Basel, Switzerland
October 10–11, 2018
Wednesday, October 10 • 14:30 - 15:00
Running Isolated and Secure Workloads via BOSH - Subhankar Chattopadhyay & Shashank Jain, SAP

Providing a safe computing environment for an untrusted application is a critical task. Insufficiently tested applications can cause a number of problems, especially operating system infections. These issues are often found only post-mortem. Most of them can be avoided by sandboxing the running environment of these untrusted applications.
We have some interesting use cases where we allow third-party extensions to be loaded into the Service Fabrik broker to perform pre- and post-lifecycle activities. Service Fabrik Broker is an OSBAPI-compliant Cloud Foundry incubator project that takes care of provisioning and management of backing services.
We don't have any direct control over the quality of these extensions, which raises several questions. What kind of resource usage do these extensions trigger? What kind of system calls do they make? Can they load a rootkit, or use LD_PRELOAD-like mechanisms to divert system calls? There can be other potentially hazardous implications if one of the extensions goes kaput. This can cause an outage of the SF Broker, which is the most critical component and the control plane for backing services.

To mitigate these possible attacks and still allow extension features, we intend to sandbox the extensions via mechanisms such as:
1. Applying resource limits in terms of memory, CPU and network.
2. Restricting system calls via seccomp profiling and disabling abilities like loading rootkits, etc.
3. Fine-grained mandatory access controls via SELinux.

The natural progression for these extensions would be to move to BOSH BPM where we expect to have the right isolation levels needed.
This talk will cover the usage, pros and cons of the above-mentioned mechanisms, and a demo of how we used sandboxing to provide a secure environment for untrusted extensions.

Speakers
Subhankar Chattopadhyay

Development Architect, SAP
Subhankar Chattopadhyay holds a Master of Computer Science and has been working at SAP for about 10 years. He is currently working in the area of SAP Business Technology Platform. His interests include cloud computing, virtualization and containerization.
Shashank Mohan Jain

Chief Architect, SAP
Shashank has 20 years of work experience, with 8 years in the cloud and distributed systems domain. Shashank holds more than 30 patents and has been a speaker at various Cloud Foundry summits and other conferences.


Wednesday October 10, 2018 14:30 - 15:00 CEST
Kairo 1 & 2