Edera has just launched Styrolite, a new open-source project designed to provide enhanced security for container runtimes. Unlike traditional security measures that focus on upper layers like the Open Container Initiative (OCI) runtimes, Styrolite takes a deeper approach by securing the interactions between containers and Linux kernel namespaces. Operating beneath the surface of tools like containerd, Styrolite aims to address a critical gap in container security, especially in an era where supply chain vulnerabilities, like those seen in the Log4j and XZ Utils incidents, dominate the conversation.
Despite years of progress in securing container environments, the runtime itself remains a tempting target for attackers. Exploits targeting low-level kernel subsystems, such as the Dirty Cow and Dirty Pipe vulnerabilities, allow attackers to break out of containers and escalate their privileges. This is where Styrolite comes in: it acts as a programmable sandboxing tool that gives platform engineering teams the ability to quarantine container interactions with Linux namespaces. By doing so, Styrolite adds an extra layer of protection at a crucial point in the container runtime process.
The idea for Styrolite comes from Ariadne Conill, the co-founder and distinguished engineer at Edera. Conill has long been concerned with the lack of strong isolation in container runtimes, pointing out that while Linux namespaces allow containers to share system resources in multi-tenant environments, they were never designed with security boundaries in mind. “Namespaces can’t provide true isolation because they exist as part of the shared kernel state,” Conill explains. Styrolite seeks to change that by providing engineers with more control over how containers interact with the kernel at the most fundamental level.
Styrolite’s design is rooted in practicality and modernity. Written in Rust and built as a microservice, it offers a solution that bridges the gap between cloud-native computing and traditional security measures like virtualization-based security. Styrolite’s functionality is comparable to a container runtime interface (CRI) but with a focus on securing the critical processes that govern how containers interact with kernel namespaces. Through Styrolite, engineers gain granular control over the lifecycle of these interactions, securing areas such as timekeeping, mounts, and process collections. By doing so, it allows for tighter security while maintaining the flexibility containers need in dynamic environments.