SlideShare a Scribd company logo

MR201411 SELinux in Virtualization and Containers

FFRI, Inc.
FFRI, Inc.

• To achieve secure environment requires two surfaces for isolation in virtualization and containers – An isolation between host OS and guest OS – An isolation between guests • libvirt is sophisticated VM management framework, it has already integrated isolation with SELinux and AppArmor • Docker is familiar to developers, but it includes security risks like execution of untrusted programs – We absolutely need SELinux for secure development with Docker

Technology
1 of 16
Download to read offline
FFRI,Inc. 1 Monthly Research SELinux in Virtualization and Containers FFRI, Inc http://www.ffri.jp Ver 1.00.02
FFRI,Inc. SELinux in Virtualization and Containers • Virtualization security with SELinux – Threat model of operating system virtualization – libvirt(svirt) – An isolation between host OS and guest OS with Type Enforcement*1 – An isolation between guests with Multi Category Security*2 • Docker security with SELinux – About Docker – Threat model of Docker – Isolation using libcontainer with SELinux • Conclusion 2 *1, *2: We already shows SELinux Basics. See also: http://www.ffri.jp/assets/files/monthly_research/MR201406_A%20Re-introduction%20to%20SELinux_ENG.pdf
FFRI,Inc. Introduction • In virtualization environment, isolation is an important security factor – Container is also the same • Unfortunately, almost virtualization instances and containers require root privilege – If possible, host OS confines guest OS and container “in the virtual” • In this research, we show isolation using SELinux in Linux virtualization system and Docker 3
FFRI,Inc. VIRTUALIZATION SECURITY WITH SELINUX 4
FFRI,Inc. Threat model of operating system virtualization • Case1: Infecting host from malicious guest – If vulnerabilities exist in virtualization system, an attacker may gain privileges because almost Guest OS runs with root privileges in Linux virtualization system • Case2: Malicious guest attacks to the other guest – DoS attack, information stealing and more 5 Attack from the guest to the other guest Guest OS Host OS Guest OS Attack from guest to host Fig 1. Threat model of virtualization system
FFRI,Inc. libvirt(with svirt) • libvirt is well-integrated VM management framework – virsh is sophisticated component in libvirt which is usable tools for administrator • sVirt(secure Virtualization) integrated into libvirt for each virtualization software and containers with SELinux and AppArmor – Virtualization: KVM, Xen, QEMU, VirtualBox, VMwaare, Hyper-V etc. – Containers: LXC, OpenVZ etc. – If use SELinux, security policies are managed by reference policy 6
FFRI,Inc. An isolation between host OS and guest OS with Type Enforcement • A Security manager of libvirt isolates the guest using integrated Linux access controls – selinux, apparmor, Unix DAC 7 Guest OS Process (qemu_t) allow ipc etc. Host OS Allow read/write Guest OS image (qemu_image_t or virt_image_t) libvirtd (virtd_t ) Allow read/write manage SELinux Hooks Fig 2. Host-Guest Isolation using SELinux
FFRI,Inc. An isolation between guests with Multi Category Security • A Security manager of libvirt assigns unique MCS context to guest process and guest disk images dynamically • MCS access controls denies access from another categories 8 Guest OS Process (MLS Context: c1) Allow All Guest OS1 Image (MLS Context: c1) Guest OS Process (MLS Context: c2) Deny All Allow All Guest OS2 Image (MLS Context: c2) Fig 3. Guest-Guest Isolation using SELinux SELinux Hooks
FFRI,Inc. DOCKER SECURITY WITH SELINUX 9
FFRI,Inc. About Docker • Docker is application deployment framework using containers and OS image version control system – Docker Engine • Including containers manager, disk controller and CLI etc. – Docker Hub • Image distribution and management platform like github • Docker developed by DotCloud for PaaS – DotCloud has renamed itself Docker, Inc. • Docker is hot topic in PaaS provider – Microsoft, Google and Amazon establish relations with Docker in 2014. 10
FFRI,Inc. Scalable Deployment Cycle with Docker 11 Docker Container Docker Engine Developer’s Host Docker Container Docker Container Docker Engine Production Serer A 1. Download from Docker Hub Docker Image Docker Container Docker Container Docker Engine Production Serer B 2. Building application in Docker container 3. Deploying production environment from developer’s Docker container Docker Hub 4. You can deploy Docker image from Docker Hub directly
FFRI,Inc. Threat model of Docker • Docker container requires root privilege • Docker Hub is hosting service, do not guarantee images safety – Do you trust public docker image? 12 Malicious Docker Container Attack Docker Engine Developer’s Host This container is trusted? Untrusted OS execution with pilerivge Malicious Docker Image Docker Hub Benign Docker Container Attack
FFRI,Inc. Isolation using libcontainer with SELinux • libcontainer was integrated into Docker after version 0.9 – In the past, lxc and libvirt used • libcontainer isolates container using Linux capabilities, cgroup, MAC(SELinux, AppArmor) – In case of SELinux; libcontainer assigns MCS context dynamically 13
FFRI,Inc. Conclusion • To achieve secure environment requires two surfaces for isolation in virtualization and containers – An isolation between host OS and guest OS – An isolation between guests • libvirt is sophisticated VM management framework, it has already integrated isolation with SELinux and AppArmor • Docker is familiar to developers, but it includes security risks like execution of untrusted programs – We absolutely need SELinux for secure development with Docker 14
FFRI,Inc. References • Section 3: sVirt https://access.redhat.com/documentation/ja-JP/Red_Hat_Enterprise_Linux/6/html/ Virtualization_Administration_Guide/chap-sVirt.html • Docker and SELinux http://www.projectatomic.io/docs/docker-and-selinux/ • DOCKER 0.9: INTRODUCING EXECUTION DRIVERS AND LIBCONTAINER https://blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/ • Introducing a *Super* Privileged Container Concept http://developerblog.redhat.com/2014/11/06/introducing-a-super-privileged-container-concept/ 15
FFRI,Inc. Contact Information E-Mail : research—feedback@ffri.jp Twitter : @FFRI_Research 16

