Basel, Switzerland
October 10–11, 2018
Click Here For Information & Registration
Back To Schedule
Wednesday, October 10 • 14:30 - 15:00
Running Isolated and Secure Workloads via BOSH - Subhankar Chattopadhyay & Shashank Jain, SAP

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Providing a safe computing condition to an untrusted application is a very critical task. Insufficiently tested applications can cause a number of problems, especially operating system infections. These issues are often found only post-mortem. Most of these issues can be avoided by sandboxing running environment of these untrusted applications.
We have some interesting use cases where we allow third-party extensions to be loaded into the Service Fabrik broker for doing some pre and post lifecycle activities. Service Fabrik Broker is an OSBAPI compliant cloudfoundry incubator project which takes care of provisioning and management of backing services.
Since we don’t have any direct control over the quality of these extensions, as to What kind of resource usage these extensions trigger? What kind of system calls these extensions do? If they can load a rootkit, use LD_PRELOAD like mechanisms to divert system calls. There can be other potential hazardous implications if one of the extension goes kaput. This can cause a possible outage on the SF Broker which is the most critical component and a control plane for backing services.

To mitigate these possible attacks and still allow extension features, we intend to sandbox the extensions via mechanisms like
1. Apply resource limits in terms of memory, CPU, network
2. Restrict system calls via Seccomp profiling and disabling abilities like loading rootkits etc.
3. Fine-grained Mandatory access controls via SE Linux.

The natural progression for these extensions would be to move to BOSH BPM where we expect to have the right isolation levels needed.
This talk will cover usage, pros and cons of above mentioned mechanisms and A demo on how we used sandboxing to provide secure environment for untrusted extensions.

avatar for Subhankar Chattopadhyay

Subhankar Chattopadhyay

Development Architect, SAP
Subhankar Chattopadhyay holds a Master of Computer Science and working at SAP for about 10 years. He is currently working in the area of SAP Business Technology Platform. His interests include Cloud Computing, Virtualization and containerization.
avatar for Shashank Mohan Jain

Shashank Mohan Jain

Chief Architect, SAP
Shashank has 20 years of work experience with 8 years in cloud and distributed systems domain. Shashank holds more then 30 patents and has been a speaker in various cloud foundry summits and other conferences.

Wednesday October 10, 2018 14:30 - 15:00 CEST
Kairo 1 & 2