Building Container Defence Executable at a Time
2. About Me
• Senior Software Engineer at Microsoft.
• Kubernetes Bangalore Meetup organizer.
• Find me at:
@surajd_
suraj.io
surajd.service@gmail.com
3. Threat Model
• An attacker who has container’s shell access tries to do malicious activities using the container’s identity, network, cloud privileges, volume and secret, etc.
4. Attack Vector
• Attacker tries to write and execute binaries to container filesystem.
• Mitigation/Defense:
• Disallow execution of binaries not shipped with container image.
5. Existing Solutions
• Read-only filesystem
• /dev partition is still writable.
• Scratch base image
• Only suitable for apps with static binaries.
6. New Solution
Know about binary execution even before it is executed from inside the container!
(Diagram: a Policy Enforcer watches the container rootfs; when a binary such as /bin/foo is executed, it answers ✅ OR ❌.)
7. How do you get those notifications?
• Enter fanotify
• A filesystem notification framework in Linux.
8. What is fanotify?
From fanotify man page:
The fanotify API provides notification and interception of filesystem events. Use cases include virus scanning and hierarchical storage management.
… monitor all of the objects in a mounted filesystem, make access permission decisions, and the possibility to read or modify files before access by other applications.
Source: https://man7.org/linux/man-pages/man7/fanotify.7.html
10. Fanotify as system calls
int fanotify_init(unsigned int flags, unsigned int event_f_flags);
int fanotify_mark(int fanotify_fd, unsigned int flags, uint64_t mask, int dirfd, const char *pathname);
11. • Watch the rootfs of the container.
• Send events/notifications when a permission to open a file for execution is requested, i.e. FAN_OPEN_EXEC_PERM.
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/fanotify.h>

int fd, ret;
const char *path = "/proc/<PID>/root";   /* placeholder: the rootfs of the container to protect */

/* Create an fanotify file descriptor with unlimited queue and unlimited marks.
   FAN_CLASS_CONTENT is required to receive permission events such as FAN_OPEN_EXEC_PERM. */
fd = fanotify_init(FAN_CLASS_CONTENT | FAN_UNLIMITED_QUEUE | FAN_UNLIMITED_MARKS,
                   O_RDONLY | O_LARGEFILE | O_CLOEXEC);

/* Place a mark on the container's rootfs, which can be derived from the
   container's PID 1 and looks like /proc/PID/root. FAN_EVENT_ON_CHILD only affects
   directory marks; a FAN_MARK_MOUNT mark already covers every object in the mount. */
ret = fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
                    FAN_OPEN_EXEC_PERM | FAN_EVENT_ON_CHILD,
                    AT_FDCWD, path);
12. Design 1: Policy Enforcer for Containers
• Runtime Verifier using diff APIs.
13. Detour: Layers in container image
$ docker run --name=example -it fedora /bin/bash -c 'touch foobar && rm /usr/bin/touch'
$ docker diff example
A /foobar
C /usr
C /usr/bin
D /usr/bin/touch
(Diagram: the union filesystem stacks the writable container layer on the container image layer; /foobar exists only in the container layer, and the image layer's /usr/bin/touch is masked ❌ by the deletion recorded in the container layer.)
14. Runtime Verifier
Message flow between the Kernel, the App and the Container Runtime:
1. Kernel -> App: Executing /bin/foo
2. App -> Container Runtime: Get the current diff in layer 0
3. Container Runtime -> App: Current diff in layer 0
4. App: Check if binary path exists in returned diff
5. App -> Kernel: Allow if binary not in diff
5. App -> Kernel: Deny if binary in diff
15. Design 2: Policy Enforcer for Containers
• Pre-run: Trusted Source of Truth
• Runtime Verifier using above “Source of Truth”.
16. Pre-run: Trusted Source of Truth
• Source of truth is a list of binaries and their hashes/signatures.
• Trusted sources:
• An image built with that metadata in a “Secure Software Supply Chain” environment.
• Calculate the hashes after rootfs has been unpacked and before PID1 of container starts.
• A service that calculates the hashes of binaries in the image and provides that over a REST call.
17. Runtime Verifier
Message flow between the Kernel, the App and the Filesystem:
1. Kernel -> App: Executing /bin/foo
2. App -> Filesystem: Calculate current hash of /bin/foo in rootfs
3. Filesystem -> App: Current hash
4. App: Match current hash with existing hash
5. App -> Kernel: Allow if hashes match
5. App -> Kernel: Deny if hashes don’t match
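An added example (my own code, not the talk's) that wires slides 11, 16 and 17 into one Design 2 runtime verifier in C: it loads a sha256sum-style manifest as the pre-run source of truth, marks the container rootfs for FAN_OPEN_EXEC_PERM, hashes each binary the kernel asks about through the AF_ALG kernel crypto socket, and replies FAN_ALLOW only for a listed path whose digest matches. Assumptions not in the talk: the manifest file and rootfs are command-line arguments, the rootfs argument is the path the host sees (for example an overlay "merged" directory, since that is the prefix fanotify reports), SHA-256 comes from AF_ALG rather than a userspace library, and the sample manifest in the code is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#include <sys/socket.h>
#include <linux/if_alg.h>
#ifndef FAN_OPEN_EXEC_PERM                /* UAPI headers older than kernel 5.0 lack it */
#define FAN_OPEN_EXEC_PERM 0x00040000
#endif
#define HEX_LEN 64

struct entry { char hash[HEX_LEN + 1]; char path[PATH_MAX]; };
struct manifest { struct entry e[512]; int n; };

/* Parse sha256sum(1) output ("<64 hex>  <path>" per line); returns entry count, or -1 if malformed. */
int manifest_parse(struct manifest *m, const char *text) {
    int used = 0;
    for (m->n = 0; text[strspn(text, " \n")] != '\0'; m->n++, text += used)
        if (m->n == 512 || sscanf(text, " %64s %4095s%n", m->e[m->n].hash, m->e[m->n].path, &used) != 2
            || strlen(m->e[m->n].hash) != HEX_LEN || m->e[m->n].path[0] != '/') return -1;
    return m->n;
}

/* Slide 17 steps 4-5: allow only a listed file whose digest matches; dropped or modified binaries are denied. */
unsigned int verdict(const struct manifest *m, const char *path, const char *current_hex) {
    for (int i = 0; i < m->n; i++)
        if (strcmp(m->e[i].path, path) == 0)
            return strcmp(m->e[i].hash, current_hex) == 0 ? FAN_ALLOW : FAN_DENY;
    return FAN_DENY;                                      /* never shipped with the image */
}

/* Map a host path under the resolved rootfs (no trailing '/') to the manifest's image-relative path, else NULL. */
const char *image_path(const char *rootfs, const char *host_path) {
    size_t n = strlen(rootfs);
    return strncmp(host_path, rootfs, n) == 0 && host_path[n] == '/' ? host_path + n : NULL;
}

/* SHA-256 of an open file via the kernel crypto API (AF_ALG): no userspace crypto library. */
int sha256_hex_fd(int fd, char out[HEX_LEN + 1]) {
    struct sockaddr_alg sa = { .salg_family = AF_ALG, .salg_type = "hash", .salg_name = "sha256" };
    unsigned char digest[32], buf[65536];
    ssize_t n; int tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfm < 0) return -1;
    int op = bind(tfm, (struct sockaddr *)&sa, sizeof sa) == 0 ? accept(tfm, NULL, NULL) : -1;
    close(tfm); if (op < 0) return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0)           /* stream the file into the hash */
        if (send(op, buf, (size_t)n, MSG_MORE) != n) { close(op); return -1; }
    if (n < 0 || send(op, buf, 0, 0) != 0 ||              /* empty final send finalises it */
        read(op, digest, sizeof digest) != (ssize_t)sizeof digest) { close(op); return -1; }
    close(op);
    for (int i = 0; i < 32; i++) sprintf(out + 2 * i, "%02x", digest[i]);
    return 0;
}

/* Constructed sample manifest with placeholder digests (not real sha256sum output). */
#define SAMPLE_LS_HASH "0123456789abcdef" "0123456789abcdef" "0123456789abcdef" "0123456789abcdef"
#define SAMPLE_CP_HASH "fedcba9876543210" "fedcba9876543210" "fedcba9876543210" "fedcba9876543210"
static const char SAMPLE_MANIFEST[] = SAMPLE_LS_HASH "  /usr/bin/ls\n" SAMPLE_CP_HASH "  /usr/bin/cp\n";
struct manifest *sample_manifest(void) {   /* parsed on first use; lets the logic be checked unprivileged */
    static struct manifest m;
    if (m.n == 0) manifest_parse(&m, SAMPLE_MANIFEST);
    return &m;
}

/* usage: verifier <manifest.sha256> <resolved container rootfs>; needs CAP_SYS_ADMIN. */
int main(int argc, char **argv) {
    static struct manifest m; static char text[1 << 20], buf[8192];
    FILE *f = argc == 3 ? fopen(argv[1], "r") : NULL;
    if (f == NULL) { fprintf(stderr, "usage: %s <manifest> <rootfs>\n", argv[0]); return 2; }
    text[fread(text, 1, sizeof text - 1, f)] = '\0'; fclose(f);
    if (manifest_parse(&m, text) < 0) { fprintf(stderr, "malformed manifest\n"); return 1; }
    /* Slide 11: a content-class group, so the kernel blocks each exec until we answer. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_UNLIMITED_QUEUE | FAN_UNLIMITED_MARKS,
                            O_RDONLY | O_LARGEFILE | O_CLOEXEC);
    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_EXEC_PERM,
                                 AT_FDCWD, argv[2]) < 0) { perror("fanotify"); return 1; }
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len <= 0) { if (len < 0 && errno == EINTR) continue; break; }
        for (struct fanotify_event_metadata *ev = (struct fanotify_event_metadata *)buf;
             FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            if (ev->fd < 0) continue;                         /* queue overflow carries no fd */
            char host[PATH_MAX] = "?", link[64], hex[HEX_LEN + 1];
            struct fanotify_response resp = { .fd = ev->fd, .response = FAN_DENY };
            snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
            ssize_t pl = readlink(link, host, sizeof host - 1);
            const char *rel = pl < 0 ? NULL : (host[pl] = '\0', image_path(argv[2], host));
            if (rel && sha256_hex_fd(ev->fd, hex) == 0) resp.response = verdict(&m, rel, hex);
            if (write(fan, &resp, sizeof resp) != (ssize_t)sizeof resp) perror("response");
            printf("%s pid=%d %s\n", resp.response == FAN_ALLOW ? "ALLOW" : "DENY", ev->pid, host);
            close(ev->fd);
        }
    }
    return 0;
}
```

manifest_parse, image_path and verdict run unprivileged; the fanotify loop itself needs CAP_SYS_ADMIN on the node and Linux 5.0 or later for FAN_OPEN_EXEC_PERM.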
18. Design 1 vs Design 2
Design 1 | Design 2
Does not need pre-computed hashes. | Needs pre-computed hashes to function.
Depends on the container runtime to provide diffs. | Container runtime agnostic.
Adds dependency on the runtime to be online. | Regardless of uptime of runtime, it will continue to run.
19. Policy Enforcer App
• Standalone app that runs as a daemon (using systemd or Kubernetes Daemonset).
• Pros: Flexible in policy change enforcement, can be backed by an operator, ease of deployment.
• Cons: A single daemon monitoring all node containers, can have late start issues.
• Code as a part of custom containerd-shim.
• Pros: A single-daemon single-container mapping.
• Cons: Inflexibility in policy change enforcement, needs changes to installation processes.
20. Advantages over the existing solutions
• Read-only filesystem
• Everything is writable but not executable.
• Scratch base image
• Run apps needing an interpreter without fear of being compromised because of the baggage.
22. Disadvantages of Fanotify based eventing
• Userspace program could slow down the container application due to the kernel-mode/user-mode transition, hash calculation, etc.
• Limited by memory available for storing events.
• Events could be bypassed using memfd.
• Streaming scripts to interpreter like Python.
• Possibility to create deadlocks.
23. Roadmap
• A fine-grained policy allowing the user to provide an allowlist and denylist of paths.
• Disallow apps from using STDIN as input.**