SlideShare a Scribd company logo

Vulnerability Exploitation in Docker Container Environments

F
FlawCheck

Docker container environments face security risks from vulnerabilities and malware. While containers isolate processes, compromised web applications could still exfiltrate data. Many pre-built containers from Docker Hub contain known vulnerabilities, as Docker does not inspect images for security. Enterprises have been slow to adopt containers due to these cybersecurity concerns over vulnerabilities, malware, and lack of policy enforcement and auditability within containers.

Technology
1 of 35
Download to read offline
VULNERABILITY EXPLOITATION IN DOCKER CONTAINER ENVIRONMENTS ANTHONY BETTINI FLAWCHECK
ABOUT ANTHONY BETTINI Working in cybersecurity since 1996 (Netect, Bindview Team RAZOR, Guardent, Foundstone Labs, McAfee Avert Labs, Intel, Appthority, FlawCheck) Original vulnerabilities discovered in products by PGP, ISS, Symantec, McAfee, Microsoft, Apple, etc. Founded Appthority, which did static & dynamic analysis of mobile apps and was named the Most Innovative Company of the Year at RSA Conference 2012 Most recently, founded FlawCheck, the only scalable vulnerability & malware inspection platform for container images
CONTAINERS CONTAIN … UNTIL THEY DON’T MODERN HISTORY OF LINUX CONTAINERS
CHROOT 1979
For ftpd, not security
UNCHROOT CHROOT ESCAPE
CONTROL GROUPS 2007
CONTROL GROUPS (CGROUPS) “Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized [behavior].” Started in 2006 as “process containers” Released in 2007 in Linux kernel 2.6.24 as control groups (due to containers being an overloaded term) Primarily authored by Google engineers for scaling out isolated workloads Basis for at least: systemd, CoreOS, Docker, lmctfy, LXC, etc. cgroups resource: https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
LXC Runs in userspace Provides interface to all of the kernel containment features ­ Kernel namespaces ­ Control Groups ­ Apparmour & SELinux ­ Policies Learn more at: https://linuxcontainers.org/lxc/introduction/ 2008
2013 Solomon Hykes on "The future of Linux Containers" PyCon US 2013: https://www.youtube.com/watch?v=wW9CAH9nSLs
DOCKER VS. LXC
DOCKER BASICS
DOCKER REMOTE API EVENTS (ARCHITECTURE)
LINUX NAMESPACES “A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. One use of namespaces is to implement containers.” Six namespaces: 1. mnt (filesystems & mount points) 2. PID (processes) 3. net (network stack) 4. UTS (hostname) 5. IPC (Linux implementation of System V IPC) 6. user (more on this later…) namespaces(7)
USER NAMESPACES Introduced in Linux kernel 3.8 user_namespaces(7) Docker uses kernel namespaces and does not yet fully implement user namespaces More on namespaces (from Plan 9): ­ http://www.cs.bell-labs.com/sys/doc/names.html More on user namespaces: ­ https://lwn.net/Articles/532593/ 2013
STATE OF THE UNION: CONTAINERS IN THE ENTERPRISE
ENTERPRISES SLOW TO ADOPT CONTAINERS DUE TO CYBERSECURITY CONCERNS JANUARY 2015
JULY 2015
VULNERABILITIES & MALWARE AUGUST 2015 42% 21% 16% 11% 11% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% Top Security Concern RECENT ENTERPRISE SURVEY BY FLAWCHECK Vulnerabilities & Malware Policy Enforcement Isolation Auditability Network Perimeter Security
CONTAINERS ARE EPHEMERAL
VULNERABILITIES
DOCKER INSTALLATION | sh
DAEMON RUNS AS ROOT
DOCKER NETWORKING ENUMERATE CONTAINERS
DOCKER NETWORKING SHUTDOWN CONTAINER HOST
DOCKER ESCAPE (FIXED) Problem stemmed from blacklisting kernel capabilities (Docker missed CAP_DAC_READ_SEARCH, allowing open_by_handle_at() to succeed) In Docker 0.12.0, Docker switched to a whitelist model for kernel capabilities Docker kernel capabilities whitelist: ­ https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_templ ate.go AFFECTED < 0.11.1
DECOMPRESSION HIGHEST ROI ATTACK VECTOR Docker needs to decompress (recursively) container images (and currently does this as root on the container host) – Docker supports at least XZ, GZ, TAR Cloud Service Providers (CSP) particularly at risk if not validating container images T. TIIGI WORKS AT DOCKER NOW
BASH IN A DOCKER CONTAINER? Present in >50% of popular containers on Docker Hub Commonly present in most or very few of homegrown containers, dependent upon how automated builds are done in the CI/CD process automation /bin/bash typically not related to the actively running process but could be CVE-2014-6271
ELASTICSEARCH CVE-2014-3120 CVE-2014-3120 is a RCE bug in ElasticSearch (prior to 1.2.0) Ben Hall @ Ocelot Uproar was running ElasticSearch in a Docker container and it was breached via CVE-2014-3120 (probably first publicly-admitted breach of a Docker container environment in-the-wild (ITW)) Actively exploited in the wild and MetaSploit plugin available (works against Dockerized ElasticSearch): ­ https://github.com/rapid7/metasploit- framework/blob/master/modules/exploits/multi/elasticsearch/script_mvel_rce.rb
TEARING APART CONTAINERS What did we find?
MODERN ANALOGY Launched in 2008 Launched in 2014 Friday, November 13, 2015 CONFIDENTIAL & PROPRIETARY. COPYRIGHT 2015 © FLAWCHECK INC. ALL RIGHTS RESERVED 31
ANDROID MALWARE Android Market launched without doing security inspection of uploaded apps Today, Google performs static & dynamic analysis of Android apps, with the hope of finding malware Long list of Android malware: http://forensics.spreitzenbarth.de/an droid-malware/ Friday, November 13, 2015 CONFIDENTIAL & PROPRIETARY. COPYRIGHT 2015 © FLAWCHECK INC. ALL RIGHTS RESERVED 32
IS ELF MALWARE REALLY A CONCERN? Friday, November 13, 2015 CONFIDENTIAL & PROPRIETARY. COPYRIGHT 2015 © FLAWCHECK INC. ALL RIGHTS RESERVED 33
DOCKER HUB Docker Hub Overall >15,000 pre-built containers >500 million downloads No security inspection by Docker >30% of containers have vulnerabilities Docker Hub Official Images ~100 official images (tag: latest) Blue-ribbon from Docker No security inspection by Docker >90% of official images have vulnerabilities
BLACK HAT SOUND BYTES Concerns about vulnerabilities & malware in containers, holding back Docker from production deployments in enterprises Isolation (even strong) doesn't mean data exfiltration won't occur (due to the risk of web tier containers being compromised) If you download a pre-built container from Docker Hub, there is a high chance it comes with vulnerabilities out-of-the-box (and therefore, shouldn’t be run in production environments)

