Deep Dive into Firecracker: Using Lightweight Virtual Machines to Enhance the Container Security Boundary - AWS Summit Sydney

Amazon Web Services
AWS Summit Sydney
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Deep Dive into Firecracker: Using lightweight virtual machines to enhance the container security boundary
Mitch Beaumont
Senior Solutions Architect
Amazon Web Services
Serverless compute at AWS

Running containers and serverless at scale
• Different security boundaries than instances
• Inefficient resource utilisation

What would a virtual machine look like if it were designed for today’s world of containers and function based services?
Virtualisation

<_start>:
e9 59 e1 17 00          jmpq     ffff82d08037e15e
0f 1f 00                nopl     (%rax)
<multiboot1_header_start>:
02 b0 ad 1b 03 00       add      0x31bad(%rax),%dh
00 00                   add      %al,(%rax)
fb                      sti
4f 52                   rex.WRXB push %r10
e4 0f                   in       $0xf,%al
<multiboot1_header_end>:
0f 1f 40 00             nopl     0x0(%rax)
<multiboot2_header_start>:
d6                      (bad)
50                      push     %rax
52                      push     %rdx
e8 00 00 00 00          callq    ffff82d080200020
88 00                   mov      %al,(%rax)

The listing is objdump output for the entry point of a kernel image. The `<multiboot1_header_start>` and `<multiboot2_header_start>` labels, and the `(bad)` opcode, show that the bytes following those labels are boot-loader header data (magic number, flags and checksum) being decoded as if they were code. What matters for the slides that follow is that the decoded stream contains privileged instructions, `sti` (enable interrupts) and `in $0xf,%al` (read an I/O port), which the CPU executes only at the highest privilege level.
What just happened?
Ring 0 / Ring 1 / Ring 2 / Ring 3

x86 protection rings: the kernel runs in ring 0, user code in ring 3. A privileged instruction such as `sti` or `in` executed from a less privileged ring does not run; the CPU raises a general-protection fault and control passes to ring 0.
Trap and emulate: virtual machine monitor

Run the guest kernel at a lower privilege than the virtual machine monitor and the same thing happens: each privileged instruction the guest executes traps. The monitor catches the trap, emulates what the instruction would have done to the guest’s virtual CPU and devices, and resumes the guest at the next instruction. Everything else in the guest’s instruction stream runs directly on the hardware.
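The two mechanisms above, as an added example that is not from the deck or from the Firecracker project: the slide’s port-I/O instruction `in $0xf,%al` is first executed at ring 3 inside an ordinary Linux process, where it faults (#GP, delivered by the kernel as SIGSEGV), and then as the first instruction of a five-byte guest program on a KVM virtual CPU, where the same bytes exit to the monitor. The monitor plays the device: it answers the guest’s `in`, accepts the guest’s `out`, and stops at `hlt`. The guest program, the port numbers, the byte value 0x2a and the function names are the example’s own choices; KVM is used because it is the host interface Firecracker builds on, but the ioctl sequence here is the minimal textbook one, not Firecracker’s. It needs x86-64 Linux; without an accessible /dev/kvm, or on another platform, the second part reports itself unavailable instead of failing.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

enum { VMM_OK = 0, VMM_UNAVAILABLE = -1, VMM_ERROR = -2 };

/* Guest program (16-bit real mode, loaded at guest physical address 0), built
 * around the slide's instruction e4 0f = in $0xf,%al. All three instructions
 * trap out of the guest:  e4 0f in $0xf,%al | e6 10 out %al,$0x10 | f4 hlt  */
static const uint8_t guest_code[] = { 0xe4, 0x0f, 0xe6, 0x10, 0xf4 };

#if defined(__linux__) && defined(__x86_64__)
#include <linux/kvm.h>

static sigjmp_buf trap_env;
static void on_sigsegv(int sig) { (void)sig; siglongjmp(trap_env, 1); }

/* Part 1, ring 3 with no VMM: `in` needs IOPL 3 or an I/O-permission bit, so
 * the CPU raises #GP and Linux delivers SIGSEGV. Returns 1 if it trapped. */
int privileged_io_traps_in_userspace(void) {
    struct sigaction sa, old;
    volatile int trapped = 1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsegv;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(trap_env, 1) == 0) {
        unsigned char v;
        __asm__ volatile("inb $0x0f, %0" : "=a"(v));   /* assembles to e4 0f */
        trapped = 0;                                   /* reached only if no trap */
    }
    sigaction(SIGSEGV, &old, NULL);
    return trapped;
}

/* Part 2, the same bytes under a VMM: this function is the monitor. It runs
 * guest_code on a KVM vCPU and emulates every trapped port access. Returns
 * VMM_OK (filling *echoed and *exits), VMM_UNAVAILABLE if KVM cannot be used
 * here, or VMM_ERROR on any exit the monitor does not model. */
int run_guest_under_kvm(uint8_t supplied, uint8_t *echoed, int *exits) {
    int rc = VMM_ERROR, vm = -1, vcpu = -1, run_size = 0;
    void *mem = MAP_FAILED; struct kvm_run *run = MAP_FAILED;
    struct kvm_sregs sregs; struct kvm_regs regs = { .rip = 0, .rflags = 0x2 }; /* bit 1 of RFLAGS is always 1 */
    struct kvm_userspace_memory_region region = { .memory_size = 0x1000 };
    int kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC);
    if (kvm < 0) return VMM_UNAVAILABLE;
    if ((vm = ioctl(kvm, KVM_CREATE_VM, 0)) < 0) { rc = VMM_UNAVAILABLE; goto out; }
    mem = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) goto out;
    memcpy(mem, guest_code, sizeof guest_code);      /* one page of guest RAM at physical 0 */
    region.userspace_addr = (uint64_t)(uintptr_t)mem;
    if (ioctl(vm, KVM_SET_USER_MEMORY_REGION, &region) < 0) goto out;
    if ((vcpu = ioctl(vm, KVM_CREATE_VCPU, 0)) < 0) { rc = VMM_UNAVAILABLE; goto out; }
    run_size = ioctl(kvm, KVM_GET_VCPU_MMAP_SIZE, 0);
    run = mmap(NULL, run_size, PROT_READ | PROT_WRITE, MAP_SHARED, vcpu, 0);
    if (run == MAP_FAILED) goto out;
    if (ioctl(vcpu, KVM_GET_SREGS, &sregs) < 0) goto out;
    sregs.cs.base = 0; sregs.cs.selector = 0;        /* real mode, fetching from 0000:0000 */
    if (ioctl(vcpu, KVM_SET_SREGS, &sregs) < 0 || ioctl(vcpu, KVM_SET_REGS, &regs) < 0) goto out;
    *exits = 0;
    for (;;) {
        if (ioctl(vcpu, KVM_RUN, 0) < 0) goto out;
        (*exits)++;                                   /* one trap into the monitor */
        if (run->exit_reason == KVM_EXIT_HLT) { rc = VMM_OK; goto out; }
        if (run->exit_reason != KVM_EXIT_IO || run->io.size != 1 || run->io.count != 1) goto out;
        uint8_t *data = (uint8_t *)run + run->io.data_offset;
        if (run->io.direction == KVM_EXIT_IO_IN && run->io.port == 0x0f)
            *data = supplied;                         /* emulate the device: answer the read */
        else if (run->io.direction == KVM_EXIT_IO_OUT && run->io.port == 0x10)
            *echoed = *data;                          /* emulate the device: accept the write */
        else
            goto out;                                 /* a port this VMM does not model */
    }
out:
    if (run != MAP_FAILED) munmap(run, run_size); if (mem != MAP_FAILED) munmap(mem, 0x1000);
    if (vcpu >= 0) close(vcpu); if (vm >= 0) close(vm); close(kvm);
    return rc;
}
#else   /* other platforms: build, but report the hardware demo as unavailable */
int privileged_io_traps_in_userspace(void) { return -1; }
int run_guest_under_kvm(uint8_t s, uint8_t *e, int *x) { (void)s; (void)e; (void)x; return VMM_UNAVAILABLE; }
#endif

int main(void) {
    uint8_t echoed = 0; int exits = 0;
    printf("ring 3: in $0xf,%%al %s\n", privileged_io_traps_in_userspace() ? "trapped" : "ran unchecked");
    int rc = run_guest_under_kvm(0x2a, &echoed, &exits);
    if (rc == VMM_OK) printf("guest: %d exits, monitor got 0x%02x back\n", exits, echoed);
    else printf("guest: %s\n", rc == VMM_UNAVAILABLE ? "KVM not available here" : "unexpected exit");
    return 0;
}
```

On a host where /dev/kvm is accessible the guest produces exactly three exits (the `in`, the `out` and the `hlt`) and the monitor gets its own byte back. Every exit is the guest attempting something the monitor must mediate, which is why a VMM’s exit handlers are its attack surface: the guest chooses which ports and which values arrive there, and the fall-through `goto out` is the monitor refusing anything it does not model rather than guessing.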
Wait … what?

Virtualisation and statistical majority?

What’s a statistical majority?
In Popek and Goldberg’s terms: for trap and emulate to be efficient, a statistically dominant subset of the guest’s instructions must execute directly on the real processor, with only the sensitive ones trapping to the monitor.

What just happened?
Trap and emulate

Hypervisor bloat …
A general-purpose hypervisor carries device models and features that a container or function workload never uses, and every one of them is code the guest can reach across the security boundary.
What would a virtual machine look like if it were designed for today’s world of containers and function based services?
Firecracker
• RESTful API
• Networks
• Storage
• Rate limiting
• Metadata

Secure. Fast. Efficient.
What’s new and what’s next?
• [NEW] firectl: command-line tool for managing Firecracker microVMs
• [NEW] Integration with container runtimes like Kata Containers
• [NEXT] Integration to enable containerd to manage Firecracker microVMs

Wrap up
• Open source, Apache License, version 2.0
• Contribute at https://github.com/firecracker-microvm/
• Join the conversation at firecracker-microvm.slack.com

Thank you!
Mitch Beaumont
beaumonm@amazon.com
1 of 43

Recommended

Intro to Reactive Programming by
Intro to Reactive ProgrammingIntro to Reactive Programming
Intro to Reactive ProgrammingStéphane Maldini
16.5K views81 slides
Redux Toolkit - Quick Intro - 2022 by
Redux Toolkit - Quick Intro - 2022Redux Toolkit - Quick Intro - 2022
Redux Toolkit - Quick Intro - 2022Fabio Biondi
528 views45 slides
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space? by
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?ArangoDB Database
1.7K views63 slides
Cours java by
Cours javaCours java
Cours javaZakaria Mouammin
5.5K views343 slides
VictoriaLogs: Open Source Log Management System - Preview by
VictoriaLogs: Open Source Log Management System - PreviewVictoriaLogs: Open Source Log Management System - Preview
VictoriaLogs: Open Source Log Management System - PreviewVictoriaMetrics
2.9K views98 slides
Quarkus Denmark 2019 by
Quarkus Denmark 2019Quarkus Denmark 2019
Quarkus Denmark 2019Max Andersen
606 views44 slides

More Related Content

What's hot

Understanding Reactive Programming by
Understanding Reactive ProgrammingUnderstanding Reactive Programming
Understanding Reactive ProgrammingAndres Almiray
1.2K views54 slides
Observability in Java: Getting Started with OpenTelemetry by
Observability in Java: Getting Started with OpenTelemetryObservability in Java: Getting Started with OpenTelemetry
Observability in Java: Getting Started with OpenTelemetryDevOps.com
378 views26 slides
Rootless Containers by
Rootless ContainersRootless Containers
Rootless ContainersAkihiro Suda
23.1K views54 slides
Fun with Network Interfaces by
Fun with Network InterfacesFun with Network Interfaces
Fun with Network InterfacesKernel TLV
5K views50 slides
Getting up to speed with Kafka Connect: from the basics to the latest feature... by
Getting up to speed with Kafka Connect: from the basics to the latest feature...Getting up to speed with Kafka Connect: from the basics to the latest feature...
Getting up to speed with Kafka Connect: from the basics to the latest feature...HostedbyConfluent
540 views75 slides
Intégration continue et déploiement continue avec Jenkins by
Intégration continue et déploiement continue avec JenkinsIntégration continue et déploiement continue avec Jenkins
Intégration continue et déploiement continue avec JenkinsKokou Gaglo
1.3K views16 slides

What's hot(20)

Understanding Reactive Programming by Andres Almiray
Understanding Reactive ProgrammingUnderstanding Reactive Programming
Understanding Reactive Programming
Andres Almiray1.2K views
Observability in Java: Getting Started with OpenTelemetry by DevOps.com
Observability in Java: Getting Started with OpenTelemetryObservability in Java: Getting Started with OpenTelemetry
Observability in Java: Getting Started with OpenTelemetry
DevOps.com378 views
Rootless Containers by Akihiro Suda
Rootless ContainersRootless Containers
Rootless Containers
Akihiro Suda23.1K views
Fun with Network Interfaces by Kernel TLV
Fun with Network InterfacesFun with Network Interfaces
Fun with Network Interfaces
Kernel TLV5K views
Getting up to speed with Kafka Connect: from the basics to the latest feature... by HostedbyConfluent
Getting up to speed with Kafka Connect: from the basics to the latest feature...Getting up to speed with Kafka Connect: from the basics to the latest feature...
Getting up to speed with Kafka Connect: from the basics to the latest feature...
HostedbyConfluent540 views
Intégration continue et déploiement continue avec Jenkins by Kokou Gaglo
Intégration continue et déploiement continue avec JenkinsIntégration continue et déploiement continue avec Jenkins
Intégration continue et déploiement continue avec Jenkins
Kokou Gaglo1.3K views
Quarkus - a next-generation Kubernetes Native Java framework by SVDevOps
Quarkus - a next-generation Kubernetes Native Java frameworkQuarkus - a next-generation Kubernetes Native Java framework
Quarkus - a next-generation Kubernetes Native Java framework
SVDevOps619 views
Svelte the future of frontend development by twilson63
Svelte   the future of frontend developmentSvelte   the future of frontend development
Svelte the future of frontend development
twilson63556 views
React Native by ASIMYILDIZ
React NativeReact Native
React Native
ASIMYILDIZ135 views
[12]MVVM과 Grab Architecture : MVVM에 가기 위한 여행기 by NAVER Engineering
[12]MVVM과 Grab Architecture : MVVM에 가기 위한 여행기[12]MVVM과 Grab Architecture : MVVM에 가기 위한 여행기
[12]MVVM과 Grab Architecture : MVVM에 가기 위한 여행기
NAVER Engineering2.8K views
Introduction to RxJS by Brainhub
Introduction to RxJSIntroduction to RxJS
Introduction to RxJS
Brainhub3.7K views
Apache Kafka’s Transactions in the Wild! Developing an exactly-once KafkaSink... by HostedbyConfluent
Apache Kafka’s Transactions in the Wild! Developing an exactly-once KafkaSink...Apache Kafka’s Transactions in the Wild! Developing an exactly-once KafkaSink...
Apache Kafka’s Transactions in the Wild! Developing an exactly-once KafkaSink...
HostedbyConfluent679 views
RxJS Operators - Real World Use Cases (FULL VERSION) by Tracy Lee
RxJS Operators - Real World Use Cases (FULL VERSION)RxJS Operators - Real World Use Cases (FULL VERSION)
RxJS Operators - Real World Use Cases (FULL VERSION)
Tracy Lee4.8K views
A guide of PostgreSQL on Kubernetes by t8kobayashi
A guide of PostgreSQL on KubernetesA guide of PostgreSQL on Kubernetes
A guide of PostgreSQL on Kubernetes
t8kobayashi1.4K views
A whirlwind tour of the LLVM optimizer by Nikita Popov
A whirlwind tour of the LLVM optimizerA whirlwind tour of the LLVM optimizer
A whirlwind tour of the LLVM optimizer
Nikita Popov7.4K views

Similar to Deep Dive into Firecracker Using Lightweight Virtual Machines to Enhance the Container Security Boundary - AWS Summit Sydney

The Nitro Project: Next-Generation EC2 Infrastructure - AWS Online Tech Talks by
The Nitro Project: Next-Generation EC2 Infrastructure - AWS Online Tech TalksThe Nitro Project: Next-Generation EC2 Infrastructure - AWS Online Tech Talks
The Nitro Project: Next-Generation EC2 Infrastructure - AWS Online Tech TalksAmazon Web Services
20K views41 slides
C5 Instances and the Evolution of Amazon EC2 Virtualization - CMP332 - re:Inv... by
C5 Instances and the Evolution of Amazon EC2 Virtualization - CMP332 - re:Inv...C5 Instances and the Evolution of Amazon EC2 Virtualization - CMP332 - re:Inv...
C5 Instances and the Evolution of Amazon EC2 Virtualization - CMP332 - re:Inv...Amazon Web Services
3.4K views41 slides
Deep Dive on New Amazon EC2 Instances and Virtualization Technologies - AWS O... by
Deep Dive on New Amazon EC2 Instances and Virtualization Technologies - AWS O...Deep Dive on New Amazon EC2 Instances and Virtualization Technologies - AWS O...
Deep Dive on New Amazon EC2 Instances and Virtualization Technologies - AWS O...Amazon Web Services
601 views41 slides
Security benefits of the Nitro architecture - SEP401-R - AWS re:Inforce 2019 by
Security benefits of the Nitro architecture - SEP401-R - AWS re:Inforce 2019 Security benefits of the Nitro architecture - SEP401-R - AWS re:Inforce 2019
Security benefits of the Nitro architecture - SEP401-R - AWS re:Inforce 2019 Amazon Web Services
6.1K views30 slides
Serverless_Architecture를_응용한_실시간_DW플랫폼_구현 by
Serverless_Architecture를_응용한_실시간_DW플랫폼_구현 Serverless_Architecture를_응용한_실시간_DW플랫폼_구현
Serverless_Architecture를_응용한_실시간_DW플랫폼_구현 Ji hyeong Seo
61 views27 slides
Practical Memory Tuning for PostgreSQL by
Practical Memory Tuning for PostgreSQLPractical Memory Tuning for PostgreSQL
Practical Memory Tuning for PostgreSQLGrant McAlister
105 views68 slides

Similar to Deep Dive into Firecracker Using Lightweight Virtual Machines to Enhance the Container Security Boundary - AWS Summit Sydney(20)

The Nitro Project: Next-Generation EC2 Infrastructure - AWS Online Tech Talks by Amazon Web Services
The Nitro Project: Next-Generation EC2 Infrastructure - AWS Online Tech TalksThe Nitro Project: Next-Generation EC2 Infrastructure - AWS Online Tech Talks
The Nitro Project: Next-Generation EC2 Infrastructure - AWS Online Tech Talks
C5 Instances and the Evolution of Amazon EC2 Virtualization - CMP332 - re:Inv... by Amazon Web Services
C5 Instances and the Evolution of Amazon EC2 Virtualization - CMP332 - re:Inv...C5 Instances and the Evolution of Amazon EC2 Virtualization - CMP332 - re:Inv...
C5 Instances and the Evolution of Amazon EC2 Virtualization - CMP332 - re:Inv...
Amazon Web Services3.4K views
Deep Dive on New Amazon EC2 Instances and Virtualization Technologies - AWS O... by Amazon Web Services
Deep Dive on New Amazon EC2 Instances and Virtualization Technologies - AWS O...Deep Dive on New Amazon EC2 Instances and Virtualization Technologies - AWS O...
Deep Dive on New Amazon EC2 Instances and Virtualization Technologies - AWS O...
Security benefits of the Nitro architecture - SEP401-R - AWS re:Inforce 2019 by Amazon Web Services
Security benefits of the Nitro architecture - SEP401-R - AWS re:Inforce 2019 Security benefits of the Nitro architecture - SEP401-R - AWS re:Inforce 2019
Security benefits of the Nitro architecture - SEP401-R - AWS re:Inforce 2019
Amazon Web Services6.1K views
Serverless_Architecture를_응용한_실시간_DW플랫폼_구현 by Ji hyeong Seo
Serverless_Architecture를_응용한_실시간_DW플랫폼_구현 Serverless_Architecture를_응용한_실시간_DW플랫폼_구현
Serverless_Architecture를_응용한_실시간_DW플랫폼_구현
Ji hyeong Seo61 views
Practical Memory Tuning for PostgreSQL by Grant McAlister
Practical Memory Tuning for PostgreSQLPractical Memory Tuning for PostgreSQL
Practical Memory Tuning for PostgreSQL
Grant McAlister105 views
Reinforcement Learning with Sagemaker, DeepRacer and Robomaker by Alex Barbosa Coqueiro
Reinforcement Learning with Sagemaker, DeepRacer and RobomakerReinforcement Learning with Sagemaker, DeepRacer and Robomaker
Reinforcement Learning with Sagemaker, DeepRacer and Robomaker
A few milliseconds in the life of an HTTP request by Amazon Web Services
A few milliseconds in the life of an HTTP requestA few milliseconds in the life of an HTTP request
A few milliseconds in the life of an HTTP request
The evolution of automated reasoning technology at AWS - SEP201 - AWS re:Info... by Amazon Web Services
The evolution of automated reasoning technology at AWS - SEP201 - AWS re:Info...The evolution of automated reasoning technology at AWS - SEP201 - AWS re:Info...
The evolution of automated reasoning technology at AWS - SEP201 - AWS re:Info...
How to Avoid Common Mistakes at Scale: AWS Developer Workshop at Web Summit 2018 by Amazon Web Services
How to Avoid Common Mistakes at Scale: AWS Developer Workshop at Web Summit 2018How to Avoid Common Mistakes at Scale: AWS Developer Workshop at Web Summit 2018
How to Avoid Common Mistakes at Scale: AWS Developer Workshop at Web Summit 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018 by Amazon Web Services
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Best Practices for Scalable Monitoring (ENT310-S) - AWS re:Invent 2018
Virtual Flink Forward 2020: Lessons learned on Apache Flink application avail... by Flink Forward
Virtual Flink Forward 2020: Lessons learned on Apache Flink application avail...Virtual Flink Forward 2020: Lessons learned on Apache Flink application avail...
Virtual Flink Forward 2020: Lessons learned on Apache Flink application avail...
Flink Forward298 views
The Steady State Reduce Spikiness from GPU Utilization with Apache MXNet (inc... by Amazon Web Services
The Steady State Reduce Spikiness from GPU Utilization with Apache MXNet (inc...The Steady State Reduce Spikiness from GPU Utilization with Apache MXNet (inc...
The Steady State Reduce Spikiness from GPU Utilization with Apache MXNet (inc...
0x32 Shades of #7f7f7f: The Tension Between Absolutes and Ambiguity in Securi... by Amazon Web Services
0x32 Shades of #7f7f7f: The Tension Between Absolutes and Ambiguity in Securi...0x32 Shades of #7f7f7f: The Tension Between Absolutes and Ambiguity in Securi...
0x32 Shades of #7f7f7f: The Tension Between Absolutes and Ambiguity in Securi...
AWS, I Choose You: Pokemon's Battle against the Bots (SEC402-R1) - AWS re:Inv... by Amazon Web Services
AWS, I Choose You: Pokemon's Battle against the Bots (SEC402-R1) - AWS re:Inv...AWS, I Choose You: Pokemon's Battle against the Bots (SEC402-R1) - AWS re:Inv...
AWS, I Choose You: Pokemon's Battle against the Bots (SEC402-R1) - AWS re:Inv...
Amazon Web Services3.8K views

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn... by
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
26.5K views46 slides
Big Data per le Startup: come creare applicazioni Big Data in modalità Server... by
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
5.6K views44 slides
Esegui pod serverless con Amazon EKS e AWS Fargate by
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
4.1K views62 slides
Costruire Applicazioni Moderne con AWS by
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
2.8K views61 slides
Come spendere fino al 90% in meno con i container e le istanze spot by
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
1.8K views21 slides
Open banking as a service by
Open banking as a serviceOpen banking as a service
Open banking as a serviceAmazon Web Services
7.1K views14 slides

More from Amazon Web Services(20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn... by Amazon Web Services
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services26.5K views
Big Data per le Startup: come creare applicazioni Big Data in modalità Server... by Amazon Web Services
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services5.6K views
Esegui pod serverless con Amazon EKS e AWS Fargate by Amazon Web Services
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services4.1K views
Come spendere fino al 90% in meno con i container e le istanze spot by Amazon Web Services
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services1.8K views
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea... by Amazon Web Services
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services3.3K views
OpsWorks Configuration Management: automatizza la gestione e i deployment del... by Amazon Web Services
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services2.6K views
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads by Amazon Web Services
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services1.7K views
Database Oracle e VMware Cloud on AWS i miti da sfatare by Amazon Web Services
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services1.3K views
Crea la tua prima serverless ledger-based app con QLDB e NodeJS by Amazon Web Services
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services1.9K views
API moderne real-time per applicazioni mobili e web by Amazon Web Services
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services1.5K views
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare by Amazon Web Services
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services1.5K views
AWS_HK_StartupDay_Building Interactive websites while automating for efficien... by Amazon Web Services
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Introduzione a Amazon Elastic Container Service by Amazon Web Services
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services2.7K views

Deep Dive into Firecracker Using Lightweight Virtual Machines to Enhance the Container Security Boundary - AWS Summit Sydney

  • 1. S U M M I T SYDNEY
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Deep Dive in to Firecracker: Using lightweight virtual machines to enhance the container security boundary Mitch Beaumont Senior Solutions Architect Amazon Web Services
  • 3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Serverless compute at AWS
  • 4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Running containers and serverless at scale Different security boundaries than instances Inefficient resource utilisation
  • 5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Running containers and serverless at scale Different security boundaries than instances Inefficient resource utilisation
  • 6. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. What would a virtual machine look like if it were designed for today’s world of containers and function based services?
  • 7. S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T Virtualisation <_start>: e9 59 e1 17 00 jmpq ffff82d08037e15e 0f 1f 00 nopl (%rax) <multiboot1_header_start>: 02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh 00 00 add %al,(%rax) fb sti 4f 52 rex.WRXB push %r10 e4 0f in $0xf,%al <multiboot1_header_end>: 0f 1f 40 00 nopl 0x0(%rax) <multiboot2_header_start>: d6 (bad) 50 push %rax 52 push %rdx e8 00 00 00 00 callq ffff82d080200020 88 00 mov %al,(%rax)
  • 9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T <_start>: e9 59 e1 17 00 jmpq ffff82d08037e15e 0f 1f 00 nopl (%rax) <multiboot1_header_start>: 02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh 00 00 add %al,(%rax) fb sti 4f 52 rex.WRXB push %r10 e4 0f in $0xf,%al <multiboot1_header_end>: 0f 1f 40 00 nopl 0x0(%rax) <multiboot2_header_start>: d6 (bad) 50 push %rax 52 push %rdx e8 00 00 00 00 callq ffff82d080200020 88 00 mov %al,(%rax) Virtualisation
  • 10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T <_start>: e9 59 e1 17 00 jmpq ffff82d08037e15e 0f 1f 00 nopl (%rax) <multiboot1_header_start>: 02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh 00 00 add %al,(%rax) fb sti 4f 52 rex.WRXB push %r10 e4 0f in $0xf,%al <multiboot1_header_end>: 0f 1f 40 00 nopl 0x0(%rax) <multiboot2_header_start>: d6 (bad) 50 push %rax 52 push %rdx e8 00 00 00 00 callq ffff82d080200020 88 00 mov %al,(%rax) Virtualisation
  • 11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T <_start>: e9 59 e1 17 00 jmpq ffff82d08037e15e 0f 1f 00 nopl (%rax) <multiboot1_header_start>: 02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh 00 00 add %al,(%rax) fb sti 4f 52 rex.WRXB push %r10 e4 0f in $0xf,%al <multiboot1_header_end>: 0f 1f 40 00 nopl 0x0(%rax) <multiboot2_header_start>: d6 (bad) 50 push %rax 52 push %rdx e8 00 00 00 00 callq ffff82d080200020 88 00 mov %al,(%rax) Virtualisation
  • 12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T <_start>: e9 59 e1 17 00 jmpq ffff82d08037e15e 0f 1f 00 nopl (%rax) <multiboot1_header_start>: 02 b0 ad 1b 03 00 add 0x31bad(%rax),%dh 00 00 add %al,(%rax) fb sti 4f 52 rex.WRXB push %r10 e4 0f in $0xf,%al <multiboot1_header_end>: 0f 1f 40 00 nopl 0x0(%rax) <multiboot2_header_start>: d6 (bad) 50 push %rax 52 push %rdx e8 00 00 00 00 callq ffff82d080200020 88 00 mov %al,(%rax) Virtualisation
  • 13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T What just happened? Ring 0 Ring 1 Ring 2 Ring 3
• 14. Trap and emulate: virtual machine monitor (same listing as slide 9)
• 18. Wait … what?
• 19. Virtualisation and statistical majority?
• 20. What’s a statistical majority?
• 21. What just happened?
• 22. Trap and emulate (same listing as slide 9)
• 23. Hypervisor bloat …
• 24. What would a virtual machine look like if it were designed for today’s world of containers and function based services?
• 25. Firecracker: RESTful API, Networks, Storage, Rate Limiting, Metadata
• 26–28. Secure. Fast. Efficient.
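The slide lists the microVM's configuration surface (RESTful API, networks, storage, rate limiting, metadata) without showing the calls. The following shell script is an added example, not code from the talk or from the Firecracker project: it drives Firecracker's HTTP API over its Unix socket with curl to attach a root drive and a tap-backed network interface, each capped by a token-bucket rate limiter, publish metadata through the MMDS, and start the guest. The socket, kernel, rootfs and tap paths, the guest MAC and the metadata values are assumptions; the endpoint names and JSON shapes are Firecracker's own.

```shell
#!/bin/sh
# Added example, not code from the talk or from the Firecracker project:
# configure and start a microVM through Firecracker's REST API on its Unix
# socket (boot source, rate-limited root drive and NIC, MMDS metadata).
# Assumptions (hypothetical): `firecracker --api-sock "$FC_SOCKET"` is already
# running, the kernel and rootfs paths exist, and the tap device exists.
FC_SOCKET="${FC_SOCKET:-/tmp/firecracker.socket}"
FC_KERNEL="${FC_KERNEL:-/srv/fc/vmlinux}"
FC_ROOTFS="${FC_ROOTFS:-/srv/fc/rootfs.ext4}"
FC_TAP="${FC_TAP:-tap0}"

# Firecracker rate limiters are token buckets: "size" is the bucket capacity
# (bytes for bandwidth, operations for ops) and "refill_time" is how long in
# milliseconds an empty bucket takes to refill, so size/refill_time is the
# sustained rate. $1 = bytes per period, $2 = ops per period (0 = no ops
# bucket), $3 = period in ms.
rate_limiter_json() {
  if [ "${2:-0}" -gt 0 ]; then
    printf '{"bandwidth":{"size":%s,"refill_time":%s},"ops":{"size":%s,"refill_time":%s}}' \
      "$1" "$3" "$2" "$3"
  else
    printf '{"bandwidth":{"size":%s,"refill_time":%s}}' "$1" "$3"
  fi
}

# Root block device capped at $2 bytes/s and $3 IOPS. $1 = image path on host.
drive_json() {
  printf '{"drive_id":"rootfs","path_on_host":"%s","is_root_device":true,"is_read_only":false,"rate_limiter":%s}' \
    "$1" "$(rate_limiter_json "$2" "$3" 1000)"
}

# Network interface on host tap $1, each direction capped at $2 bytes/s.
netif_json() {
  limiter=$(rate_limiter_json "$2" 0 1000)
  printf '{"iface_id":"eth0","host_dev_name":"%s","guest_mac":"AA:FC:00:00:00:01","rx_rate_limiter":%s,"tx_rate_limiter":%s}' \
    "$1" "$limiter" "$limiter"
}

# PUT a JSON body to an API resource and print only the HTTP status code.
fc_put() {
  curl -s -o /dev/null -w '%{http_code}' --unix-socket "$FC_SOCKET" \
    -X PUT "http://localhost/$1" \
    -H 'Accept: application/json' -H 'Content-Type: application/json' \
    -d "$2"
}

# Firecracker answers a successful PUT with 204 No Content; stop on anything else.
fc_put_or_die() {
  code=$(fc_put "$1" "$2")
  [ "$code" = "204" ] || { echo "PUT /$1 failed: HTTP $code" >&2; exit 1; }
}

configure_microvm() {
  # vCPU and memory limits; the hyperthreading/SMT field name differs between
  # releases, so it is left at its default here.
  fc_put_or_die machine-config '{"vcpu_count":2,"mem_size_mib":256}'
  fc_put_or_die boot-source \
    "{\"kernel_image_path\":\"$FC_KERNEL\",\"boot_args\":\"console=ttyS0 reboot=k panic=1 pci=off\"}"
  # 1 MiB/s and 100 IOPS on the root disk.
  fc_put_or_die drives/rootfs "$(drive_json "$FC_ROOTFS" 1048576 100)"
  # 10 MiB/s in each direction on the guest's only NIC.
  fc_put_or_die network-interfaces/eth0 "$(netif_json "$FC_TAP" 10485760)"
  # Metadata the guest reads from the MMDS at 169.254.169.254 (the default);
  # values are hypothetical. Newer releases also need PUT /mmds-config to
  # attach the MMDS to a network interface before the guest can reach it.
  fc_put_or_die mmds '{"latest":{"meta-data":{"instance-id":"i-example","role":"worker"}}}'
  fc_put_or_die actions '{"action_type":"InstanceStart"}'
  echo "microVM started via $FC_SOCKET"
}

if [ -S "$FC_SOCKET" ]; then
  configure_microvm
else
  echo "no Firecracker API socket at $FC_SOCKET; JSON helpers defined, nothing sent" >&2
fi
```

Everything the guest can consume (vCPUs, memory, disk bandwidth and IOPS, network bandwidth) is fixed by the host-side process before the guest boots, and the API socket is the only control channel, so protecting that socket is part of the microVM's security boundary.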
• 37. Serverless compute at AWS
• 41. What’s new and what’s next?
  • [NEW] Firectl: command-line tool for managing Firecracker microVMs
  • [NEW] Integration with container runtimes like Kata Containers
  • [NEXT] Integration to enable containerd to manage Firecracker microVMs
• 42. Wrap up
  • Open source under the Apache License, version 2.0
  • Contribute at https://github.com/firecracker-microvm/
  • Join the conversation at firecracker-microvm.slack.com
• 43. Thank you! Mitch Beaumont, beaumonm@amazon.com