Recommended

Unik Slides
Unik SlidesUnik Slides
Unik SlidesIdit Levine
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Unik: Unikernel Backend to Cloud Foundry
Unik: Unikernel Backend to Cloud FoundryUnik: Unikernel Backend to Cloud Foundry
Unik: Unikernel Backend to Cloud FoundryVMware Tanzu
 
Cigna Innovation Summit
Cigna Innovation SummitCigna Innovation Summit
Cigna Innovation SummitIdit Levine
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 
Code Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherCode Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherSUSE
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Debugging Microservices - QCON 2017
Debugging Microservices - QCON 2017Debugging Microservices - QCON 2017
Debugging Microservices - QCON 2017Idit Levine
 

Recommended

Unik Slides
Unik SlidesUnik Slides
Unik SlidesIdit Levine
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Unik: Unikernel Backend to Cloud Foundry
Unik: Unikernel Backend to Cloud FoundryUnik: Unikernel Backend to Cloud Foundry
Unik: Unikernel Backend to Cloud FoundryVMware Tanzu
 
Cigna Innovation Summit
Cigna Innovation SummitCigna Innovation Summit
Cigna Innovation SummitIdit Levine
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 
Code Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherCode Factory avec GitLab CI et Rancher
Code Factory avec GitLab CI et RancherSUSE
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux SecurityRizky Ariestiyansyah
 
Debugging Microservices - QCON 2017
Debugging Microservices - QCON 2017Debugging Microservices - QCON 2017
Debugging Microservices - QCON 2017Idit Levine
 
Testing Docker Images Security -NcN edition
Testing Docker Images Security -NcN editionTesting Docker Images Security -NcN edition
Testing Docker Images Security -NcN editionJose Manuel Ortega Candel
 
Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727csirac2
 
UniK: Deploy Unikernels with Ease
UniK: Deploy Unikernels with EaseUniK: Deploy Unikernels with Ease
UniK: Deploy Unikernels with EaseScott Weiss
 
µ-Xen
µ-Xenµ-Xen
µ-XenLars Kurth
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Everything you need to know about containers security
Everything you need to know about containers securityEverything you need to know about containers security
Everything you need to know about containers securityJose Manuel Ortega Candel
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images SecurityJose Manuel Ortega Candel
 
