Runtime security is hard to implement because it is difficult to account for all of the factors and actors in your cloud native infrastructure.
Most runtime security tools and techniques currently need direct access to the underlying infrastructure of workload environments in order to observe security events and make enforcement decisions.
Over time, however, cloud native platforms are trying to reduce friction in the user journey by taking care of infrastructure management themselves. Examples include AWS Fargate and GKE Autopilot. One side effect of this is reduced access to the underlying infrastructure. Some distributions even restrict access to common security-oriented Linux primitives like eBPF.
The talk presents a couple of techniques for protecting applications using Linux primitives like seccomp, ptrace and LD_PRELOAD. These techniques require minimal additional privileges from the underlying infrastructure.