CloudABI: Cloud computing meets fine-grained capabilities

Speaker: Ed Schouten

Abstract

CloudABI is a new runtime environment that attempts to make it easier to use UNIX-like operating systems at the core of a cluster/cloud computing platform.

Instead of offering full machine virtualization (e.g., KVM, Xen, bhyve) or requiring the use of intrusive OS-level virtualization techniques (e.g., LXC, FreeBSD Jails, Solaris Zones), end users can simply provide a set of binaries that communicate with the operating system over a secure and compact POSIX-like interface. CloudABI allows you to run untrusted programs directly on top of a UNIX kernel, without compromising security and without requiring complex configuration.

CloudABI makes strong use of capability-based security. Instead of determining the rights of an application through complex ACLs, access to resources is determined by a set of tokens (in this case, file descriptors) that can be altered at run-time. This allows software engineers to harden their software by applying 'defense in depth'.

In this presentation I will discuss several design aspects of CloudABI and how it can be used to make UNIX software more reliable, more secure and easier to test and deploy.

Slides

Biography

Ed Schouten started contributing to FreeBSD back in 2005, when he helped porting FreeBSD to the Microsoft Xbox. After re-implementing the TTY layer (that's part of FreeBSD 8 and later), he worked on various other projects that eventually made their way into FreeBSD. Ed was the author of FreeBSD's "ClangBSD" branch, aimed at importing Clang into FreeBSD's base system. Later on he developed an initial prototype of a new console driver that's now imported into the system, called vt(4).

Last year, Ed started his own IT company called Nuxi, based in the Netherlands. He is currently working on developing new infrastructure aimed at making cluster/cloud computing easier, more robust and more secure.