Embedded Linux System Overview : Tonex Training
Embedded Linux System Overview : Tonex TrainingEmbedded Linux System Overview : Tonex Training
Embedded Linux System Overview : Tonex TrainingBryan Len
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Course 101: Lecture 6: Installing Ubuntu
Course 101: Lecture 6: Installing Ubuntu Course 101: Lecture 6: Installing Ubuntu
Course 101: Lecture 6: Installing Ubuntu Ahmed El-Arabawy
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization WSO2
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
Essential security for linux servers
Essential security for linux serversEssential security for linux servers
Essential security for linux serversJuan Carlos Pérez Pardo
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating SystemAvnish Khandelwal
 
MR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationMR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationFFRI, Inc.
 
L'affaire CentOS
L'affaire CentOSL'affaire CentOS
L'affaire CentOSSUSE
 
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...DefconRussia
 
GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment Scenarios
GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment ScenariosGWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment Scenarios
GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment ScenariosGWAVA
 
Mailserver Migrationen - Häufig gestellte Fragen
Mailserver Migrationen - Häufig gestellte FragenMailserver Migrationen - Häufig gestellte Fragen
Mailserver Migrationen - Häufig gestellte FragenGWAVA
 

More Related Content

What's hot

Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727csirac2
 
UniK: Deploy Unikernels with Ease
UniK: Deploy Unikernels with EaseUniK: Deploy Unikernels with Ease
UniK: Deploy Unikernels with EaseScott Weiss
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Everything you need to know about containers security
Everything you need to know about containers securityEverything you need to know about containers security
Everything you need to know about containers securityJose Manuel Ortega Candel
 
Embedded Linux System Overview : Tonex Training
Embedded Linux System Overview : Tonex TrainingEmbedded Linux System Overview : Tonex Training
Embedded Linux System Overview : Tonex TrainingBryan Len
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Course 101: Lecture 6: Installing Ubuntu
Course 101: Lecture 6: Installing Ubuntu Course 101: Lecture 6: Installing Ubuntu
Course 101: Lecture 6: Installing Ubuntu Ahmed El-Arabawy
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization WSO2
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
MR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationMR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationFFRI, Inc.
 
L'affaire CentOS
L'affaire CentOSL'affaire CentOS
L'affaire CentOSSUSE
 
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...DefconRussia
 

What's hot (20)

Testing Docker Images Security -NcN edition
Testing Docker Images Security -NcN editionTesting Docker Images Security -NcN edition
Testing Docker Images Security -NcN edition
 
Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727Qubes os presentation_to_clug_20150727
Qubes os presentation_to_clug_20150727
 
UniK: Deploy Unikernels with Ease
UniK: Deploy Unikernels with EaseUniK: Deploy Unikernels with Ease
UniK: Deploy Unikernels with Ease
 
µ-Xen
µ-Xenµ-Xen
µ-Xen
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017
 
Everything you need to know about containers security
Everything you need to know about containers securityEverything you need to know about containers security
Everything you need to know about containers security
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images Security
 
Embedded Linux System Overview : Tonex Training
Embedded Linux System Overview : Tonex TrainingEmbedded Linux System Overview : Tonex Training
Embedded Linux System Overview : Tonex Training
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Course 101: Lecture 6: Installing Ubuntu
Course 101: Lecture 6: Installing Ubuntu Course 101: Lecture 6: Installing Ubuntu
Course 101: Lecture 6: Installing Ubuntu
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Container security
Container securityContainer security
Container security
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Essential security for linux servers
Essential security for linux serversEssential security for linux servers
Essential security for linux servers
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
 
MR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationMR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separation
 
L'affaire CentOS
L'affaire CentOSL'affaire CentOS
L'affaire CentOS
 
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualizat...
 

