Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a single kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use unikernels, lightweight VMs, or userspace kernels to separate the host OS from the container’s OS.
By Yuval Avrahami
Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefings/schedule/#escaping-virtualized-containers-20514