IBM researchers have created a new approach to container isolation with the launch of Nabla containers, designed for strong isolation on a host. The containers achieve isolation by reducing the attack surface they expose to the host kernel: a Nabla container uses only nine system calls.
According to the Nabla website, IBM researchers have "measured exactly how much access to the kernel common applications exhibit with Nabla containers and standard containers by measuring the number of system calls containerized applications make and correspondingly how many kernel functions they access.
"A containerized application can avoid making a Linux system call if it links to a library OS component that implements the system call functionality. Nabla containers use library OS - aka unikernel - techniques, specifically those from the Solo5 project, to avoid system calls and thereby reduce the attack surface. Nabla containers only use 9 system calls, all others are blocked via a Linux seccomp policy."
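The measurement described above (count the distinct system calls a containerized workload makes) and the enforcement described above (a seccomp policy that allows only those calls and blocks everything else) can be illustrated together. The following Python script is an added example, not code from the Nabla project or IBM: it parses `strace -f` style output, reports the distinct syscalls observed, and emits a default-deny seccomp profile in the JSON format Docker and OCI runtimes accept. The trace lines are constructed sample input, and the resulting allowlist is whatever that sample shows, not the nine syscalls Nabla actually uses.

```python
"""Measure a workload's kernel attack surface from an strace log and build a
default-deny seccomp allowlist from what was observed.

Added illustration, not code from the Nabla project. SAMPLE_TRACE is a
constructed strace-style log, not a real trace of a Nabla workload.
"""
import json
import re

# Constructed sample of `strace -f` output (assumption: plain text strace format).
SAMPLE_TRACE = """\
1234  execve("/app/server", ["/app/server"], 0x7ffd1a2b3c40) = 0
1234  brk(NULL)                         = 0x55d0b0a2c000
1234  mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1a2b3c4000
1234  openat(AT_FDCWD, "/etc/config", O_RDONLY) = 3
1234  read(3, "port=8080\\n", 4096)      = 10
1234  close(3)                          = 0
1234  clone(child_stack=NULL, flags=CLONE_VM) = 1235
1235  write(1, "ready\\n", 6 <unfinished ...>
1234  epoll_wait(4,  <unfinished ...>
1235  <... write resumed>)              = 6
1234  <... epoll_wait resumed>[], 64, -1) = 0
1235  exit_group(0)                     = ?
1234  +++ exited with 0 +++
"""

# A call line looks like "<pid>  <name>(" ; an interrupted call is continued on
# a later line that reads "<... name resumed>".
_CALL_RE = re.compile(r"^\s*(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")
_RESUMED_RE = re.compile(r"<\.\.\.\s+([a-z_][a-z0-9_]*)\s+resumed>")


def observed_syscalls(trace_text):
    """Return the sorted list of distinct syscall names found in an strace log.

    A call split by "<unfinished ...>" is counted once from its start line; the
    "resumed" line names the same call and only matters if the start was not seen.
    """
    names = set()
    for line in trace_text.splitlines():
        m = _CALL_RE.match(line)
        if m:
            names.add(m.group(1))
            continue
        m = _RESUMED_RE.search(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


def seccomp_allowlist_profile(syscalls, default_action="SCMP_ACT_ERRNO"):
    """Build a Docker/OCI-style seccomp profile: deny every syscall by default
    and allow only the named ones. The architecture list is an assumption."""
    return {
        "defaultAction": default_action,
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": list(syscalls), "action": "SCMP_ACT_ALLOW"}],
    }


def denied_by_policy(trace_text, allowed):
    """Syscalls the traced workload makes that a given allowlist would block:
    a quick check of whether the workload can run under a tighter policy."""
    return sorted(set(observed_syscalls(trace_text)) - set(allowed))


def attack_surface_report(trace_text):
    """Summarise the observed kernel surface and the profile that fits it."""
    calls = observed_syscalls(trace_text)
    return {
        "distinct_syscalls": len(calls),
        "names": calls,
        "profile": seccomp_allowlist_profile(calls),
    }


if __name__ == "__main__":
    report = attack_surface_report(SAMPLE_TRACE)
    print(f"{report['distinct_syscalls']} distinct syscalls: {', '.join(report['names'])}")
    print(json.dumps(report["profile"], indent=2))
```

Running this against a real trace of a workload gives the same kind of number the Nabla team reports for standard containers; the profile it emits is only as tight as the trace is complete, so any code path not exercised during tracing will be blocked at runtime, which is exactly why `denied_by_policy` is worth running before shipping a policy.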
There has been a fierce debate within the industry regarding whether isolated containers or virtual machines (VMs) are more secure. James Bottomley, IBM research engineer and Linux kernel developer, wrote a blog post on 'one of the biggest problems about container vs Hypervisor security': "No-one has actually developed a way of measuring security, so the debate is all in qualitative terms, but no-one actually has done a quantitative comparison."
The researchers then measured Nabla's performance as well, and showed that it is "far and away the best containment technology for secure workloads given that it sacrifices the least performance over docker to achieve the containment." The blog post also noted that Nabla was twice as secure as hypervisor-based containment.
Nabla does have some limitations, however: the Nabla runtime only supports images built specifically for Nabla, and some features are still missing, which the team is currently working on.