Viewers also liked

GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment Scenarios
GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment ScenariosGWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment Scenarios
GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment ScenariosGWAVA
 
Mailserver Migrationen - Häufig gestellte Fragen
Mailserver Migrationen - Häufig gestellte FragenMailserver Migrationen - Häufig gestellte Fragen
Mailserver Migrationen - Häufig gestellte FragenGWAVA
 
Collaboration mit Office 365 Groups, Planner, Video & Co
Collaboration mit Office 365 Groups, Planner, Video & CoCollaboration mit Office 365 Groups, Planner, Video & Co
Collaboration mit Office 365 Groups, Planner, Video & CoGWAVA
 
Going Hybrid with Exchange 2013
Going Hybrid with Exchange 2013Going Hybrid with Exchange 2013
Going Hybrid with Exchange 2013Alberto Pascual
 
Slides: Archivierung und Security – Für weniger mehr bekommen
Slides: Archivierung und Security – Für weniger mehr bekommen Slides: Archivierung und Security – Für weniger mehr bekommen
Slides: Archivierung und Security – Für weniger mehr bekommen GWAVA
 
Mail server report
Mail server reportMail server report
Mail server reportNavjot Navi
 
A Project Report on Linux Server Administration
A Project Report on Linux Server AdministrationA Project Report on Linux Server Administration
A Project Report on Linux Server AdministrationAvinash Kumar
 
Intranet Mailing System Rahul Raj
Intranet Mailing System Rahul RajIntranet Mailing System Rahul Raj
Intranet Mailing System Rahul Rajvishnu56
 
Mail Server Project Report
Mail Server Project ReportMail Server Project Report
Mail Server Project ReportKavita Sharma
 
Mail server on linux
Mail server on linux Mail server on linux
Mail server on linux Roshni17
 
Project Report On Online Crime Management Application
Project Report On Online Crime Management ApplicationProject Report On Online Crime Management Application
Project Report On Online Crime Management Applicationsatvirsandhu9
 

Viewers also liked (13)

GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment Scenarios
GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment ScenariosGWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment Scenarios
GWAVACon 2015: Microsoft MVP - Office 365, Typical Deployment Scenarios
 
Mailserver Migrationen - Häufig gestellte Fragen
Mailserver Migrationen - Häufig gestellte FragenMailserver Migrationen - Häufig gestellte Fragen
Mailserver Migrationen - Häufig gestellte Fragen
 
Collaboration mit Office 365 Groups, Planner, Video & Co
Collaboration mit Office 365 Groups, Planner, Video & CoCollaboration mit Office 365 Groups, Planner, Video & Co
Collaboration mit Office 365 Groups, Planner, Video & Co
 
Going Hybrid with Exchange 2013
Going Hybrid with Exchange 2013Going Hybrid with Exchange 2013
Going Hybrid with Exchange 2013
 
Slides: Archivierung und Security – Für weniger mehr bekommen
Slides: Archivierung und Security – Für weniger mehr bekommen Slides: Archivierung und Security – Für weniger mehr bekommen
Slides: Archivierung und Security – Für weniger mehr bekommen
 
Internet mail server
Internet mail server Internet mail server
Internet mail server
 
Zimbra Overview
Zimbra OverviewZimbra Overview
Zimbra Overview
 
Mail server report
Mail server reportMail server report
Mail server report
 
A Project Report on Linux Server Administration
A Project Report on Linux Server AdministrationA Project Report on Linux Server Administration
A Project Report on Linux Server Administration
 
Intranet Mailing System Rahul Raj
Intranet Mailing System Rahul RajIntranet Mailing System Rahul Raj
Intranet Mailing System Rahul Raj
 
Mail Server Project Report
Mail Server Project ReportMail Server Project Report
Mail Server Project Report
 
Mail server on linux
Mail server on linux Mail server on linux
Mail server on linux
 
Project Report On Online Crime Management Application
Project Report On Online Crime Management ApplicationProject Report On Online Crime Management Application
Project Report On Online Crime Management Application
 

Similar to MR201411 SELinux in Virtualization and Containers

Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisOW2
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Patrick Chanezon
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersMassimiliano Mattetti
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
DockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon HykesDockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon HykesDocker, Inc.
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel securitysmart_bit
 
Introduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainIntroduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainAjeet Singh Raina
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiatedKevin Lee
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
containers and virtualization tools ( Docker )
containers and virtualization tools ( Docker )containers and virtualization tools ( Docker )
containers and virtualization tools ( Docker )Imo Inyang
 
