Hardware vulnerabilities in cloud-native environments
2019-05-19, 12:15–12:45, Main Hall

In late 2017 and throughout 2018 we witnessed the advent of a new class of CPU-level information disclosure vulnerabilities, commonly known as “Spectre”, “Meltdown”, and (later in 2018) “Level 1 Terminal Fault” (L1TF for short, also known as “Foreshadow”).

This talk will give a brief introduction to the relevant CPU design concepts (speculative and out-of-order execution, caches as a side channel) and to how the above-mentioned vulnerabilities exploit them, and discuss the available mitigations.

After we’ve established (or refreshed) our knowledge of the problem field, the main part of the talk will focus on keeping your Kubernetes clusters secure against those vulnerabilities: we will take a full-stack approach and look at the common OS and container abstraction layers in cloud-native scenarios individually - bare metal kernel space, user space, (optional) virtualization, and container runtime - and discuss the weaknesses and mitigations at each layer.
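As an added example (not code from the talk or from the Kinvolk blog post), here is the first check a practitioner would run on a node for the bare-metal kernel layer: read the kernel's own mitigation report under `/sys/devices/system/cpu/vulnerabilities` (one file per issue, available since Linux 4.15) together with the SMT control knob, flag anything not reported as mitigated, and apply the stricter rule the virtualization layer needs for L1TF, where untrusted guests require both an L1D flush on VM entry and SMT disabled. The function names and the sample sysfs tree are constructed for this example; the sysfs paths and status strings are the ones the Linux kernel documents.

```shell
#!/bin/sh
# Added example: audit a Linux node's reported CPU side-channel mitigations.
# Assumes the sysfs layout Linux exposes since 4.15 (one file per issue under
# /sys/devices/system/cpu/vulnerabilities) plus /sys/devices/system/cpu/smt/control.
# Function names are ours; pass a sysfs root so the checks can run on a
# constructed tree offline (defaults to the real /sys).

# Print one line per reported issue. Return 1 if any entry is neither
# "Not affected" nor "Mitigation: ...", 2 if the kernel does not report at all.
audit_cpu_vulns() {
    root="${1:-/sys}"
    vdir="$root/devices/system/cpu/vulnerabilities"
    rc=0
    [ -d "$vdir" ] || { echo "no $vdir: kernel too old to report mitigations"; return 2; }
    for f in "$vdir"/*; do
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected") echo "ok          $name: $status" ;;
            Mitigation:*)   echo "mitigated   $name: $status" ;;
            *)              echo "UNMITIGATED $name: $status"; rc=1 ;;   # "Vulnerable", "Unknown", ...
        esac
    done
    smt="$root/devices/system/cpu/smt/control"
    [ -r "$smt" ] && echo "smt control: $(cat "$smt")"
    return $rc
}

# Virtualization layer: return 0 only if the L1TF line shows an L1D cache flush
# on VM entry AND SMT disabled (or the CPU is not affected). A host that flushes
# but keeps SMT on still leaks across sibling hyperthreads to a malicious guest.
l1tf_guest_isolated() {
    line=$(cat "${1:-/sys}/devices/system/cpu/vulnerabilities/l1tf" 2>/dev/null) || return 2
    [ "$line" = "Not affected" ] && return 0
    case "$line" in *"cache flushes"*) ;; *) return 1 ;; esac
    case "$line" in *"SMT disabled"*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample tree (not captured from a real host): PTI and retpolines in
# place, Speculative Store Bypass still exposed, guests running with SMT on.
make_sample_tree() {
    vdir="$1/devices/system/cpu/vulnerabilities"
    mkdir -p "$vdir" "$1/devices/system/cpu/smt"
    echo "Mitigation: PTI" > "$vdir/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$vdir/spectre_v1"
    echo "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling" > "$vdir/spectre_v2"
    echo "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" > "$vdir/l1tf"
    echo "Vulnerable" > "$vdir/spec_store_bypass"
    echo "on" > "$1/devices/system/cpu/smt/control"
}

demo=$(mktemp -d)
make_sample_tree "$demo"
audit_cpu_vulns "$demo" || echo "=> sample host has unmitigated issues"
l1tf_guest_isolated "$demo" || echo "=> sample host must not run untrusted VMs until SMT is off"
rm -rf "$demo"
```

On a real node run `audit_cpu_vulns` with no argument. Note that the kernel only reports what it knows about its own layer: a "mitigated" line says nothing about whether user-space binaries were built with retpolines, or whether the container runtime places mutually distrusting workloads on the same SMT siblings, which the later layers of the talk cover.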

The talk aims to raise awareness as well as spread in-depth understanding of the impact CPU information disclosure flaws have on Kubernetes and its workloads.

Our motivation is to educate our audience so that they can judge by themselves whether their workloads are secure, and to provide options and mitigations should workloads be at risk. Knowledge from this session will help the community to better understand this new vulnerability class, and to maintain security in Kubernetes deployments.

The talk will roughly follow the path of our blog post on the impact of hardware security vulnerabilities in cloud-native environments: https://kinvolk.io/blog/2019/03/hardware-vulnerabilities-in-cloud-native-environments/ .