CloudABI: Cloud computing meets fine-grained capabilities

  • Posted on: 17 June 2015
  • By: EdSchouten
Track: 
Cloud Technologies
Day: 
Sunday
Author: 
Ed Schouten
Room: 
Track 2 (main)
English
Paper: 

CloudABI is a new runtime environment that attempts to make it easier to use UNIX-like operating systems at the core of a cluster/cloud computing platform.

Instead of offering full machine virtualization (e.g., KVM, Xen, bhyve) or requiring the use of intrusive OS-level virtualization techniques (e.g., LXC, FreeBSD Jails, Solaris Zones), end users can simply provide a set of binaries that communicate with the operating system over a secure and compact POSIX-like interface. CloudABI allows you to run untrusted programs directly on top of a UNIX kernel, without compromising security and without requiring complex configuration.

CloudABI makes strong use of capability-based security. Instead of determining the rights of an application through complex ACLs, access to resources is determined by a set of tokens (in this case, file descriptors) that can be altered at run-time. This allows software engineers to harden their software by applying 'defense in depth'.

In this presentation I will discuss several design aspects of CloudABI and how it can be used to make UNIX software more reliable, more secure and easier to test and deploy.

Time: 
14:00 - 15:00 hrs
field_vote: 
0
No votes yet