Docker introduction
Docker introductionDocker introduction
Docker introductionPhuc Nguyen
 
Introduction to Docker - IndiaOpsUG
Introduction to Docker - IndiaOpsUGIntroduction to Docker - IndiaOpsUG
Introduction to Docker - IndiaOpsUGAjeet Singh Raina
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerRonak Kogta
 
.docker : How to deploy Digital Experience in a container, drinking a cup of ...
.docker : How to deploy Digital Experience in a container, drinking a cup of ....docker : How to deploy Digital Experience in a container, drinking a cup of ...
.docker : How to deploy Digital Experience in a container, drinking a cup of ...ICON UK EVENTS Limited
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
 

Similar to MR201411 SELinux in Virtualization and Containers (20)

Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017
 
Securing the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux ContainersSecuring the Infrastructure and the Workloads of Linux Containers
Securing the Infrastructure and the Workloads of Linux Containers
 
Container Security
Container SecurityContainer Security
Container Security
 
DockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon HykesDockerCon 2017 - General Session Day 1 - Solomon Hykes
DockerCon 2017 - General Session Day 1 - Solomon Hykes
 
Docker
DockerDocker
Docker
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Introduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker CaptainIntroduction to Docker Containers - Docker Captain
Introduction to Docker Containers - Docker Captain
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
paper
paperpaper
paper
 
Microservices and containers for the unitiated
Microservices and containers for the unitiatedMicroservices and containers for the unitiated
Microservices and containers for the unitiated
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're Going
 
containers and virtualization tools ( Docker )
containers and virtualization tools ( Docker )containers and virtualization tools ( Docker )
containers and virtualization tools ( Docker )
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Introduction to Docker - IndiaOpsUG
Introduction to Docker - IndiaOpsUGIntroduction to Docker - IndiaOpsUG
Introduction to Docker - IndiaOpsUG
 
What is Docker?
What is Docker?What is Docker?
What is Docker?
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
 
.docker : How to deploy Digital Experience in a container, drinking a cup of ...
.docker : How to deploy Digital Experience in a container, drinking a cup of ....docker : How to deploy Digital Experience in a container, drinking a cup of ...
.docker : How to deploy Digital Experience in a container, drinking a cup of ...
 
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)"Docker best practice", Станислав Коленкин (senior devops, DataArt)
"Docker best practice", Станислав Коленкин (senior devops, DataArt)
 

More from FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 

More from FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 

MR201411 SELinux in Virtualization and Containers

  • 1. FFRI,Inc. 1 Monthly Research SELinux in Virtualization and Containers FFRI, Inc http://www.ffri.jp Ver 1.00.02
  • 2. FFRI,Inc. SELinux in Virtualization and Containers • Virtualization security with SELinux – Threat model of operating system virtualization – libvirt(svirt) – An isolation between host OS and guest OS with Type Enforcement*1 – An isolation between guests with Multi Category Security*2 • Docker security with SELinux – About Docker – Threat model of Docker – Isolation using libcontainer with SELinux • Conclusion 2 *1, *2: We already shows SELinux Basics. See also: http://www.ffri.jp/assets/files/monthly_research/MR201406_A%20Re-introduction%20to%20SELinux_ENG.pdf
  • 3. FFRI,Inc. Introduction • In virtualization environment, isolation is an important security factor – Container is also the same • Unfortunately, almost virtualization instances and containers require root privilege – If possible, host OS confines guest OS and container “in the virtual” • In this research, we show isolation using SELinux in Linux virtualization system and Docker 3
  • 5. FFRI,Inc. Threat model of operating system virtualization • Case1: Infecting host from malicious guest – If vulnerabilities exist in virtualization system, an attacker may gain privileges because almost Guest OS runs with root privileges in Linux virtualization system • Case2: Malicious guest attacks to the other guest – DoS attack, information stealing and more 5 Attack from the guest to the other guest Guest OS Host OS Guest OS Attack from guest to host Fig 1. Threat model of virtualization system
  • 6. FFRI,Inc. libvirt(with svirt) • libvirt is well-integrated VM management framework – virsh is sophisticated component in libvirt which is usable tools for administrator • sVirt(secure Virtualization) integrated into libvirt for each virtualization software and containers with SELinux and AppArmor – Virtualization: KVM, Xen, QEMU, VirtualBox, VMwaare, Hyper-V etc. – Containers: LXC, OpenVZ etc. – If use SELinux, security policies are managed by reference policy 6
  • 7. FFRI,Inc. An isolation between host OS and guest OS with Type Enforcement • A Security manager of libvirt isolates the guest using integrated Linux access controls – selinux, apparmor, Unix DAC 7 Guest OS Process (qemu_t) allow ipc etc. Host OS Allow read/write Guest OS image (qemu_image_t or virt_image_t) libvirtd (virtd_t ) Allow read/write manage SELinux Hooks Fig 2. Host-Guest Isolation using SELinux
  • 8. FFRI,Inc. An isolation between guests with Multi Category Security • A Security manager of libvirt assigns unique MCS context to guest process and guest disk images dynamically • MCS access controls denies access from another categories 8 Guest OS Process (MLS Context: c1) Allow All Guest OS1 Image (MLS Context: c1) Guest OS Process (MLS Context: c2) Deny All Allow All Guest OS2 Image (MLS Context: c2) Fig 3. Guest-Guest Isolation using SELinux SELinux Hooks
  • 9. FFRI,Inc. DOCKER SECURITY WITH SELINUX 9
  • 10. FFRI,Inc. About Docker • Docker is application deployment framework using containers and OS image version control system – Docker Engine • Including containers manager, disk controller and CLI etc. – Docker Hub • Image distribution and management platform like github • Docker developed by DotCloud for PaaS – DotCloud has renamed itself Docker, Inc. • Docker is hot topic in PaaS provider – Microsoft, Google and Amazon establish relations with Docker in 2014. 10
  • 11. FFRI,Inc. Scalable Deployment Cycle with Docker 11 Docker Container Docker Engine Developer’s Host Docker Container Docker Container Docker Engine Production Serer A 1. Download from Docker Hub Docker Image Docker Container Docker Container Docker Engine Production Serer B 2. Building application in Docker container 3. Deploying production environment from developer’s Docker container Docker Hub 4. You can deploy Docker image from Docker Hub directly
  • 12. FFRI,Inc. Threat model of Docker • Docker container requires root privilege • Docker Hub is hosting service, do not guarantee images safety – Do you trust public docker image? 12 Malicious Docker Container Attack Docker Engine Developer’s Host This container is trusted? Untrusted OS execution with pilerivge Malicious Docker Image Docker Hub Benign Docker Container Attack
  • 13. FFRI,Inc. Isolation using libcontainer with SELinux • libcontainer was integrated into Docker after version 0.9 – In the past, lxc and libvirt used • libcontainer isolates container using Linux capabilities, cgroup, MAC(SELinux, AppArmor) – In case of SELinux; libcontainer assigns MCS context dynamically 13
  • 14. FFRI,Inc. Conclusion • To achieve secure environment requires two surfaces for isolation in virtualization and containers – An isolation between host OS and guest OS – An isolation between guests • libvirt is sophisticated VM management framework, it has already integrated isolation with SELinux and AppArmor • Docker is familiar to developers, but it includes security risks like execution of untrusted programs – We absolutely need SELinux for secure development with Docker 14
  • 15. FFRI,Inc. References • Section 3: sVirt https://access.redhat.com/documentation/ja-JP/Red_Hat_Enterprise_Linux/6/html/ Virtualization_Administration_Guide/chap-sVirt.html • Docker and SELinux http://www.projectatomic.io/docs/docker-and-selinux/ • DOCKER 0.9: INTRODUCING EXECUTION DRIVERS AND LIBCONTAINER https://blog.docker.com/2014/03/docker-0-9-introducing-execution-drivers-and-libcontainer/ • Introducing a *Super* Privileged Container Concept http://developerblog.redhat.com/2014/11/06/introducing-a-super-privileged-container-concept/ 15
  • 16. FFRI,Inc. Contact Information E-Mail : research—feedback@ffri.jp Twitter : @FFRI_Research 16