTW, gVisor got a well-deserved ding because passing invalid arguments often crashes the container in a bad way, rather than simply failing and continuing to run.

    I'm leaning towards Kata Containers. With its page de-duplication approach it might be efficient enough to have reasonable resource usage and a modest performance impact.

  2. FrankAlphaXII

    Is it just me, or does it seem like IBM anymore exists to solely take other inventors and innovators ideas, give them stupid marketing drone buzzword-laden descriptions, and then try to pawn them off on Fortune 500 companies' CIOs who don't actually know what the fuck they're doing aside from their overpriced MBA?

    If its just me being cynical, then fine, but that's the way it looks like at the lower levels. Still, I wouldn't go anywhere else for anything Mainframe related, and maybe Db2 just to avoid Oracle, but that's really about it.

  3. stephanh

    2x more secure

    So it was 200 Securons for Nabla while only 100 Securons for Docker?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022