Firecracker: Installing Aporeto Enforcer

By: Jody Scott 05.17.2019
Firecracker: Installing Aporeto Enforcer

In November 2018, Amazon presented Firecracker at AWS Reinvent, a new virtualization and open source technology that enables service owners to operate secure multi-tenant, container-based services by combining the speed, resource efficiency, and performance enabled by containers. This is combined with the security and isolation offered by traditional Virtual Machines (VM).

Firecracker Components

Firecracker uses a virtual machine manager (VMM) based on Linux’s Kernel-based Virtual Machine (KVM). It also provides a RESTful API to create and manage microVMs with any combination of vCPU and memory to match application requirements.

How is Firecracker built?

Firecracker is built with minimal device emulation that enables faster startup time, provides a reduced memory footprint for each microVM, and offers a trusted sandboxed environment for each container. Furthermore, Amazon elected to release Firecracker as an open source project under Apache 2.0.

If you use functions as an Amazon service, you benefit from Firecracker without needing to do anything extra. But if you want to use Firecracker directly, you will need an image and a kernel. Amazon provides an example that you can download but the information on how to build your own is scant. So we wrote a script and put this blog post together to help you.

This is a three-part post covering how to build the EXT4 filesystem, the Linux Kernel (and modules), and finally how to install the Aporeto Enforcer. This blog entry builds upon the work we did in the first and second blog entry, and it covers installing the Aporeto Enforcer.

The Aporeto Enforcer

How does Aporeto assign all apps and processes a cryptographic identity? Through careful mining of metadata. Our Aporeto Enforcer acts as a trusted component, and runs on every workload server in the infrastructure. The Enforcer uses a metadata extractor to collect an application’s runtime information for generating its fingerprint. Once metadata are extracted from a combination of static, user, and dynamic information sources, we can create a multi-attribute identity that is a cryptographically-signed JSON document. This dynamic identity can be now used to validate the application with other systems. The local data is discoverable by a user, and works as the foundation of identity.

The poetry of the Aporeto approach is that it flips the internet’s fundamentally open design with an even older piece of classic computer science. Aporeto piggybacks on the embryonic IP session identity-exchange that began with the Diffie–Hellman key exchange. We initiate data exchange at the moment of Syn-SynAck handshake, inject the cryptographically signed JSOC document as payload into the Syn-packet, and hand it back to the network. It is this signature that the Enforcer then judges. This makes the whole process mutual, and end-to-end.

The build instructions can be found here.


Recent Posts How to Combat Cloud Hacking Application-aware Security, Part 3: Authentication & Communication Protocol Firecracker: Building The EXT4 Filesystem Image