Finding Your Way in Container Security

Ksenia Peguero
September 19, 2023
Finding You Way in Container Security

© 2023 Synopsys, Inc. 2
Synopsys Confidential Information
whoami
• Current: Sr. Manager of Softwre Engineering
at Synopsys Software Integrity Group
• Prior: Principal Consultant at Cigital/Synopsys
• PhD in Computer Science
• Mother
• Ballroom dancing & diving
• @KseniaDmitrieva

Agenda
• Introduction to container technologies
• Challenges for DevSecOps engineers
• Common container threats and real-world attacks
• How to secure components of container infrastructure
• Standards and resources for container security
• Best practices to secure containers

What is a container?
• Containerization is not new. The first ones
appeared in 1999 as FreeBSD Jails
• Modern containers took off in 2013 (Docker)
Containers are executable units of software in
which application code is packaged, along with its
libraries and dependencies, in common ways so
that it can be run anywhere, whether it be on
desktop, traditional IT, or the cloud. (IBM)
• Containers use operating system virtualization
– Using namespaces and cgroups to isolate
processes, CPU, memory, disk

Containers vs Virtual Machines
Hypervisor
Hardware
• Isolation of machines
• Hardware virtualization
Host OS
Kernel
Hardware
• Process isolation
• Operating system virtualization >
Application virtualization
C 1 C 2 C 3 C 4
Containers Virtual Machines
VM1
OS
VM2
OS
VM3
OS
VM4
OS

Components of container infrastructure
Container
image
image creation
Image registry
image storage and retrieval
Orchestrator
automating deployment,
management, scaling,
security management
Container runtime
>_
loading container images,
spinning up containers,
managing network, local
resources
Host OS
running the container runtime

Main benefits:
• Lightweight
• Portable and platform independent
• Support modern development and architecture
• Improve utilization of CPU and memory
According to the IBM report, “containers are delivering real-world
business benefits”:
• Improved application quality
• Faster time to market
• Improved employee productivity
• Higher customer satisfaction
• Reduced application downtime
https://www.ibm.com/downloads/cas/VG8KRPRM
Benefits of using containers
This Photo by Unknown Author is licensed under CC BY

https://www.ibm.com/downloads/cas/VG8KRPRM
Challenges of using containers (in 2020)
Talent and
knowledge
Insufficient internal expertise
Complexity of learning containerization strategies and technologies
Challenges in redesigning existing on-premises enterprise application for containers
Costs
Uncertainty regarding the time and costs involved in container projects
No clear way to assess ROI or track benefits concretely
Difficulty predicting container performance, undermining confidence in meeting SLAs
Management
Difficulty cataloging, curating and managing containers as they proliferate across our environment
Difficulty managing, sharing and securing data across containers
Tooling
Immaturity of internal, homegrown tools for container development and management
Lack of enterprise-grade security capabilities

Examples of Container Vulnerabilities
• CVE-2014-9357
• CVE-2019-5021
• CVE-2019-15752
• CVE-2019-11246
Container
image
Image registry
Orchestrator
Container runtime
>_
Host OS

• Docker 1.3.2
– Used chroot sandboxing to extract archives
– Victim calls docker pull to automatically unpack a malicious image or build
• Attacker includes malicious xz binaries in the image or build
• Victim creates a container using the malicious image or build
• Privilege escalation => Attacker runs as root on the host OS
• CVE severity – Critical
• Vulnerability was fixed in Docker 1.3.3
CVE-2014-9357
Arbitrary code execution with root privileges

Blank root password
• Affects containers built with the Alpine Linux
Docker image versions 3, 4, 5.
• System credentials are typically stored in
etc/shadow
• Authentication mechanisms can be
customized with different packages
– Alpine Linux + shadow/PAM packages
• Empty password for root user
• Attacker hacks into container => easily
switches to root
• CVE Severity - Critical
CVE-2019-5021
Root users on Alpine Linux containers have blank passwords.

Trojan horse
• Not the virus trojan horse
• Docker Desktop Community Edition versions
prior to 2.1.0.1
• Docker startup or authenticate invokes
docker-credential-wincred.exe
• Access controls of containing folder
%PROGRAMDATA%DockerDesktopversi
on-bin
• Exploit: Replace the executable, keep the
name
• When Docker starts, the executable runs with
user’s privilege (what if it was admin?)
• CVE Severity - High
CVE-2019-15752
Docker folder uses the default windows access control.

• Affects Kubernetes versions older than 1.12.9,
1.13.6, and 1.14.2
• Command kubectl cp – copy files between
host and containers
– Packs into archive using tar
– Transfers over network
– Unpacks on the host
• Compromised tar binary on the container =>
access to the host file system:
– Adding malicious files
– Overwriting existing files
• CVE Severity - High
CVE-2019-11246
Kubernetes File Manipulation

Securing Containers: Risks and Mitigations
• Container image
• Image registry
• Container runtime
• Host OS
• Orchestrator
Container
image
Image registry
Orchestrator
Container runtime
>_
Host OS

Securing container images
Mitigations
• Use a minimalistic base OS, like Alpine Linux and
Windows Nano Server
• Keep the software in container images up-to-date
• Periodically scan the containers for:
– Known vulnerabilities / CVEs in the container layers
– Misconfigurations of containers
(Containerfiles/Dockerfiles) with a scanner (port
misconfigurations, protocols, certificates, running as non-
privileged users, etc.)
– Malware
– Hard-coded secrets
• An organization should have a set of vetted images
that are used across all teams
• Maintain application security requirements for the
code deployed on the container:
– Maintain the frameworks/libraries/components up-to-date
– Scan the internally-developed applications
• Base OS functionality and components
• Components missing critical security
updates (component become outdated over
time)
• Configuration defects
• Embedded malware
• Leaking clear text secrets
Risks

Securing image registries
Mitigations
• Use private registry
• Use secure connections to the registry
• Harden the registry host
• Use authentication and access control
– E.g. developers can only write to the
specific repository
• Regularly monitor
• Prune stale images
• Only publish trusted images (that
passed security requirements)
• Ensure that only containers from your
private registry can be used within the
organization
• Insecure connection
• Leaking IP from the
registry
• Stale images
Risks

Securing container runtime
Mitigations
• Monitor container runtime for vulnerabilities (CVEs)
and update it often
• Control egress network traffic sent by containers
– Traffic in the virtual network is encrypted.
Therefore, traditional network controls (firewalls)
may not work.
– Dynamic IP assigned automatically. Therefore, IP-
based controls won’t work.
– Use app-aware tools
• Use mandatory access control (MAC) technologies
(file system, processes, network sockets, etc.)
• CIS Benchmark for Docker
• Use OS kernel level controls
• Network risks between containers in the
same runtime
• Runtime misconfigurations:
• Containers running in privileged mode
• Containers mounting volumes in sensitive
directories on the host OS
Risks

Securing host OS
Mitigations
• Use slim OS with kernel protections (e.g.
SELinux)
• Keep the OS up-to-date, monitor for
vulnerabilities
• Limit logins to the host OS, audit
authentication
• Monitoring for any unexpected behavior on
the host (network, file system, processes,
etc.)
• Running “busted” containers
• Malicious containers
• Rogue containers
• Containers with vulnerable layers
• Containers with application security
defects
• Large attack surface
• Shared kernel
• Host OS components
• Shared file system (mounting volumes)
• Additional users of the OS
Risks

Host OS
Can we forget about application security?
Scenario: vulnerable application in a container
Secure/vetted
Container
Container
Marketing
web app
Public
Internet
DB Engine
SQL injection
Payload: SQLi to RCE
Container Container Container
Mitigations:
• Limit egress: to an internal
subnet or (better) application
protocols
• No internet access
• Only needed internal
network access
• Restrict DB user: deny running
OS commands
Service managing bounties
for Bug Bounty program
RCE: network scan

