Tagged articles

9 articles

Page 1 of 1

Apr 9, 2026 · Information Security

Why Traditional AI Agent Sandboxes Fail and How Sandlock Provides a Lightweight Alternative

The article argues that heavy container‑ or micro‑VM‑based sandboxes mis‑solve AI agent security, because the real threat is prompt injection at the application layer, and demonstrates that a policy‑first approach using Linux Landlock, seccomp and per‑tool isolation—embodied in the open‑source Sandlock sandbox—delivers strong protection without root or heavyweight isolation.

AI agentsLandlockLinux

0 likes · 15 min read

Why Traditional AI Agent Sandboxes Fail and How Sandlock Provides a Lightweight Alternative

Black & White Path

Feb 21, 2026 · Information Security

Bypassing Linux Pkeys Security Mechanism in a PWN Challenge

An in‑depth analysis of Linux Memory Protection Keys (pkeys), their x86_64 and arm64 implementations, related syscalls, and a step‑by‑step exploit that randomises PKRU permissions and then uses WRPKRU to bypass the restrictions and capture the flag in a CTF PWN challenge.

CTFExploitLinux

0 likes · 12 min read

Bypassing Linux Pkeys Security Mechanism in a PWN Challenge

System Architect Go

Oct 11, 2024 · Information Security

How Kubernetes Secures Pods with Seccomp, AppArmor, and SELinux

This article explains how Kubernetes leverages the Linux kernel security mechanisms Seccomp, AppArmor, and SELinux together with Pod Security Standards and the built‑in admission controller to enforce fine‑grained security policies for container workloads in cloud‑native environments.

AppArmorCloud NativeKubernetes

0 likes · 8 min read

How Kubernetes Secures Pods with Seccomp, AppArmor, and SELinux

AntTech

Jul 18, 2023 · Information Security

HODOR: Shrinking the Attack Surface on Node.js via System Call Limitation

Researchers from Shanghai Jiao Tong University, Ant Security Light-Year Lab, and Zhejiang University present HODOR, a system that reduces the attack surface of Node.js applications by generating fine-grained system‑call allowlists using Seccomp, achieving an average 80% reduction in exploit surface with negligible runtime overhead.

Node.jsSystem Callruntime protection

0 likes · 12 min read

HODOR: Shrinking the Attack Surface on Node.js via System Call Limitation

System Architect Go

Mar 28, 2023 · Operations

30× Faster OCI Container Startup: Kernel and Seccomp Tweaks Explained

By profiling the OCI runtime with hyperfine and applying a series of kernel patches, seccomp hash optimizations, and BPF compilation caching, the author reduced container start‑up time from roughly 160 ms in 2017 to just over 5 ms today—a near 30‑fold speedup.

BPFLinux kernelOCI

0 likes · 15 min read

30× Faster OCI Container Startup: Kernel and Seccomp Tweaks Explained

Programmer DD

Dec 1, 2020 · Cloud Native

Boost Your Kubernetes Pod Security with 9 Essential Best Practices

This article outlines nine practical Kubernetes pod‑level security configurations—including security contexts, privilege escalation, non‑root users, resource limits, service account tokens, seccomp profiles, capabilities, and read‑only filesystems—to help you harden containers against attacks and improve cluster stability.

KubernetesPod SecuritySecurity Context

0 likes · 7 min read

Boost Your Kubernetes Pod Security with 9 Essential Best Practices

DevOps

Nov 1, 2018 · Information Security

Docker Security Features: Capabilities, Image Signing, AppArmor, Seccomp, User Namespaces and More

This article explains Docker's built‑in security mechanisms—including Linux kernel capabilities, image signing, AppArmor MAC, Seccomp syscall filtering, user namespaces, SELinux, PID limits and additional kernel hardening tools—provides configuration examples, command‑line demonstrations, and guidance on using them safely.

AppArmorContainer SecurityImage Signing

0 likes · 16 min read

Docker Security Features: Capabilities, Image Signing, AppArmor, Seccomp, User Namespaces and More

Hujiang Technology

Sep 5, 2017 · Information Security

Understanding Android O seccomp Filters and Illegal System Calls

The article explains how Android O uses seccomp filters in the zygote process to block unused or dangerous system calls, how developers can detect and avoid illegal calls that cause crashes, and how to test or disable the filter on development builds.

AndroidSystem Callskernel

0 likes · 6 min read

Understanding Android O seccomp Filters and Illegal System Calls

GF Securities FinTech

Sep 14, 2016 · Information Security

Securing Docker Microservices: Key Strategies from DockerCon 2016

At DockerCon 2016, Aaron Grattafiori outlined a comprehensive security framework for container‑based microservices, emphasizing user namespaces, custom AppArmor/SELinux policies, sec‑comp whitelists, hardened host OS, limited host access, network security, immutable containers, and secret management to achieve high‑assurance deployments.

AppArmorContainer SecurityDocker

0 likes · 11 min read

Securing Docker Microservices: Key Strategies from DockerCon 2016