Threat Detection in gVisor

By Fabricio Voznika on 31 August 2022

gVisor helps users secure their infrastructure by running containers in a dedicated kernel that is isolated from the host. But wouldn’t it be nice if you could tell when someone attempts to break out? Or get an early warning that your web server might have been compromised? Now you can do it with gVisor! We are pleased to announce support for runtime monitoring. Runtime monitoring provides the ability for an external process to observe application behavior and detect threats at runtime. Using this mechanism, gVisor users can watch actions performed by the container and generate alerts when something unexpected occurs.

Full Post »

Running gVisor in Production at Scale in Ant

By Jianfeng Tan and Yong He on 02 December 2021

This post was contributed by Ant Group, a large-scale digital payment platform. Jianfeng and Yong are engineers at Ant Group working on infrastructure systems, and contributors to gVisor.

Full Post »

gVisor RACK

By Nayana Bidari on 31 August 2021

gVisor has implemented the RACK (Recent ACKnowledgement) TCP loss-detection algorithm in our network stack, which improves throughput in the presence of packet loss and reordering.

Full Post »

Platform Portability

By Ian Lewis and Michael Pratt on 22 October 2020

Hardware virtualization is often seen as a requirement to provide an additional isolation layer for untrusted applications. However, hardware virtualization requires expensive bare-metal machines or cloud instances to run safely with good performance, increasing cost and complexity for Cloud users. gVisor, however, takes a more flexible approach.

Full Post »

Containing a Real Vulnerability

By Fabricio Voznika on 18 September 2020

In the previous two posts we talked about gVisor’s security design principles as well as how those are applied in the context of networking. Recently, a new container escape vulnerability (CVE-2020-14386) was announced that ties these topics well together. gVisor is not vulnerable to this specific issue, but it provides an interesting case study to continue our exploration of gVisor’s security. While gVisor is not immune to vulnerabilities, we take several steps to minimize the impact and remediate if a vulnerability is found.

Full Post »

If you would like to contribute to the gVisor blog check out the instructions.