Containers are the latest infrastructure trend. In 2016, the [SCONE paper](https://www.usenix.org/system/files/conference/osdi16/osdi16-arnautov.pdf) was written and presented at the [USENIX Symposium on Operating Systems Design and Implementation](https://www.usenix.org/conference/osdi16). It outlined how to use Intel Secure Enclaves (https://en.wikipedia.org/wiki/Software_Guard_Extensions) to guard containers against attack. Containers are built on the kernel primitives cgroups and namespaces with additional LSM (Linux Security Module) layers on top, such as AppArmor, SELinux, and seccomp. Intel SGX protects code from modification by using protected areas of memory known as enclaves. With containers and adoption of cloud on the rise, this paper continues to be on the cutting edge of what is to come. Some cloud providers are now starting to expose hardware specific features like GPU and SGX, which would make running containers with Intel's SGX trusted execution a reality in the cloud. With Intel's SGX, you can have a container's process shielded from access by other programs. We'll explore how realistic this is today and in the future as well as what benefits this would have to the security of containers.
paperswelove
manfredsteyer
yusukebe
marokanatani
maruto
ikumatadokoro
memory1994
oheyadam
kakao
ivargrimstad
mayuki
riofujimon
polpielladev
chrislema
lauravandoore
stephaniewalter
malarkey
3n
hatefulcrawdad
erikaheidi
tanoku
holman
chriscoyier
vanstee
philnash