Securing orchestration platforms
Risks
• Unnecessary administrative access
• Unauthorized access (to containers and data storage
volumes)
• Compliance risk – encrypting data at rest
• Network risks – traffic from different applications sharing
the same virtual network
• Orchestrator node trust
Mitigations
• Limit the number of privileged users
• Access control linked to the company user directory
• Encrypting data storage volumes
• Segmentation, segmentation, segmentation:
– Virtual networks by sensitivity level (if by app is not
possible)
– Host “pinning” by sensitivity levels (individually
managed clusters)
Aerial view of the Forbidden City, Beijing (© Google Earth 2021)
Defense in depth

Container Security Resources

OWASP Docker Top 10
Draft in progress.
Not a list of top 10 vulnerabilities or risks, but a
list of top 10 controls.
Document: https://github.com/OWASP/Docker-
Security/blob/main/dist/owasp-docker-
security.pdf
• Use it as guidance during the design phase,
for auditing an existing environment, or
procuring a new one
• Focuses on Docker, but could be applied to
containers in general
• Orchestrator security risks are out of scope
for this list, but container networking is in
scope
D01 - Secure User Mapping
D02 - Patch Management Strategy
D03 - Network Segmentation and Firewalling
D04 - Secure Defaults and Hardening
D05 - Maintain Security Contexts
D06 - Protect Secrets
D07 - Resource Protection
D08 - Container Image Integrity and Origin
D09 - Follow Immutable Paradigm
D10 - Logging
https://owasp.org/www-project-docker-top-10/

OWASP Container Security Verification Standard (CSVS)
• The structure is based on the OWASP Application
Security Verification Standard (ASVS)
• Has overlap with Docker Top 10, but covers broader
categories:
– V1: Organizational (processes & people)
– V2: Infrastructure
– V3: Containers (Docker Top 10)
– V4: Orchestration Management
– V5: Image Distribution
– V6: Secrets and Keys
– V7: Network
– V8: Storage
– V9: Logging & Monitoring
– V10: Integration
– V11: Disaster Recovery
– V12: Testing
• This is a shorter standard, compared to CIS
Benchmarks and NIST Application Container Security
Guide
https://owasp.org/www-project-container-security-verification-standard/migrated_content
• Provides 3 security verification levels
1. For all containers
2. Containers with sensitive data or business logic
3. Critical containers (high value transactions, PII,
medical data)

NIST Special Publication 800-190
Application Container Security Guide
https://doi.org/10.6028/NIST.SP.800-190
• Overview of Container Technology
• Explains basic concepts of container
and orchestrations
• Discusses risks to the core components
of container technologies
• Contains a section on countermeasures
for the listed risks
• Provides threat scenario examples and
considerations for the container
technology life cycle
NIST Application Container Security Guide
Container Technology Architecture and Lifecycle Phases
NIST SP 800-190

Center for Internet Security (CIS) developed "more than 100 configuration guidelines across 25+
vendor product families to safeguard systems against today’s evolving cyber threats."
• CIS Benchmarks include hardening guidelines for manual and automated steps
CIS Docker Benchmark provides detailed guidelines in the following categories:
• Host
• Docker daemon and its config files
• Container images and build files
• Container runtime
• Docker security operations
• Docker Swarm
CIS Docker Benchmark
https://www.cisecurity.org/benchmark/docker

• Harden all the systems
• Use segmentation at all levels (clusters, hosts, networks)
• Monitor all the components
• Use vetted base images
• Generate a Software Bill of Materials (SBOM) for every container image
– Gotchas – only if the installer is used and not a custom script
• Use an ASOC tool (Application Security Orchestration and Correlation)
– Collects data from various AppSec sources
– Consolidates and correlates the findings, prioritizing remediation efforts
Best Practices of Securing Containers

Ksenia Peguero
ksenia@synopsys.com
Twitter: @KseniaDmitrieva
https://www.synopsys.com/software

Finding Your Way in Container Security

Finding Your Way in Container Security

Recommended

More Related Content

Similar to Finding Your Way in Container Security

Similar to Finding Your Way in Container Security(20)

Recently uploaded

Recently uploaded(20)

Finding Your Way in Container Security