Is Docker Secure?
Container / Docker security in 30 minutes at Grehack'16 in France.
Published in: Technology

Slide 1
Is Docker Secure?
Grehack'16 @France
Manideep K, Carnegie Mellon University

Slide 2 - Shameless Bragging
• Masters Student + Security Researcher at Carnegie Mellon, CyLab
• Authored a book on Info Sec & Ethical Hacking at the age of 20
• Featured in India's largest newspapers and news channels
• Trained 15,000+ people in Infosec including corporates, students & cyber cops
• 10 certifications: ISO 27001:2013 ISMS LA, CCNA, CEH, JNCIP-SEC etc.
• Ex Team Lead - Core Security & Data Analytics at TCS
• Interest areas: Container Security, Application Security etc.
More details about me on www.manideepk.com

Slide 3 - What am I up to with Containers?
• Co-Authored CIS Docker 1.12 Benchmark
• Cloud Security Research Intern @Adobe
• Extensive research at Carnegie Mellon

Slide 4 - Before we start
• How many of you know what containers are?
• How many of you used containers? Personal / Enterprise development or production
• How many of you did not adopt containers because of security issues?

Slide 5
6-7 months of research in 30 minutes
Tough task but we will do it

Slide 6 - What are we doing for the next 30 mins?
▸ Intro
• Containers in 60 seconds
• Container Pipeline and Risk Areas
▸ Sec…Security
• Images
• Container runtime
• Hello enterprises
▸ Holistic pipeline view
▸ Wrap up

Slide 7 - What are we doing for the next 30 mins? (agenda repeated as a section divider, same content as slide 6)

Slide 8 - Quick "60 second" Intro
Containers?
▸ Lightweight
▸ Application centric
▸ No more "it works on my machine"
▸ Micro-services
Namespaces: Isolation (PID, User, Network, IPC, Mount, UTS)
Cgroups: Isolates, limits and accounts for resource usage (CPU, memory etc.)
BUZZ……….! Are containers brand new?
Img Ref: www.docker.com

Slide 9 - Container Pipeline & Risk Areas
[Figure: container pipeline diagram with the risk areas labelled: Client <=> daemon communication, Communication with public/private registry, Registry's security, Host security, Daemon security, Containers, Images]
Ref: Modified version of image on www.docker.com

Slide 10 - What are we doing for the next 30 mins? (agenda repeated as a section divider, same content as slide 6)

Slide 11 - Containers do not contain
53% of decision makers are worried about security of containers*
Containers are not production-ready
Container Security (Docker) developed "a lot" in the past two years, is still developing and has a lot of scope
Docker containers are now "production-ready**". Google spins up more than 2 billion containers per week
Containers are the "FUTURE"
* Forrester/Red Hat Report, January 2015
** You have to make them secure

Slide 12 - "Images" Security
Lifecycle of An Image
• Where can I get Images?
  - Docker hub public
  - Docker Private Store (Beta)
• Can I use them (directly)?
  - No! Not Docker hub (at least general images) for enterprises (personal?)
  - How about Docker Private store?
• Official images are scanned with Nautilus (general images are not)
  - Reports can be seen by opening tags on Hub

Slide 13 - My Analysis with Images
• Downloaded 50 images from hub & the first image analyzed has XSS, CSRF vulns
  www.vulnerability-lab.com/get_content.php?id=1802
  www.vulnerability-lab.com/get_content.php?id=1803
• Some others (including official images) are using vulnerable versions of OpenSSL, glibc, tar, bash etc. and are vulnerable to Heartbleed, Shellshock etc.
• Manual analysis, and also analyzed with the Twistlock tool

Slide 14 - Quick Facts from Banyanops 2015 Analysis report*
30% of official images are vulnerable
70% of general images are vulnerable
How well do the stats of the report hold today?
* Ref: https://banyanops.com/blog/analyzing-docker-hub/

Slide 15 - Manideep, What to do now?
▸ Enterprises - Build your own in-house registry by referring to the CIS Docker 1.12 doc
• Write Dockerfiles securely (version pinning mechanisms, creating a user etc.)
• Maintain and consume them securely (Docker content trust, frequent scanning etc.)
▸ Personal users - HMM….HMm...Hmm..mmm (Private store?)
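Two of the "write Dockerfiles securely" points on slide 15, version pinning of the base image and creating a dedicated user, can be checked mechanically before an image is ever built. The POSIX shell lint below is an added example written for this page; it is not code from the talk or from the CIS benchmark, and the Dockerfiles, image names and tags it writes for its own demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the talk: lint a Dockerfile for base-image
# pinning and for running as a non-root user (slide 15). Sample Dockerfiles,
# image names and tags below are constructed for the demo.

# check_dockerfile FILE
# Prints one finding per line; prints nothing when both checks pass.
check_dockerfile() {
    file=$1

    # Build-stage aliases ("FROM x AS builder") are legitimate FROM targets
    # in later stages and must not be reported as unpinned.
    aliases=$(grep -i '^[[:space:]]*FROM[[:space:]]' "$file" \
        | awk 'NF >= 4 && toupper($(NF-1)) == "AS" { print $NF }' | tr '\n' ' ')

    # 1. Base-image pinning. "FROM debian" and "FROM debian:latest" resolve to
    #    whatever the registry serves today; require a tag or a digest.
    #    The tag lives after the last "/", so a registry host with a port
    #    ("localhost:5000/app") does not count as a tag.
    grep -i '^[[:space:]]*FROM[[:space:]]' "$file" \
        | awk '{ for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break } }' \
        | while read -r image; do
            last=${image##*/}
            case "$image" in
                scratch)     continue ;;   # empty base, nothing to pin
                *@sha256:*)  continue ;;   # digest-pinned
            esac
            case " $aliases " in
                *" $image "*) continue ;;  # reference to an earlier stage
            esac
            case "$last" in
                *:latest) echo "unpinned base image: $image" ;;
                *:*)      ;;               # tag-pinned
                *)        echo "unpinned base image: $image" ;;
            esac
        done

    # 2. Non-root user. Without a USER instruction the entrypoint runs as
    #    uid 0 inside the container (slide 16, item e).
    user=$(grep -i '^[[:space:]]*USER[[:space:]]' "$file" | tail -n 1 | awk '{ print $2 }')
    case "$user" in
        ""|root|0|root:*|0:*) echo "runs as root (USER is ${user:-unset})" ;;
    esac
}

# make_samples DIR: write two constructed Dockerfiles, one careless and one
# that pins its base image and drops to a dedicated user.
make_samples() {
    printf 'FROM debian\nRUN apt-get update && apt-get install -y curl\nCMD ["curl"]\n' \
        > "$1/Dockerfile.bad"
    printf 'FROM golang:1.22.1 AS builder\nRUN go build -o /app .\nFROM debian:bookworm-20240211-slim\nCOPY --from=builder /app /app\nRUN useradd -r -u 10001 app\nUSER app\nCMD ["/app"]\n' \
        > "$1/Dockerfile.good"
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir/Dockerfile.bad" "$demo_dir/Dockerfile.good"; do
    echo "== $f"
    check_dockerfile "$f"
done
rm -rf "$demo_dir"
```

Run it against your own build context with `check_dockerfile path/to/Dockerfile`. A tag-pinned base still moves when the tag is re-pushed, so the digest form (`image@sha256:…`) is the stronger pin; and the "Docker content trust" item on the same slide is switched on client-side by exporting `DOCKER_CONTENT_TRUST=1`, which makes `docker pull` refuse unsigned tags.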
Slide 16 - Container Runtime - Messy Slide, Sorry!
• Breakout of container and attack host / other containers
• Major problem is the "shared kernel"
• Beware of & fix bizarre Docker defaults (a few below), else you will be in big trouble
  a) Containers can consume entire memory causing DoS
  b) Containers can communicate with each other leading to sniffing etc.
  c) Containers are on the same bridge leading to ARP spoofing, MITM etc.
  d) Containers have no fork limit causing fork bomb
  e) Containers run as root - do you still want to know the impact?
  f) Users with Docker daemon access have effective root privileges
• Isolation / Security
  Namespaces - Beware of the non-namespaced kernel keyring, SYS_TIME etc. and do not share namespaces unless and until needed
  Seccomp - How a single vulnerability in a system call ripped off / tore apart containers (Linux vulnerability but impacted Docker - Cansecwest'16)
  LSMs - SELinux and AppArmor
  Capabilities - Do not use privileged containers and try to set the flag for not acquiring any additional privileges
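For the per-container defaults on this slide (items a, d and e, plus the capabilities and no-new-privileges point), here is an added example, not from the talk: a POSIX shell function that audits the argument list you would hand to `docker run` and reports which of those controls is missing. It parses the arguments only and never invokes docker, so it runs offline; the image name and limit values in its demo are constructed. It knows a fixed list of options that take their value as the next argument; pass any other such option as `--flag=value` so its value is not mistaken for the image name. Items b) and c) are daemon- and network-level settings (`"icc": false` in daemon.json and separate user-defined networks) that a run-line audit cannot see.

```shell
#!/bin/sh
# Added example, not part of the talk: audit a "docker run" argument list for
# the slide-16 runtime defaults. Only the argument list is inspected; docker is
# never invoked. Image names and limit values in the demo are constructed.

# audit_run_args ARG...
# ARG... is exactly what would follow "docker run". Prints one line per
# missing control, in a fixed order; prints nothing when every check passes.
audit_run_args() {
    memory=no pids=no nnp=no user=no capdrop=no priv=no
    while [ $# -gt 0 ]; do
        opt=$1; val=${2-}; shift
        case "$opt" in
            -m|--memory|--memory=*)      memory=yes ;;
            --pids-limit|--pids-limit=*) pids=yes ;;
            --security-opt)
                case "$val" in no-new-privileges|no-new-privileges=true) nnp=yes ;; esac ;;
            --security-opt=*)
                case "${opt#*=}" in no-new-privileges|no-new-privileges=true) nnp=yes ;; esac ;;
            -u|--user)
                case "$val" in ""|root|0|root:*|0:*) ;; *) user=yes ;; esac ;;
            --user=*)
                case "${opt#*=}" in ""|root|0|root:*|0:*) ;; *) user=yes ;; esac ;;
            --cap-drop)   case "$val" in ALL|all) capdrop=yes ;; esac ;;
            --cap-drop=*) case "${opt#*=}" in ALL|all) capdrop=yes ;; esac ;;
            --privileged) priv=yes ;;
            -*)           ;;        # some other option: no verdict
            *)            break ;;  # first non-option is the image: done
        esac
        # Options whose value is the next argument: drop that value so it is
        # not mistaken for the image name (use --flag=value for others).
        case "$opt" in
            -m|--memory|--memory-swap|--pids-limit|--security-opt|-u|--user|--cap-drop|--cap-add|--cpus|--ulimit|--device|--tmpfs|--mount)
                if [ $# -gt 0 ]; then shift; fi ;;
            -p|--publish|-e|--env|--env-file|-v|--volume|--name|--network|--add-host|--dns|--entrypoint|-w|--workdir|-h|--hostname|-l|--label|-a|--attach|--log-driver|--log-opt|--restart|--pid|--ipc|--uts|--userns|--shm-size|--stop-signal|--group-add|--platform|--runtime|--sysctl|--expose|--ip|--link)
                if [ $# -gt 0 ]; then shift; fi ;;
        esac
    done
    [ "$memory" = yes ]  || echo "no memory limit (-m/--memory): container can exhaust host memory (item a)"
    [ "$pids" = yes ]    || echo "no --pids-limit: fork bomb can exhaust host processes (item d)"
    [ "$user" = yes ]    || echo "no non-root --user: processes run as uid 0 in the container (item e)"
    [ "$capdrop" = yes ] || echo "no --cap-drop ALL: container keeps Docker's default capability set"
    [ "$nnp" = yes ]     || echo "no --security-opt no-new-privileges: setuid/setcap binaries can gain privileges"
    [ "$priv" = no ]     || echo "--privileged: all capabilities and host devices, seccomp/AppArmor confinement off"
}

# Demo: a typical invocation and a hardened one (constructed; the image name
# is a placeholder).
echo "== typical"
audit_run_args --rm -p 8080:80 registry.example.com/app:1.4.2
echo "== hardened (no findings expected)"
audit_run_args --rm -p 8080:80 -m 256m --pids-limit 100 \
    --security-opt no-new-privileges --cap-drop ALL -u 10001:10001 --read-only \
    registry.example.com/app:1.4.2
```

The hardened line in the demo is the shape of what the slide asks for: a memory cap against a), a pid limit against d), a non-root uid against e), `--cap-drop ALL` plus `--security-opt no-new-privileges` for the capabilities point, and no `--privileged`. Add back only the individual capabilities (`--cap-add`) the workload actually needs.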
Slide 17 - Hello enterprises (applies to personal users too)
• Use tools (e.g. Twistlock, Scalock, Nautilus) which allow you to (not all of them do every task)
  a) Use only signed / XYZ images
  b) Scan images "efficiently" and frequently
  c) Automatic container profiling etc.
• Tune the CIS benchmark as per your org requirements and adhere to it - Seccomp profiles, AppArmor/SELinux modules, SIEM/monitoring etc.
• Group containers on VMs (based on trust, operational categories etc.)
• Employ separate patch management, vulnerability assessment etc. procedures for containers

Slide 18 - What's next? (agenda repeated as a section divider, same content as slide 6)

Slide 19 - Container pipeline (Holistic View)
[Figure: container pipeline diagram with the risk areas labelled: Client <=> daemon communication, Communication with public/private registry, Registry's security, Host security, Daemon security, Containers, Images]
Img Ref: Modified version of image on www.docker.com

Slide 20 - What's next? (agenda repeated as a section divider, same content as slide 6)

Slide 21 - So, what did you learn today?
Docker Containers are not secure, you have to make them secure…!

Slide 22
It's not good to keep questions in your mind
Throw them out and I am here to catch

Slide 23 - References
1. CIS Docker Benchmark 1.12
2. https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1pdf
3. www.oreilly.com/webops-perf/free/files/docker-security.pdf
4. http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
5. http://www.slideshare.net/Docker/docker-security-workshop-slides
6. http://www.slideshare.net/Docker/securing-the-container-pipeline-at-salesforce-by-cem-gurkok-63493231
7. https://docs.docker.com/engine/security/
8. http://www.slideshare.net/Docker/docker-security-deep-dive-by-ying-li-and-david-lawrence

Slide 24
Hope you enjoyed…!
Reach me on www.manideepk.com for any questions
TCS Confidential
