IBM's new Nabla containers are designed for security first

IBM claims its new container design is more secure than Docker or other containers by cutting operating system calls to the bare minimum and thereby reducing its attack surface as small as possible.

Companies love containers because they enable them to run more jobs on servers. But businesses also hate containers, because they fear they're less secure than virtual machines (VM)s. IBM thinks it has an answer to that: Nabla containers, which are more secure by design than rival container concepts.

James Bottomley, an IBM Research distinguished engineer and top Linux kernel developer, first outlines that there are two kind of fundamental kinds of container and virtual machine (VM) security problems. These are described as Vertical Attack Profile (VAP) and Horizontal Attack Profile (HAP).

Read also: Containers are cool now, but VMs may be eternal - TechRepublic

A VAP is all the code, which is traversed to provide a service all the way from input to database update to output. This code, like all programs, contains bugs. The bug density varies, but the more code you traverse, that is called to run, the greater your chance of exposure to a security hole. For example, it doesn't matter how much code is in an operating system or program if it's not run. Stack security holes exploits, which can jump into either the physical server host or VMs, are HAPs.

HAPs aren't common, but they're system killers. Bottomley calls them "potentially business destroying events."

IBM's answer to HAPs is Nabla. This new secure container's core design goal is to create is a sandbox that emulates the interface between the container runtime and the operating system kernel's syscall interface with as little code as possible. It also provides a narrow interface into the kernel itself.

Nabla works by replacing the typical VM hypervisor interface of hypercalls and vmexits with simple system calls (syscalls). For example, Linux built-in KVM hypervisor interface only has nine hypercalls and all these can be rewritten as syscalls. So, Nabla uses these syscalls while seccomp restricts its interface to being only what the rewritten unikernel runtime actually needs.

Thus, a Nabla containerized application can avoid making a Linux system call by linking to a operating system library component, which implements the system call functionality. Specifically, Nabla containers use Solo5 project unikernel techniques to avoid system calls. All together, Nabla containers only use nine system calls. A Linux secom policy blocks all other calls. This reduces the container's attack surface to a barebones minimum.

Early IBM Research test results show that Nabla is extremely secure. Indeed, besides being more secure than other container technologies, such as Docker and Google's gVisor, a container runtime sandbox. It's as secure, or more so, depending on the applications, than Kata Containers, a new open-source lightweight VM designed to secure containers.

Read also: What is Docker and why is it so darn popular?

Don't believe it? Want to check it out? You can download, install, and run Nabla containers for yourself on Ubuntu Linux.

Considering just how important containers are for modern IT, I think anyone working with containers must give it a try. Nabla could be as much of a game-changer as Docker was when it made containers popular.

Related stories: