Syd+Youki=Syd-OCI: Introduction to a Secure Container Runtime for Linux

Day 1 | 16:50 | 00:30 | UD2.218A | Ali Polatel
Note: I'm reworking this at the moment, some things won't work.

In this talk, I will introduce Syd-OCI, a secure OCI container runtime for Linux systems running kernel 5.19 or later. Syd-OCI seamlessly integrates the advanced sandboxing capabilities of Syd -- our rock-solid unikernel designed for sandboxing applications -- into containerized environments by leveraging Youki, a modern container runtime written in Rust.

Syd-OCI operates as a thin wrapper around Youki, utilizing Youki's robust OCI implementation while replacing its default executor with a custom one that runs container processes under Syd's comprehensive sandboxing framework. This integration allows Syd-OCI to provide enhanced security features -- such as Path Sandboxing, Execution Control with SegvGuard, Network Sandboxing, and advanced mechanisms like Lock Sandboxing and Proxy Sandboxing -- within standard OCI-compliant containers.

The presentation will cover Syd-OCI's key features:

  • Integration of Syd and Youki: How Syd-OCI combines Syd's advanced sandboxing mechanisms with Youki's efficient OCI runtime, creating a secure container runtime without requiring extra privileges, SETUID binaries, or privileged kernel context.
  • Technical Architecture: An in-depth look at how Syd-OCI replaces Youki's default executor with a custom executor that runs commands under Syd, enabling seamless integration of Syd's security features into container workflows.
  • Configuration and Usage: Guidance on setting up Syd-OCI with container platforms like Docker, Podman, and CRI-O, including configuring the Syd sandbox using profiles and integrating sandbox configurations into container images.
  • Advanced Sandboxing and Verified Images: Showcasing practical use cases where Syd-OCI enhances container security through advanced features like Force Sandboxing for verified execution and Crypt Sandboxing for transparent file encryption using AES-CTR. We will explore how these mechanisms provide integrity verification for container images and binaries, ensuring that only trusted and securely encrypted code is executed within containers, thereby strengthening protection against unauthorized modification and data breaches.

Attendees will gain insights into the design and implementation of Syd-OCI, understanding how the integration of Syd and Youki provides a secure, efficient, and practical solution for container security. This talk will illustrate how Syd-OCI can be seamlessly integrated into existing container workflows, enhancing security without compromising performance or compatibility, and adhering to the UNIX philosophy of doing one thing well with the least privilege necessary.