Container Security
Salman A. Baset
@salman_baset, sabaset@us.ibm.com
What is a container?
According to NIST (National Institute of Standards and Technology):
• Virtualization: the simulation of the software and/or hardware upon which other software runs. (800-125)
• System Virtual Machine: a System Virtual Machine (VM) is a software implementation of a complete system platform that supports the execution of a complete operating system and corresponding applications in a cloud. (800-180 draft)
• Operating System Virtualization (aka OS Container): provides multiple virtualized OSes above a single shared kernel. (800-190) E.g., Solaris Zones, FreeBSD Jails, LXC
• Application Virtualization (aka Application Containers): the same shared kernel is exposed to multiple discrete instances. (800-180 draft) E.g., Docker (containerd), rkt
“Container” Security
“Container” Security = Host Security (2002 to date) + Content Security (2015 to date) + Orchestrator Security (2016 to date) + App Security
Implement defense in depth.
Container Runtime Stack on a Single Host
[Figure: two stacks side by side. Left: Host kernel → Container runtime → Application containers (each App + Bins/libs). Right: Host kernel → VM kernel → Container runtime → Application containers (each App + Bins/libs).]
1. Is the host isolated from the application container?
2. Is one application container isolated from another application container?
Shared kernel vs. separate kernel debate…
CVEs inside the Linux kernel
https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
The previous chart can be misleading…
• Gain-privilege exploits in 2017: 36
• Includes CVEs in previous kernel versions
• eCryptfs: 1 (kernel 3.18 or earlier)
• Drivers: 5 Qualcomm drivers, 2 NVIDIA, 1 USB, 1 Broadcom, 1 GPU, 1 TTY
• KVM: 1 (that is, a CVE also found in KVM)
• Not all CVEs are [easily] exploitable, but nevertheless…
[Figure: Host kernel → Container runtime → Application containers (App + Bins/libs). This stack, without a VM kernel, is the focus of this talk.]
Usage Model
[Figure: three hosts, each running Host kernel → Container runtime → Application containers (App + Bins/libs), plus an Image Registry and an Orchestrator: hosts + image registry + orchestrator.]
• Multiple apps of the same user running on the same/different hosts
• Multiple apps of distinct users running on the same/different hosts
What does host security mean? Informally…
• Isolation from the host
• Can never be root
• Should not “see” host processes
• Should not interfere with host operation
• Isolation from other containers
• Should not “see” other containers
• Should not impact the performance of other containers
Container on Linux
• is just a process
• wrapped in a bunch of “isolation gear”
• to isolate it from the host and from other processes
• the isolation gear was developed independently over time
• docker engine (on a host) + containerd + runC
Namespaces
• Linux kernel namespaces provide the isolation (hence “container”) in which we place one or more processes
• Namespace types: pid, mount, ipc, user, net, uts
• Introduced ~2002, inspired by Plan 9
• Ok, what about devices?
• docker options
• --userns
• --pid
• --uts
HOST SECURITY
Resource isolation - cgroups
• What is a resource?
• CPU, memory, disk, network
• PID, file descriptors
• Devices
• cgroups v2 support introduced in kernel 4.5.
• Docker has many options for tuning cpu, mem, disk
• cpu: 10
• device: 8
• memory: 5
• PID: configure the max number of PIDs a container may use
• Device: maximum device bandwidth, in, out
HOST SECURITY
Are namespaces and cgroups enough?
• No
• Linux capabilities:
• Fine-grained access capabilities besides root/non-root
• E.g., load a module, mount a filesystem
• A Docker container drops most capabilities by default
• Default Docker capabilities: chown, dac_override, fsetid, fowner, mknod, net_raw, setgid, setuid, setfcap, setpcap, net_bind_service, sys_chroot, kill, audit_write
• Seccomp
• Restrict the system calls that a container is allowed to execute
• Often, security issues are found in system calls pertaining to legacy devices
• AppArmor / SELinux
• Mandatory access control (MAC)
HOST SECURITY
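As an added example (not from the slides), the following Python decodes the CapEff mask that the kernel reports in /proc/<pid>/status and compares it with the default Docker capability set listed above, so a defender can verify what a container process actually holds. The capability bit numbers follow linux/capability.h; the status excerpts are constructed.

```python
# Added example: decode a CapEff/CapBnd hex mask from /proc/<pid>/status and
# report capabilities held beyond Docker's default set (from the slide).
# Index in this list == capability bit number in linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# The capabilities a Docker container keeps by default (as listed on the slide).
DOCKER_DEFAULT_CAPS = frozenset({
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw", "setgid",
    "setuid", "setfcap", "setpcap", "net_bind_service", "sys_chroot", "kill",
    "audit_write",
})


def decode_caps(mask_hex: str) -> frozenset:
    """Turn a Cap* hex mask into the set of capability names it contains."""
    mask = int(mask_hex, 16)
    names = set()
    for bit, name in enumerate(CAP_NAMES):
        if mask & (1 << bit):
            names.add(name)
    # Bits newer than this table are reported numerically rather than dropped.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if mask & (1 << bit):
            names.add(f"cap_{bit}")
    return frozenset(names)


def caps_from_status(status_text: str, field: str = "CapEff") -> frozenset:
    """Find the requested Cap* line in /proc/<pid>/status text and decode it."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return decode_caps(line.split(":", 1)[1].strip())
    raise ValueError(f"{field} not found in status text")


def extra_caps(status_text: str) -> frozenset:
    """Capabilities held beyond Docker's default set (empty for a default container)."""
    return caps_from_status(status_text) - DOCKER_DEFAULT_CAPS


# Constructed /proc/1/status excerpts; only the CapEff line matters here.
DEFAULT_CONTAINER = "Name:\tsh\nCapEff:\t00000000a80425fb\n"      # docker run defaults
SYS_ADMIN_CONTAINER = "Name:\tsh\nCapEff:\t00000000a82425fb\n"    # plus --cap-add SYS_ADMIN
PRIVILEGED_CONTAINER = "Name:\tsh\nCapEff:\t0000003fffffffff\n"   # every capability set

if __name__ == "__main__":
    samples = [("default", DEFAULT_CONTAINER),
               ("cap-add", SYS_ADMIN_CONTAINER),
               ("privileged", PRIVILEGED_CONTAINER)]
    for label, text in samples:
        print(f"{label}: beyond default = {sorted(extra_caps(text))}")
```

Reading the CapBnd field the same way shows the bounding set, which is what a process could regain via a setuid or file-capability binary unless no-new-privileges is set.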
Is that enough for host security?
• No
• Other host security best practices still apply!
• Patch management
• Monitoring
• Antivirus
• Malware
• Logging
• Privileged user monitoring
HOST SECURITY
Container Images
• Container images are the root of the software supply chain
• Container images are supposed to provide an immutable source
• In reality: secrets needed for running the container are stored outside the container image, and can impact its run-time
• Different secrets for different run-time environments (stage, prod)
• Container images are often pulled from open source
• Important to vet the base image; malware, anti-virus
• Container images contain OS distro packages + application packages + application code
• Ubuntu, Node.js
• Check vulnerabilities of all content that goes inside the image, including scanning application source code
[Figure: container = App + Bins/libs, with secrets supplied from outside the image]
CONTENT SECURITY
Orchestrator Security
• Containers are often deployed through orchestrators
• Docker Machine, Kubernetes
• Sane defaults, TLSv1.2 etc.
• Who has access to those APIs is just as important as other aspects
• determine what volumes, devices are passed inside a container
• who can docker exec into a running container
• Moreover, secrets are typically stored outside the container registry and container run-time. Access to these secrets is also important
• Your Jenkins server may be leaking secrets!
ORCHESTRATOR SECURITY
App Security
• A developer still needs to configure their app securely.
• However, it is still much better to run an app in a container than directly on a host
APP SECURITY
[Slide: hardening checklist table. Each step is marked as a host-level or container-level step, as manual or out of the box in Docker, and as one-time or per app.]
Step 1: Configure partitions
Step 2: Run as non-root, utilizing user and kernel namespaces
Step 3: Configure log, monitoring, audit
Step 4: Configure network, related services, disable IP forwarding
Step 5: Configure patching and anti-virus agents
Step 6: Configure mandatory access control
Step 7: Prevent application from DoSing a host
Step 8: Further deprivilege application through subset of Linux capabilities
Step 9: Further deprivilege application by limiting allowed system calls
Step 10: Configure application security
Kernel and Container Security Evolution
• 2015
• Content Addressability (image spec, phase 1) – Docker 1.6
• Default ulimits for all containers – Docker 1.6
• Docker Content Trust – (notary) image provenance/signing – Docker 1.8
• 2016
• Full migration to content addressability for images/layers – Docker 1.10
• User namespaces – Docker 1.10
• Secure computing (libseccomp) – Docker 1.10
• --pids-limit (cgroups pid limitation) – Docker 1.11 (kernel 4.3+)
• cgroups “v2” – (kernel 4.5+)
• --no-new-privileges (limit process escalation) – Docker 1.11
• Storage driver quotas (limited) – Docker 1.12
• Secure by default multi-node orchestration (mutual TLS) – Docker 1.12
• 2017
• Improved resource isolation features in Linux Kernel and in Docker engine
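An added example, not part of the deck: a Python audit over `docker inspect` output that flags where the knobs from this slide and the host and orchestrator slides (added capabilities, seccomp, --no-new-privileges, --pids-limit, user namespaces, shared host namespaces, and the volumes and devices passed inside a container) have been weakened. The inspect JSON is a constructed excerpt with placeholder IDs; the field names are those of Docker's HostConfig.

```python
import json

# Constructed excerpt of `docker inspect` output: one hardened container and
# one weakened build agent. IDs are placeholders, not real container IDs.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "constructed-id-hardened",
        "Name": "/web-hardened",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges:true"], "PidsLimit": 200,
            "UsernsMode": "", "PidMode": "", "NetworkMode": "bridge",
            "IpcMode": "private", "Binds": ["/srv/web/data:/data:ro"],
            "Devices": [],
        },
    },
    {
        "Id": "constructed-id-weak",
        "Name": "/build-agent",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
            "SecurityOpt": ["seccomp=unconfined"], "PidsLimit": 0,
            "UsernsMode": "host", "PidMode": "host", "NetworkMode": "bridge",
            "IpcMode": "",
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/ci:/work"],
            "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda",
                         "CgroupPermissions": "rwm"}],
        },
    },
])

# Host paths that hand the container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/dev",
                        "/var/run/docker.sock", "/run/docker.sock")


def _is_sensitive(src: str) -> bool:
    """True if a bind-mount source is the host root or sits under a sensitive path."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(obj: dict) -> list:
    """Return findings for one inspect object; an empty list means every checked knob is hardened."""
    findings = []
    host = obj.get("HostConfig") or {}
    user = (obj.get("Config") or {}).get("User") or ""
    if host.get("Privileged"):
        findings.append("privileged: all capabilities, host devices, seccomp/AppArmor off")
    for cap in host.get("CapAdd") or []:
        findings.append(f"capability added beyond the default set: {cap}")
    sec = host.get("SecurityOpt") or []
    if "seccomp=unconfined" in sec:
        findings.append("seccomp profile disabled")
    if "apparmor=unconfined" in sec:
        findings.append("AppArmor profile disabled")
    if not any(o.startswith("no-new-privileges") for o in sec):
        findings.append("no-new-privileges not set (setuid escalation still possible)")
    pids = host.get("PidsLimit") or 0
    if pids <= 0:  # 0/None: unset; -1: explicitly unlimited
        findings.append("PidsLimit unset: a fork bomb can exhaust host PIDs")
    if host.get("UsernsMode") == "host":
        findings.append("user namespace remapping opted out (UsernsMode=host)")
    if user in ("", "root", "0") or user.startswith(("root:", "0:")):
        findings.append("runs as root inside the container")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(key) == "host":
            findings.append(f"{key}=host: shares the host {key[:-4].lower()} namespace")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if _is_sensitive(src):
            findings.append(f"sensitive host path bind-mounted: {src}")
    for dev in host.get("Devices") or []:
        findings.append(f"host device passed in: {dev.get('PathOnHost')}")
    return findings


def audit_inspect(json_text: str) -> dict:
    """Map each container name to its findings for a whole `docker inspect` array."""
    return {c.get("Name", c.get("Id")): audit_container(c)
            for c in json.loads(json_text)}


if __name__ == "__main__":
    for name, findings in audit_inspect(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Feed it real output with `docker inspect $(docker ps -q)` to review every running container on a host; a daemon-wide userns-remap cannot be seen from inspect alone and must be checked in the daemon configuration.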
What's Next in Container Security?
• Host Security
• LinuxKit
• Lightweight virtualization (Kata Containers, formerly Intel Clear Containers)
• Unikernels (MirageOS)
• Content Security
• Distribution Specification Project (OCI)
• Project Grafeas
LinuxKit
• Secure, portable OSes for Linux containers
• Supports Kubernetes, AWS, GCP, Azure etc.
• https://github.com/linuxkit/linuxkit
Kata Containers
• Based on Intel Clear Containers
• Perform like containers but provide the workload isolation and security advantages of VMs
• OCI compliant
• https://github.com/kata-containers/
MirageOS
• Library operating system for unikernels
• MirageOS 3.0 released in Feb 2017
• https://mirage.io/
Distribution Specification Project
• Image and run-time formats through OCI
• Image distribution is now de facto the Docker Image Registry API
• https://www.opencontainers.org/announcement/2018/04/09/oci-announces-dist-spec-project
Project Grafeas
• Standardize container vulnerability format
• Standardize attestations
• https://grafeas.io/
Conclusion
• Container security has significantly evolved from the early days of Docker
• Secure-by-default in all major platforms
• For users, the security focus is on securing the software supply chain
• New features promise standardization, lightweight VM isolation
25

More Related Content

What's hot

Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
Araf Karsh Hamid
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
Amazon Web Services
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
Prashanth B. P.
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
Eueung Mulyana
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
Thomas Fricke
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
Peng Xiao
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux Kernel
Docker, Inc.
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
Raphaël PINSON
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
Archana Joshi
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
Priyanka Aash
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Hero
fazalraja
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
Luong Vo
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
Frederik Mogensen
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
Aditya Konarde
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
Amazon Web Services
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Phuc Nguyen
 

What's hot (20)

Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
Docker Introduction
Docker IntroductionDocker Introduction
Docker Introduction
 
Docker and the Linux Kernel
Docker and the Linux KernelDocker and the Linux Kernel
Docker and the Linux Kernel
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOps
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
Docker: From Zero to Hero
Docker: From Zero to HeroDocker: From Zero to Hero
Docker: From Zero to Hero
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
Introduction to docker
Introduction to dockerIntroduction to docker
Introduction to docker
 
Container Security
Container SecurityContainer Security
Container Security
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 

Similar to Container Security

Containers and security
Containers and securityContainers and security
Containers and security
sriram_rajan
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
Docker Security
Docker SecurityDocker Security
Docker Security
antitree
 
Docker.ppt
Docker.pptDocker.ppt
Docker.ppt
Ajit Mali
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Dongwon Kim
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
Stephane Woillez
 
Docker
DockerDocker
presentation on Docker
presentation on Dockerpresentation on Docker
presentation on Docker
Virendra Ruhela
 
Docker Dojo
Docker DojoDocker Dojo
Containers 101
Containers 101Containers 101
Containers 101
Black Duck by Synopsys
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
DockerCon EU 2015 Barcelona
DockerCon EU 2015 BarcelonaDockerCon EU 2015 Barcelona
DockerCon EU 2015 Barcelona
Roman Dembitsky
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
Amazon Web Services
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
Salesforce Engineering
 
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013dotCloud
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
Sysdig
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
컨테이너 기술 소개 - Warden, Garden, Docker
컨테이너 기술 소개 - Warden, Garden, Docker컨테이너 기술 소개 - Warden, Garden, Docker
컨테이너 기술 소개 - Warden, Garden, Docker
seungdon Choi
 

Similar to Container Security (20)

Containers and security
Containers and securityContainers and security
Containers and security
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Docker.ppt
Docker.pptDocker.ppt
Docker.ppt
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
SW Docker Security
SW Docker SecuritySW Docker Security
SW Docker Security
 
Docker
DockerDocker
Docker
 
presentation on Docker
presentation on Dockerpresentation on Docker
presentation on Docker
 
Docker Dojo
Docker DojoDocker Dojo
Docker Dojo
 
Containers 101
Containers 101Containers 101
Containers 101
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
DockerCon EU 2015 Barcelona
DockerCon EU 2015 BarcelonaDockerCon EU 2015 Barcelona
DockerCon EU 2015 Barcelona
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
Write Once and REALLY Run Anywhere | OpenStack Summit HK 2013
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
컨테이너 기술 소개 - Warden, Garden, Docker
컨테이너 기술 소개 - Warden, Garden, Docker컨테이너 기술 소개 - Warden, Garden, Docker
컨테이너 기술 소개 - Warden, Garden, Docker
 

More from Salman Baset

GDPR considerations for blockchain solution architects.
GDPR considerations for blockchain solution architects.GDPR considerations for blockchain solution architects.
GDPR considerations for blockchain solution architects.
Salman Baset
 
GDPR and Blockchain
GDPR and BlockchainGDPR and Blockchain
GDPR and Blockchain
Salman Baset
 
Blockchain - Beyond the Hype
Blockchain - Beyond the HypeBlockchain - Beyond the Hype
Blockchain - Beyond the Hype
Salman Baset
 
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case StudyDissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
Salman Baset
 
Open Source Cloud Technologies
Open Source Cloud TechnologiesOpen Source Cloud Technologies
Open Source Cloud Technologies
Salman Baset
 
Cloud SLAs: Present and Future
Cloud SLAs: Present and FutureCloud SLAs: Present and Future
Cloud SLAs: Present and Future
Salman Baset
 
SPEC Cloud (TM) IaaS 2016 Benchmark
SPEC Cloud (TM) IaaS 2016 BenchmarkSPEC Cloud (TM) IaaS 2016 Benchmark
SPEC Cloud (TM) IaaS 2016 Benchmark
Salman Baset
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
Salman Baset
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 

More from Salman Baset (9)

GDPR considerations for blockchain solution architects.
GDPR considerations for blockchain solution architects.GDPR considerations for blockchain solution architects.
GDPR considerations for blockchain solution architects.
 
GDPR and Blockchain
GDPR and BlockchainGDPR and Blockchain
GDPR and Blockchain
 
Blockchain - Beyond the Hype
Blockchain - Beyond the HypeBlockchain - Beyond the Hype
Blockchain - Beyond the Hype
 
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case StudyDissecting Open Source Cloud Evolution: An OpenStack Case Study
Dissecting Open Source Cloud Evolution: An OpenStack Case Study
 
Open Source Cloud Technologies
Open Source Cloud TechnologiesOpen Source Cloud Technologies
Open Source Cloud Technologies
 
Cloud SLAs: Present and Future
Cloud SLAs: Present and FutureCloud SLAs: Present and Future
Cloud SLAs: Present and Future
 
SPEC Cloud (TM) IaaS 2016 Benchmark
SPEC Cloud (TM) IaaS 2016 BenchmarkSPEC Cloud (TM) IaaS 2016 Benchmark
SPEC Cloud (TM) IaaS 2016 Benchmark
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 

Recently uploaded

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 

Recently uploaded (20)

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 

Container Security

  • 1. Container Security Salman A. Baset @salman_baset, sabaset@us.ibm.com
  • 2. What is a container?
  • 3. What is a container? According to NIST (National Institute of Standards and Technology):
    • Virtualization: the simulation of the software and/or hardware upon which other software runs. (800-125)
    • System Virtual Machine: A System Virtual Machine (VM) is a software implementation of a complete system platform that supports the execution of a complete operating system and corresponding applications in a cloud. (800-180 draft)
    • Operating System Virtualization (aka OS Container): Provide multiple virtualized OSes above a single shared kernel (800-190). E.g., Solaris Zones, FreeBSD Jails, LXC
    • Application Virtualization (aka Application Containers): The same shared kernel is exposed to multiple discrete instances (800-180 draft). E.g., Docker (containerd), rkt
  • 4. “Container” Security (diagram): “Container” Security = Host Security (2002 – to date) + Content Security (2015 – to date) + Orchestrator Security (2016 – to date) + App Security (* – to date). Implement defense in depth.
  • 5. Container Runtime Stack on a Single Host (diagram): two stacks side by side. One stack is host kernel → container runtime → application containers (each App + Bins/libs); the other is host kernel → VM kernel → container runtime → application containers. Questions: 1. Is the host isolated from the application container? 2. Is one application container isolated from another application container?
  • 6. Shared kernel vs. separate kernel debate… CVEs inside the Linux kernel (chart): https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html?vendor_id=33
  • 7. The previous chart can be misleading…
    • Gain privilege exploits in 2017: 36
    • Includes CVEs in previous kernel versions
    • 1 eCryptfs, 3.18 or earlier
    • Drivers: 5 Qualcomm drivers, 2 NVIDIA, 1 USB, 1 BROADCOM, 1 GPU, 1 TTY
    • KVM: 1 (that is, a CVE found in KVM as well)
    • Not all CVEs are [easily] exploitable, but nevertheless…
    (Diagram: host kernel → container runtime → application containers (App + Bins/libs), marked “Focus of this talk”)
  • 8. Usage Model (diagram): three hosts, each host kernel → container runtime → application containers (App + Bins/libs), fed by an Image Registry and an Orchestrator. Two cases: multiple apps of the same user running on the same/different hosts; multiple apps of distinct users running on the same/different hosts.
  • 9. What does host security mean? Informally…
    • Isolation from host
      • Can never be root
      • Should not “see” host processes
      • Should not interfere with host operation
    • Isolation from other containers
      • Should not “see” other containers
      • Should not impact performance of other containers
  • 10. Container on Linux
    • is just a process
    • wrapped in a bunch of “isolation gear”
    • to isolate it from the host and from other processes
    • the isolation gear was developed independently over time
    • docker engine (on a host) + containerd + runC
  • 11. Namespaces [HOST SECURITY]
    • Linux kernel namespaces provide the isolation (hence “container”) in which we place one or more processes
    • Introduced ~2002, inspired by Plan 9
    • Ok, what about devices?
    • docker options: --userns, --pid, --uts
    (Diagram: namespace kinds pid, mount, ipc, user, net, uts)
  • 12. Resource isolation - cgroups [HOST SECURITY]
    • What is a resource?
      • CPU, memory, disk, network
      • PID, file descriptors
      • Devices
    • cgroups v2 support introduced in kernel 4.5.
    • Docker has many options for tuning cpu, mem, disk
      • cpu: 10
      • device: 8
      • memory: 5
    • PID: configure the max number of PID descriptors
    • Device: maximum device bandwidth, in, out
  • 13. Are namespaces and cgroups enough? [HOST SECURITY]
    • No
    • Linux capabilities:
      • Fine-grained privileges instead of an all-or-nothing root/non-root split
      • E.g., load a module, mount a filesystem
      • A Docker container drops most capabilities by default. Default Docker capabilities: chown, dac_override, fsetid, fowner, mknod, net_raw, setgid, setuid, setfcap, setpcap, net_bind_service, sys_chroot, kill, audit_write
    • Seccomp
      • Restrict the system calls that a process is allowed to execute
      • Often, security issues are found in system calls pertaining to legacy devices
    • AppArmor / SELinux
      • Mandatory access control (MAC)
  • 14. Is that enough for host security? [HOST SECURITY]
    • No
    • Other host security best practices still apply!
      • Patch management
      • Monitoring
      • Antivirus
      • Malware
      • Logging
      • Privileged user monitoring
  • 15. Container Images [CONTENT SECURITY]
    • Container images are the root of the software supply chain
    • Container images are supposed to provide an immutable source
      • In reality: secrets needed for running the container are stored outside the container image, and can affect its run-time
      • Different secrets for different run-time environments (stage, prod)
    • Container images are often pulled from open source
      • Important to vet the base image; scan for malware, run anti-virus
    • Container images contain OS distro packages + application packages + application code
      • Ubuntu, Node.js
    • Check vulnerabilities of all content that goes inside the image, including scanning application source code
    (Diagram: App + Bins/libs inside the image, secrets outside it)
  • 16. Orchestrator Security [ORCHESTRATOR SECURITY]
    • Containers are often deployed through orchestrators
      • Docker Machine, Kubernetes
    • Sane defaults, TLSv1.2 etc.
    • Who has access to those APIs is just as important as the other aspects
      • determines what volumes and devices are passed inside the container
      • who can docker exec into a running container
    • Moreover, secrets are typically stored outside the container registry and the container run-time. Access to these secrets is also important
      • Your Jenkins server may be leaking secrets!
  • 17. App Security [APP SECURITY]
    • A developer still needs to configure their app securely.
    • However, it is still much better to run an app in a container than directly on a host
    (Figure, flattened in extraction: a ten-step hardening flow, each step placed on the Host or in the Container and marked Manual, One time, Manual per app, or Out of box (in Docker). The steps, in the order they appear: Configure partitions; Run as non-root, utilizing user and kernel namespaces; Configure log, monitoring, audit; Configure network, related services, disable IP forwarding; Configure patching and anti-virus agents; Configure mandatory access control; Prevent application from DoSing a host; Further deprivilege application through a subset of Linux capabilities; Further deprivilege application by limiting allowed system calls; Configure application security.)
  • 18. Kernel and Container Security Evolution
    • 2015
      • Content Addressability (image spec, phase 1) – Docker 1.6
      • Default ulimits for all containers – Docker 1.6
      • Docker Content Trust – (notary) image provenance/signing – Docker 1.8
    • 2016
      • Full migration to content addressability for images/layers – Docker 1.10
      • User namespaces – Docker 1.10
      • Secure computing (libseccomp) – Docker 1.10
      • --pids-limit (cgroups pid limitation) – Docker 1.11 (kernel 4.3+)
      • cgroups “v2” – (kernel 4.5+)
      • --no-new-privileges (limit process escalation) – Docker 1.11
      • Storage driver quotas (limited) – Docker 1.12
      • Secure by default multi-node orchestration (mutual TLS) – Docker 1.12
    • 2017
      • Improved resource isolation features in the Linux kernel and in the Docker engine
  • 19. What’s Next in Container Security?
    • Host Security
      • LinuxKit
      • Lightweight virtualization (Kata Containers, formerly Intel Clear Containers)
      • Unikernels (MirageOS)
    • Content Security
      • Distribution Specification Project (OCI)
      • Project Grafeas
  • 20. LinuxKit
    • Secure, portable OSes for Linux containers
    • Supports Kubernetes, AWS, GCP, Azure etc.
    • https://github.com/linuxkit/linuxkit
  • 21. Kata Containers
    • Based on Intel Clear Containers
    • Perform like containers but provide the workload isolation and security advantages of VMs
    • OCI compliant
    • https://github.com/kata-containers/
  • 22. MirageOS
    • Library operating system for unikernels
    • MirageOS 3.0 released in Feb 2017
    • https://mirage.io/
  • 23. Distribution Specification Project
    • Image and run-time formats through OCI
    • Image distribution is now de facto the Docker Image Registry API
    • https://www.opencontainers.org/announcement/2018/04/09/oci-announces-dist-spec-project
  • 24. Project Grafeas
    • Standardize container vulnerability format
    • Standardize attestations
    • https://grafeas.io/
  • 25. Conclusion
    • Container security has significantly evolved from the early days of Docker
    • Secure-by-default in all major platforms
    • For users, the security focus is on securing the software supply chain
    • New features promise standardization, light weight, and VM isolation
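Slides 13 and 18 name the host-security controls a container process inherits: a reduced capability set (the 14 defaults listed on slide 13), a seccomp filter, and, from Docker 1.11, --no-new-privileges. The kernel exposes all three as fields of /proc/<pid>/status, so a defender can verify them for a running container instead of trusting the run command. The following Python is an added example and not code from the deck; the capability numbering follows the Linux kernel's capability.h, the two status samples are constructed (a default container and a --privileged one), and on a live host you would feed it the status file of the container's PID instead.

```python
"""Audit the isolation a container process actually has, from /proc/<pid>/status.

Added example (not from the deck). The capability table follows the Linux
numbering in include/uapi/linux/capability.h; the two status samples below
are constructed, not captured from a real host.
"""
import re

# Capability names by bit position (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# The set Docker leaves in a non-privileged container (slide 13 of the deck).
DOCKER_DEFAULT_CAPS = {
    "chown", "dac_override", "fsetid", "fowner", "mknod", "net_raw", "setgid",
    "setuid", "setfcap", "setpcap", "net_bind_service", "sys_chroot", "kill",
    "audit_write",
}

# Capabilities that, inside a container, are close to root on the host.
HIGH_RISK_CAPS = {"sys_admin", "sys_module", "sys_ptrace", "sys_rawio",
                  "net_admin", "dac_read_search", "bpf"}


def decode_caps(hex_mask: str) -> set:
    """Turn a CapEff/CapBnd hex mask into the set of capability names it contains."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_proc_status(text: str) -> dict:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit_status(text: str) -> list:
    """Return findings where the process has more privilege than Docker's defaults."""
    s = parse_proc_status(text)
    findings = []
    effective = decode_caps(s.get("CapEff", "0"))
    extra = effective - DOCKER_DEFAULT_CAPS
    if extra:
        findings.append("capabilities beyond Docker defaults: " + ", ".join(sorted(extra)))
    risky = effective & HIGH_RISK_CAPS
    if risky:
        findings.append("high-risk capabilities present: " + ", ".join(sorted(risky)))
    if s.get("Seccomp", "0") == "0":          # 0 = disabled, 1 = strict, 2 = filter
        findings.append("seccomp disabled (Seccomp: 0)")
    if s.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs not set (run with --security-opt no-new-privileges)")
    return findings


# Constructed sample: the fields a default `docker run` container shows.
DEFAULT_CONTAINER_STATUS = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t2
"""

# Constructed sample: a --privileged container (every capability, seccomp off).
PRIVILEGED_CONTAINER_STATUS = """\
Name:\tnginx
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t0
"""

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_CONTAINER_STATUS),
                          ("privileged", PRIVILEGED_CONTAINER_STATUS)):
        print(label, audit_status(sample) or ["ok"])
```

The default sample decodes to exactly the 14 capabilities on slide 13 and raises only the no-new-privs finding, which matches the deck's note that that flag is opt-in; the privileged sample trips every check, which is the quickest way to spot a container that slipped through with --privileged.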
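Slide 15 makes three content-security points: an image is supposed to be an immutable source, it is usually pulled from a public registry whose base image must be vetted, and secrets do not belong inside it. All three can be checked before an image is admitted, from nothing more than its reference string and its OCI image config. The following Python is an added example, not code from the deck or from any scanner; the registry allowlist, the two image references, the config JSON and the 64-zero digest are constructed placeholders.

```python
"""Pre-admission checks on a container image reference and its OCI image config.

Added example (not from the deck or any scanner). The registry allowlist,
the image references and the config JSON are constructed placeholders.
"""
import json
import re

# Hypothetical allowlist of registries whose base images the team has vetted.
APPROVED_REGISTRIES = {"registry.example.internal"}

# Environment variable names that suggest a secret was baked into the image.
SECRET_ENV_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_reference(ref: str) -> tuple:
    """Split 'registry/repo:tag@sha256:...' into (registry, repo, tag, digest).

    Follows the Docker rule: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise the registry is docker.io.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def audit_image(ref: str, image_config: dict) -> list:
    """Return findings for the supply-chain problems slide 15 lists."""
    findings = []
    registry, _repo, tag, digest = parse_reference(ref)
    if registry not in APPROVED_REGISTRIES:
        findings.append(f"image pulled from unvetted registry: {registry}")
    if digest is None or not DIGEST_RE.fullmatch(digest):
        # A tag can be re-pushed; only a digest names immutable content.
        findings.append(f"reference not pinned by digest; tag '{tag or 'latest'}' is mutable")
    cfg = image_config.get("config", {})
    user = cfg.get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append(f"container runs as root (User={user!r})")
    for entry in cfg.get("Env", []):
        key = entry.split("=", 1)[0]
        if SECRET_ENV_RE.search(key):
            findings.append(f"secret-looking variable baked into image config: {key}")
    return findings


# Constructed: a typical unhardened pull, in the shape of an OCI image config.
UNVETTED_REF = "docker.io/library/node:10"
UNVETTED_CONFIG = json.loads("""
{
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "User": "",
    "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin",
            "DB_PASSWORD=hunter2"],
    "Cmd": ["node", "server.js"]
  }
}
""")

# Constructed hardened counterpart: vetted registry, digest-pinned, non-root, no secrets.
HARDENED_REF = "registry.example.internal/team/app@sha256:" + "0" * 64  # placeholder digest
HARDENED_CONFIG = {
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "User": "10001:10001",
        "Env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"],
        "Cmd": ["node", "server.js"],
    },
}

if __name__ == "__main__":
    print("unvetted:", audit_image(UNVETTED_REF, UNVETTED_CONFIG))
    print("hardened:", audit_image(HARDENED_REF, HARDENED_CONFIG))
```

The check is deliberately limited to what the reference and config prove on their own; package-level vulnerability scanning of the layers, which slide 15 also calls for, needs the image contents and is a separate step.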