Learn more about LinuxCon + ContainerCon + CloudOpen China, happening June 19-20. 

Monday, June 19 • 13:35 - 14:05
Secure Containers With EPT Isolation [E] - Chunyan Liu, Huawei & Jixing Gu, Intel

The Secure Container solution enhances container security by isolating memory between Docker containers running inside one VM using Intel VT-x EPT hardware. This is highly effective at protecting a container's memory and at the same time defends against ret2user privilege-escalation attacks that exploit kernel vulnerabilities (e.g. the CVE-2017-6074 use-after-free vulnerability). It extends the KVM interfaces so that the guest OS can isolate a container's memory from other containers; these interfaces rely on the Intel VT-x EPT hardware extension and provide memory-access protection for a container placed in an isolated memory region. Each secure container has a dedicated EPT table rather than sharing one EPT table with the guest OS, which enforces cross-EPT memory-access protection. The whole solution is user-friendly and fits into existing cloud server infrastructure with very limited changes.


Jixing Gu

SW Architect, Intel
PhD, Software Architect in Intel CIG SW Engineering. He has worked at Intel for over seven years on security, sensor, and multimedia projects. In this project, Jixing is working on the secure container solution architecture design and KVM support.

Chunyan Liu

Principal Engineer, Intel
Principal Engineer, Huawei Kernel Department. She is now working in the Huawei container team. Before that, she worked in the SUSE virtualization team for over six years. In this project, Chunyan is working on the secure container solution design, guest OS support, and Docker tooling integration.

Monday June 19, 2017 13:35 - 14:05 HKT
Room 309B
Track: Cloud Native & Containers, Developer
• Presentation Language: English
• Experience Level: Any