
SBA Live Academy - Secure Containers for Developer by Mathias Tausig


Target Group: SysAdmins, Developers, DevOps
Focus: technical
Talk language: English

Abstract
**********
What are Containers and what makes them secure to use? Which different types of Containers are out there and how can I best use them securely? What container types are there beyond Docker?

About the Speaker:
*********************
Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

  1. Secure Containers for Developers
     Mathias Tausig, SBA Research gGmbH
     SBA Live Academy 2020

  2. History

  3. Container History I
     • Since the 1980s, the chroot technology has allowed parts of the filesystem to be separated from each other on *NIX systems
     • Parallel to the rise of virtualization in 2000, interest in a more lightweight OS virtualization grew
       ◦ 2000: Virtuozzo (Linux, Windows)
         − 2005: OpenVZ
       ◦ 2000: Jails (BSD)
       ◦ 2001: Linux VServer
       ◦ 2004: Zones (Solaris)

  4. Container History II
     • Around the same time, generic interfaces in the Linux kernel were developed:
       ◦ 1998: AppArmor
       ◦ 2000: SELinux
       ◦ 2002: Namespaces
       ◦ 2007: CGroups
     • 2008 saw the first release of LXC (Linux Containers), a userspace interface to create virtualized environments using these technologies
       ◦ No kernel modification necessary
     • In 2013, the company dotCloud Inc. released the first version of its container software: Docker
       ◦ Initially based on LXC
       ◦ Switched to the libcontainer interface to use the kernel’s capabilities

  5. Containers

  6. VM vs. Container
     While a virtual machine always runs a full OS on virtual hardware, a container is part of the current host system and shares its resources (especially the kernel).

  7. VM vs. Container
     A container is more lightweight than a VM.
     • Less storage space
     • Less memory
     • Much faster creation and startup
     These performance advantages are offset by weaker isolation. Since all containers share the same kernel, an exploit on the kernel level can compromise all containers on the host.

  8. System- vs. application-container
     • An application container is used to run a single process. If that process is stopped, the corresponding container is terminated as well.
     • A system container is able to run multiple processes while keeping a persistent state over a long time.

  9. Privileged containers
     A privileged container is one running with root privileges on the host system.[1] An unprivileged container does not have those capabilities.[2]
     [1] Default for Docker
     [2] Default for LXC

  10. Linux containment features

  11. Namespaces
     • Since kernel 3.12
     • Used to isolate system resources and processes
     • Provides a certain resource to a process in an abstracted fashion
       ◦ pid: Containers may administer their own process hierarchy while having their own (logical) init process with PID 1
       ◦ user: Isolation of user and group IDs (uid and gid) allows a process to run processes as “root” without granting it elevated privileges on the host system
       ◦ net: Provides separated network devices and configurations as well as routing tables
       ◦ mnt: Each container can have its own view of the filesystem hierarchy
       ◦ ...
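The user namespace bullet is the one that makes unprivileged containers possible, so here is an added example (not part of the slides) showing the arithmetic behind it. The kernel exposes a container's mapping in /proc/<pid>/uid_map, one range per line as "<id inside the namespace> <id outside> <length>". The map used below is a constructed sample, not read from a system; it resembles an unprivileged LXD container whose root is backed by host uid 165536, which is the uid that the ps output on the privileged-containers slides shows for the container's tail process. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the slides: translating UIDs across a user namespace.
# /proc/<pid>/uid_map holds one range per line: "<inside> <outside> <length>".
# Constructed sample map (not read from a live system): container uid 0..65535
# is backed by host uid 165536..231071.
UID_MAP='0 165536 65536'

# host_to_container HOST_UID [MAP]: print the uid a host uid has inside the
# namespace, or "unmapped" if it lies outside every range (so a process with
# that uid cannot belong to this container).
host_to_container() {
    huid=$1
    map=${2:-$UID_MAP}
    result=unmapped
    # A here-document instead of a pipe keeps the loop in the current shell,
    # so the assignment to result survives it.
    while read -r inside outside length; do
        if [ -z "$inside" ]; then continue; fi
        if [ "$huid" -ge "$outside" ] && [ "$huid" -lt $((outside + length)) ]; then
            result=$((inside + huid - outside))
            break
        fi
    done <<EOF
$map
EOF
    echo "$result"
}

# container_to_host NS_UID [MAP]: the reverse lookup, e.g. which host uid the
# container's "root" really is.
container_to_host() {
    nuid=$1
    map=${2:-$UID_MAP}
    result=unmapped
    while read -r inside outside length; do
        if [ -z "$inside" ]; then continue; fi
        if [ "$nuid" -ge "$inside" ] && [ "$nuid" -lt $((inside + length)) ]; then
            result=$((outside + nuid - inside))
            break
        fi
    done <<EOF
$map
EOF
    echo "$result"
}

# describe_host_uid HOST_UID [MAP]: classify a uid as it appears in ps on the
# host. uid 0 outside any mapping is real root, which is what the processes of
# a privileged container run as.
describe_host_uid() {
    inside=$(host_to_container "$1" "${2:-$UID_MAP}")
    if [ "$inside" = unmapped ]; then
        if [ "$1" -eq 0 ]; then
            echo "host root (unconfined by the user namespace)"
        else
            echo "host uid $1 (not a container uid)"
        fi
    else
        echo "container uid $inside (host uid $1)"
    fi
}

# Stand-alone demo with the two uids seen in the slides' ps output.
for uid in 0 165536; do
    echo "$uid -> $(describe_host_uid "$uid")"
done
echo "container root is host uid $(container_to_host 0)"
```

On a real host, pass the container's actual map as the second argument, e.g. `host_to_container 165536 "$(cat /proc/<container-init-pid>/uid_map)"`; a host uid that comes back as "unmapped" is not confined by that container's user namespace at all.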
  12. cgroups
     To limit the negative consequences a container can have for the host system, Control Groups (cgroups) may be used. They are built out of various subsystems, each of which limits a certain resource for a container.
     • blkio: Limits access to block devices
     • cpu, cpuacct, cpusets: Limits CPU access
     • devices: Access to devices can be granted
     • freezer: Allows stopping and waking up tasks
     • hugetlb, memory: Limits available RAM
     • net_cls, net_prio: Used for network prioritization
     • perf_event: Used for process monitoring

  13. SELinux / AppArmor
     The kernel security modules SELinux and AppArmor greatly extend the usual Discretionary Access Control (DAC) model of Linux access control policies with a much more advanced and powerful Mandatory Access Control (MAC) system. This allows, e.g., limiting which files a certain process may access, or cutting off its network access.

  14. Linux Containers

  15. What is LXC?
     LXC is a userspace interface for the Linux kernel containment features. Through a powerful API and simple tools, it lets Linux users easily create and manage system or application containers.
     – https://linuxcontainers.org

  16. Frontends
     LXC containers can be created and managed using different tools:
     • Direct usage of liblxc and lxc-utils
     • Usage of a frontend
       ◦ libvirt
       ◦ ProxMox
       ◦ LXD

  17. LXD
     LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead.
     – https://linuxcontainers.org/lxd/introduction/

  18. LXD Architecture
     LXD is based on a daemon (which in turn is based on liblxc) which provides a REST API. This API is consumed by the command line tool lxc.[3]
     [3] No typo. The tool is really named like this.

  19. Images
     New containers are not installed, they get cloned from a base image, which is retrieved from a repository.[4]
     [4] local or online

  20. Use Cases
     Developer
     • Isolated execution of applications
     • Development environments with separated dependencies
     • Test environments

  21. LXD Tutorial

  22. Requirements
     The following scenarios assume the following:
     • Ubuntu 18.04 Bionic 64 bit is used
     • Packages lxd, lxdtool are installed
     • User is part of the group lxd[5]
     [5] Disclaimer: As with docker, this is equivalent to giving the user root privileges on the system. Take care.

  23. Documentation
     • Official documentation: https://linuxcontainers.org/lxd/docs/master/
     • Blog of Stéphane Graber: https://stgraber.org/category/lxd/

  24. Initialize
     $ lxd init
     Would you like to use LXD clustering? (yes/no) [default=no]: no
     Do you want to configure a new storage pool? (yes/no) [default=yes]: yes
     Name of the new storage pool [default=default]: mystorage
     Would you like to connect to a MAAS server? (yes/no) [default=no]: no
     Would you like to create a new local network bridge? (yes/no) [default=yes]: yes
     What should the new bridge be called? [default=lxdbr0]: lxdlocal
     What IPv4 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: auto
     What IPv6 address should be used? (CIDR subnet notation, "auto" or "none") [default=auto]: none
     Would you like LXD to be available over the network? (yes/no) [default=no]: no
     Would you like stale cached images to be updated automatically? (yes/no) [default=yes] no
     Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: yes

  25. Images
     $ lxc remote list
     +-----------------+------------------------------------------+---------------+
     |      NAME       |                   URL                    |   PROTOCOL    |
     +-----------------+------------------------------------------+---------------+
     | images          | https://images.linuxcontainers.org       | simplestreams |
     +-----------------+------------------------------------------+---------------+
     | local (default) | unix://                                  | lxd           |
     +-----------------+------------------------------------------+---------------+
     | ubuntu          | https://cloud-images.ubuntu.com/releases | simplestreams |
     +-----------------+------------------------------------------+---------------+
     | ubuntu-daily    | https://cloud-images.ubuntu.com/daily    | simplestreams |
     +-----------------+------------------------------------------+---------------+

  26. Images
     $ lxc image list ubuntu:
     +-------------------------------------------------+---------+----------+
     |                   DESCRIPTION                   |  ARCH   |   SIZE   |
     +-------------------------------------------------+---------+----------+
     | ubuntu 17.10 amd64 (release) (20180706)         | x86_64  | 169.51MB |
     +-------------------------------------------------+---------+----------+
     | ubuntu 17.10 arm64 (release) (20180706)         | aarch64 | 153.62MB |
     +-------------------------------------------------+---------+----------+
     | ubuntu 17.10 armhf (release) (20180706)         | armv7l  | 152.81MB |
     +-------------------------------------------------+---------+----------+
     ...
     $ lxc image list images:
     +----------------------------------------------+---------+-----------+
     |                 DESCRIPTION                  |  ARCH   |   SIZE    |
     +----------------------------------------------+---------+-----------+
     | Alpine 3.6 amd64 (20190402_13:00)            | x86_64  | 3.17MB    |
     +----------------------------------------------+---------+-----------+
     | Alpine 3.6 arm64 (20190402_13:00)            | aarch64 | 3.07MB    |
     +----------------------------------------------+---------+-----------+
     ...

  27. Container lifecycle
     $ lxc launch ubuntu:bionic test
     Creating test
     Starting test
     $ lxc list
     +------+---------+---------------------+------+------------+-----------+
     | NAME |  STATE  |        IPV4         | IPV6 |    TYPE    | SNAPSHOTS |
     +------+---------+---------------------+------+------------+-----------+
     | test | RUNNING | 10.114.13.24 (eth0) |      | PERSISTENT | 0         |
     +------+---------+---------------------+------+------------+-----------+
     $ lxc exec test -- /bin/bash
     root@test:~# exit
     $ lxc stop test
     $ lxc rm test

  28. BTRFS storage
     $ lxc storage create mybtrfs btrfs source=/dev/loop0
     Storage pool mybtrfs created
     $ df -h
     Filesystem      Size  Used Avail Use% Mounted on
     udev            7,8G     0  7,8G   0% /dev
     tmpfs           1,6G  2,0M  1,6G   1% /run
     /dev/sda2       117G   11G  100G  10% /
     [...]
     /dev/loop0       30G   17M   28G   1% /var/lib/lxd/storage-pools/mybtrfs
     $ lxc storage show mybtrfs
     config:
       source: 031d08f0-ed03-4f39-8274-03fc4a12688c
       volatile.initial_source: /dev/loop0
     description: ""
     name: mybtrfs
     driver: btrfs
     used_by: []
     status: Created
     locations:
     - none

  29. Profile
     $ lxc profile create myprof
     $ cat lxd-profile-myprof.yaml
     config:
       user.vendor-data: |
         #cloud-config
         users:
           - name: ubuntu
             ssh_authorized_keys:
               - ssh-ed25519 AAAAC3Nza[...]oJmMZ7Y5YlrYA mat@office
             shell: /bin/bash
     description: My brandnew LXD profile
     devices:
       eth0:
         name: eth0
         nictype: bridged
         parent: lxdlocal
         type: nic
       root:
         path: /
         pool: mybtrfs
         type: disk
         size: 10GB
     name: myprofile
     $ lxc profile edit myprof < lxd-profile-myprof.yaml

  30. Profile
     $ lxc launch ubuntu:18.04 web --profile myprof
     $ lxc profile show myprof
     config:
       user.vendor-data: |
         #cloud-config
         users:
           - name: ubuntu
             ssh_authorized_keys:
               - ssh-ed25519 AAAAC3Nza[...]oJmMZ7Y5YlrYA mat@office
             shell: /bin/bash
             group: sudo
     description: My brandnew LXD profile
     devices:
       eth0:
         name: eth0
         nictype: bridged
         parent: lxdlocal
         type: nic
       root:
         path: /
         pool: mybtrfs
         size: 10GB
         type: disk
     name: myprof
     used_by: [web]

  31. Shared Disk
     $ lxc config device add test srcdir disk path=/home/ubuntu/src source=/home/my/src
     Device srcdir added to shared
     $ ssh ubuntu@10.45.238.167
     ubuntu@shared:~$ mount
     /dev/dm-5 on / type btrfs (rw,relatime,ssd,[...])
     none on /dev type tmpfs (rw,relatime,size=492k,mode=755,uid=165536,gid=165536)
     ...
     /dev/mapper/myvg-home on /home/ubuntu/src type ext4 (rw,relatime,data=ordered)
     ...
     ubuntu@shared:~$ df
     Filesystem            1K-blocks     Used Available Use% Mounted on
     /dev/dm-5              36700160 21135324  14910740  59% /
     none                        492        0       492   0% /dev
     udev                    3898488        0   3898488   0% /dev/tty
     tmpfs                       100        0       100   0% /dev/lxd
     tmpfs                       100        0       100   0% /dev/.lxd-mounts
     tmpfs                   3930688        0   3930688   0% /dev/shm
     tmpfs                   3930688      172   3930516   1% /run
     tmpfs                      5120        0      5120   0% /run/lock
     tmpfs                   3930688        0   3930688   0% /sys/fs/cgroup
     /dev/mapper/myvg-home  95593892 85171544   5523328  94% /home/ubuntu/src
     tmpfs                    786136        0    786136   0% /run/user/1000

  32. Network
     $ lxc network create isolated
     Network isolated created
     $ lxc network set isolated ipv4.nat false
     $ lxc network set isolated ipv6.address none
     $ lxc network set isolated ipv6.nat false
     $ lxc network attach isolated webdev
     $ lxc network show isolated
     config:
       ipv4.address: 10.81.238.1/24
       ipv4.nat: "false"
       ipv6.address: none
       ipv6.nat: "false"
     description: ""
     name: isolated
     type: bridge
     used_by:
     - /1.0/containers/webdev
     managed: true
     status: Created
     locations:
     - none

  33. Privileged containers
     $ lxc config set webdev security.privileged true
     $ lxc config show webdev
     architecture: x86_64
     config:
       image.architecture: amd64
       image.description: ubuntu 18.04 LTS amd64 (release) (20190813.1)
       [...]
       security.privileged: "true"
       [...]
       volatile.isolated.hwaddr: 00:16:3e:4f:47:15
       volatile.isolated.name: eth1
       volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":165536,[...]}]'
       volatile.last_state.power: RUNNING
     devices:
       isolated:
         nictype: bridged
         parent: isolated
         type: nic
     ephemeral: false
     profiles:
     - default
     stateful: false
     description: ""

  34. Privileged containers
     $ lxc config set webdev security.privileged true
     $ lxc restart webdev
     $ lxc shell webdev
     root@webdev:~# tail -f /var/log/syslog &
     Oct 11 16:30:30 webdev systemd[1]: Stopped target Login Prompts.
     [...]
     root@webdev:~# logout
     $ ps aux | grep "tail -f"
     root     19655 [...] 18:30 0:00 tail -f /var/log/syslog
     $ lxc config set webdev security.privileged false
     $ lxc restart webdev
     $ lxc shell webdev
     root@webdev:~# tail -f /var/log/syslog &
     Oct 11 16:31:04 gitolite systemd[1]: Started User Manager for UID 0.
     [...]
     root@webdev:~# logout
     $ ps aux | grep "tail -f"
     165536   20938 [...] 18:31 0:00 tail -f /var/log/syslog
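The last three slides show the settings a developer is most likely to loosen on a dev box: security.privileged, a disk device that exposes a host directory, and (from the cgroups slide) resource limits that are simply never set. The following is an added example, not part of the slides or of LXD, that audits an `lxc config show` dump for exactly these points. The two YAML dumps are constructed samples in the layout the slides show; the function names are mine, and limits.cpu / limits.memory are LXD's instance configuration keys for cgroup limits, which the slides do not show.

```shell
#!/bin/sh
# Added example, not from the slides: audit "lxc config show" output for the
# settings the talk flags as risky. The two dumps below are constructed sample
# data shaped like the slides' output, not real containers.

# Constructed: switched to privileged and sharing a host directory (compare the
# "Privileged containers" and "Shared Disk" slides).
SAMPLE_PRIVILEGED='architecture: x86_64
config:
  image.description: ubuntu 18.04 LTS amd64 (release) (20190813.1)
  security.privileged: "true"
  volatile.last_state.power: RUNNING
devices:
  isolated:
    nictype: bridged
    parent: isolated
    type: nic
  root:
    path: /
    pool: mybtrfs
    type: disk
  srcdir:
    path: /home/ubuntu/src
    source: /home/my/src
    type: disk
ephemeral: false
profiles:
- default'

# Constructed: the same container kept unprivileged, without the host mount and
# with cgroup limits set through the LXD keys limits.cpu and limits.memory.
SAMPLE_HARDENED='architecture: x86_64
config:
  image.description: ubuntu 18.04 LTS amd64 (release) (20190813.1)
  limits.cpu: "2"
  limits.memory: 1GB
  security.privileged: "false"
devices:
  isolated:
    nictype: bridged
    parent: isolated
    type: nic
  root:
    path: /
    pool: mybtrfs
    type: disk
ephemeral: false
profiles:
- default'

# is_privileged CONFIG: exit 0 if security.privileged is true (quoted or not).
is_privileged() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]+security\.privileged:[[:space:]]*"?true"?[[:space:]]*$'
}

# host_disk_sources CONFIG: print "<device> <host path>" for every disk device
# whose source is a host path (pool-backed disks such as root have no source).
host_disk_sources() {
    printf '%s\n' "$1" | awk '
        /^devices:/             { indev = 1; next }
        indev && /^[^ ]/        { indev = 0 }
        indev && /^  [^ ]/      { dev = $1; sub(/:$/, "", dev); next }
        indev && /^    type:/   { type[dev] = $2 }
        indev && /^    source:/ { source[dev] = $2 }
        END {
            for (d in type)
                if (type[d] == "disk" && source[d] ~ /^\//)
                    print d, source[d]
        }' | sort
}

# has_config_key CONFIG KEY: exit 0 if KEY appears in the config: section.
has_config_key() {
    printf '%s\n' "$1" | grep -Fq "  $2:"
}

# audit_container NAME CONFIG: print findings; exit 1 if the container is
# privileged or exposes host paths, 0 otherwise. Missing limits are warnings.
audit_container() {
    name=$1
    cfg=$2
    rc=0
    if is_privileged "$cfg"; then
        echo "$name: security.privileged=true, container root is host root"
        rc=1
    fi
    disks=$(host_disk_sources "$cfg")
    if [ -n "$disks" ]; then
        printf '%s\n' "$disks" | while read -r dev src; do
            echo "$name: disk device $dev exposes host path $src"
        done
        rc=1
    fi
    for key in limits.cpu limits.memory; do
        if ! has_config_key "$cfg" "$key"; then
            echo "$name: warning, $key not set (no cgroup limit)"
        fi
    done
    return $rc
}

# Stand-alone demo on the constructed dumps. On a real host you would run
#   audit_container webdev "$(lxc config show webdev)"
audit_container webdev "$SAMPLE_PRIVILEGED" || echo "webdev: FAIL"
audit_container webdev-hardened "$SAMPLE_HARDENED" && echo "webdev-hardened: OK"
```

The parser deliberately handles only the flat `config:` map and the two-level `devices:` map that `lxc config show` emits; it is meant as a quick pre-commit or CI check over `lxc list -c n` output, not as a general YAML reader.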
  35. The End!

  36. Classification: Public
     SBA Research
     Professional Services: Penetration Testing | Architecture Reviews | Security Audit | Security Trainings | Incident Response Readiness | ISMS & ISO 27001 Consulting
     Bridging Science and Industry
     Applied Research: Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
     Knowledge Transfer: SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
     Contact us: anfragen@sba-research.org