Recommended

Preventing Hybrid Cloud Environments from Being Breached
Preventing Hybrid Cloud Environments from Being BreachedPreventing Hybrid Cloud Environments from Being Breached
Preventing Hybrid Cloud Environments from Being Breached
FlawCheck
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
 
"Containers do not contain"
"Containers do not contain""Containers do not contain"
"Containers do not contain"
Maciej Lasyk
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
Jooho Lee
 
Linux containers & Devops
Linux containers & DevopsLinux containers & Devops
Linux containers & Devops
Maciej Lasyk
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
Aqua Security
 
Vagrant or docker for java dev environment
Vagrant or docker for java dev environmentVagrant or docker for java dev environment
Vagrant or docker for java dev environment
Orest Ivasiv
 

Recommended

Preventing Hybrid Cloud Environments from Being Breached
Preventing Hybrid Cloud Environments from Being BreachedPreventing Hybrid Cloud Environments from Being Breached
Preventing Hybrid Cloud Environments from Being Breached
FlawCheck
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...How abusing the Docker API led to remote code execution same origin bypass an...
How abusing the Docker API led to remote code execution same origin bypass an...
Aqua Security
 
"Containers do not contain"
"Containers do not contain""Containers do not contain"
"Containers do not contain"
Maciej Lasyk
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
Jooho Lee
 
Linux containers & Devops
Linux containers & DevopsLinux containers & Devops
Linux containers & Devops
Maciej Lasyk
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
Aqua Security
 
Vagrant or docker for java dev environment
Vagrant or docker for java dev environmentVagrant or docker for java dev environment
Vagrant or docker for java dev environment
Orest Ivasiv
 
Dockerizing development workflow
Dockerizing development workflowDockerizing development workflow
Dockerizing development workflow
Orest Ivasiv
 
RHEL/Fedora + Docker (and SELinux)
RHEL/Fedora + Docker (and SELinux)RHEL/Fedora + Docker (and SELinux)
RHEL/Fedora + Docker (and SELinux)
Maciej Lasyk
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
Dobrica Pavlinušić
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
Patrick Chanezon
 
Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linux
macchiang
 
App container rkt
App container rktApp container rkt
App container rkt
Xiaofeng Guo
 
Eclipsecon 2017 presentation
Eclipsecon 2017 presentationEclipsecon 2017 presentation
Eclipsecon 2017 presentation
Kynetics
 
Orchestrating docker containers at scale (PJUG edition)
Orchestrating docker containers at scale (PJUG edition)Orchestrating docker containers at scale (PJUG edition)
Orchestrating docker containers at scale (PJUG edition)
Maciej Lasyk
 
Docker dDessi november 2015
Docker dDessi november 2015Docker dDessi november 2015
Docker dDessi november 2015
Massimiliano Dessì
 
Orchestrating docker containers at scale (#DockerKRK edition)
Orchestrating docker containers at scale (#DockerKRK edition)Orchestrating docker containers at scale (#DockerKRK edition)
Orchestrating docker containers at scale (#DockerKRK edition)
Maciej Lasyk
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
RightScale
 
What's really the difference between a VM and a Container?
What's really the difference between a VM and a Container?What's really the difference between a VM and a Container?
What's really the difference between a VM and a Container?
Adrian Otto
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
Maciej Lasyk
 
How to master OpenStack in 2 hours
How to master OpenStack in 2 hoursHow to master OpenStack in 2 hours
How to master OpenStack in 2 hours
OpenCity Community
 
CLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grepCLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grep
All Things Open
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
muayyad alsadi
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Rishidot research briefing notes Cloudscaling
Rishidot research briefing notes CloudscalingRishidot research briefing notes Cloudscaling
Rishidot research briefing notes Cloudscaling
Rishidot Research
 
Docker linuxday 2015
Docker linuxday 2015Docker linuxday 2015
Docker linuxday 2015
Massimiliano Dessì
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
smart_bit
 
Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
openfly
 

More Related Content

What's hot

Dockerizing development workflow
Dockerizing development workflowDockerizing development workflow
Dockerizing development workflow
Orest Ivasiv
 
RHEL/Fedora + Docker (and SELinux)
RHEL/Fedora + Docker (and SELinux)RHEL/Fedora + Docker (and SELinux)
RHEL/Fedora + Docker (and SELinux)
Maciej Lasyk
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
Dobrica Pavlinušić
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
Patrick Chanezon
 
Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linux
macchiang
 
App container rkt
App container rktApp container rkt
App container rkt
Xiaofeng Guo
 
Eclipsecon 2017 presentation
Eclipsecon 2017 presentationEclipsecon 2017 presentation
Eclipsecon 2017 presentation
Kynetics
 
Orchestrating docker containers at scale (PJUG edition)
Orchestrating docker containers at scale (PJUG edition)Orchestrating docker containers at scale (PJUG edition)
Orchestrating docker containers at scale (PJUG edition)
Maciej Lasyk
 
Docker dDessi november 2015
Docker dDessi november 2015Docker dDessi november 2015
Docker dDessi november 2015
Massimiliano Dessì
 
Orchestrating docker containers at scale (#DockerKRK edition)
Orchestrating docker containers at scale (#DockerKRK edition)Orchestrating docker containers at scale (#DockerKRK edition)
Orchestrating docker containers at scale (#DockerKRK edition)
Maciej Lasyk
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
RightScale
 
What's really the difference between a VM and a Container?
What's really the difference between a VM and a Container?What's really the difference between a VM and a Container?
What's really the difference between a VM and a Container?
Adrian Otto
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
Maciej Lasyk
 
How to master OpenStack in 2 hours
How to master OpenStack in 2 hoursHow to master OpenStack in 2 hours
How to master OpenStack in 2 hours
OpenCity Community
 
CLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grepCLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grep
All Things Open
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
muayyad alsadi
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Rishidot research briefing notes Cloudscaling
Rishidot research briefing notes CloudscalingRishidot research briefing notes Cloudscaling
Rishidot research briefing notes Cloudscaling
Rishidot Research
 
Docker linuxday 2015
Docker linuxday 2015Docker linuxday 2015
Docker linuxday 2015
Massimiliano Dessì
 

What's hot (20)

Dockerizing development workflow
Dockerizing development workflowDockerizing development workflow
Dockerizing development workflow
 
RHEL/Fedora + Docker (and SELinux)
RHEL/Fedora + Docker (and SELinux)RHEL/Fedora + Docker (and SELinux)
RHEL/Fedora + Docker (and SELinux)
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
 
Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linux
 
App container rkt
App container rktApp container rkt
App container rkt
 
Eclipsecon 2017 presentation
Eclipsecon 2017 presentationEclipsecon 2017 presentation
Eclipsecon 2017 presentation
 
Orchestrating docker containers at scale (PJUG edition)
Orchestrating docker containers at scale (PJUG edition)Orchestrating docker containers at scale (PJUG edition)
Orchestrating docker containers at scale (PJUG edition)
 
Docker dDessi november 2015
Docker dDessi november 2015Docker dDessi november 2015
Docker dDessi november 2015
 
Orchestrating docker containers at scale (#DockerKRK edition)
Orchestrating docker containers at scale (#DockerKRK edition)Orchestrating docker containers at scale (#DockerKRK edition)
Orchestrating docker containers at scale (#DockerKRK edition)
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
What's really the difference between a VM and a Container?
What's really the difference between a VM and a Container?What's really the difference between a VM and a Container?
What's really the difference between a VM and a Container?
 
Container security
Container securityContainer security
Container security
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
 
How to master OpenStack in 2 hours
How to master OpenStack in 2 hoursHow to master OpenStack in 2 hours
How to master OpenStack in 2 hours
 
CLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grepCLI Wizardry - A Friendly Intro To sed/awk/grep
CLI Wizardry - A Friendly Intro To sed/awk/grep
 
Techtalks: taking docker to production
Techtalks: taking docker to productionTechtalks: taking docker to production
Techtalks: taking docker to production
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Rishidot research briefing notes Cloudscaling
Rishidot research briefing notes CloudscalingRishidot research briefing notes Cloudscaling
Rishidot research briefing notes Cloudscaling
 
Docker linuxday 2015
Docker linuxday 2015Docker linuxday 2015
Docker linuxday 2015
 

Similar to Vulnerability Exploitation in Docker Container Environments

Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
smart_bit
 
Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
openfly
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
Patrick Chanezon
 
UniK - a unikernel compiler and runtime
UniK - a unikernel compiler and runtimeUniK - a unikernel compiler and runtime
UniK - a unikernel compiler and runtime
Lee Calcote
 
Bugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps DzonsonsBugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps Dzonsons
eurobsdcon
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware Administrators
Trevor Roberts Jr.
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Alex Senkevitch
 
[JOI] TOTVS Developers Joinville - Java #1
[JOI] TOTVS Developers Joinville - Java #1[JOI] TOTVS Developers Joinville - Java #1
[JOI] TOTVS Developers Joinville - Java #1
Rubens Dos Santos Filho
 
Beyond static configuration
Beyond static configurationBeyond static configuration
Beyond static configuration
Stefan Schimanski
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
James Wickett
 
Cloud Resilience with Open Stack
Cloud Resilience with Open StackCloud Resilience with Open Stack
Cloud Resilience with Open Stack
Jorge Cardoso
 
Docker Seattle Meetup, May 2017
Docker Seattle Meetup, May 2017Docker Seattle Meetup, May 2017
Docker Seattle Meetup, May 2017
Stephen Walli
 
Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...
Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...
Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...
Alfredo Hickman
 
Continous delivery at docker age
Continous delivery at docker ageContinous delivery at docker age
Continous delivery at docker age
Adrien Blind
 
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
Jorge Cardoso
 
CloudCamp justin cormack hypervise my app!
CloudCamp justin cormack hypervise my app! CloudCamp justin cormack hypervise my app!
CloudCamp justin cormack hypervise my app! Chris Purrington
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
smart_bit
 
Cloud computing and bioinformatics
Cloud computing and bioinformaticsCloud computing and bioinformatics
Cloud computing and bioinformatics
Enis Afgan
 
Seven Simple Reasons to Use AppFuse
Seven Simple Reasons to Use AppFuseSeven Simple Reasons to Use AppFuse
Seven Simple Reasons to Use AppFuse
Matt Raible
 

Similar to Vulnerability Exploitation in Docker Container Environments (20)

Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
 
Weave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 RecapWeave User Group Talk - DockerCon 2017 Recap
Weave User Group Talk - DockerCon 2017 Recap
 
UniK - a unikernel compiler and runtime
UniK - a unikernel compiler and runtimeUniK - a unikernel compiler and runtime
UniK - a unikernel compiler and runtime
 
Bugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps DzonsonsBugs Ex Ante by Kristaps Dzonsons
Bugs Ex Ante by Kristaps Dzonsons
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware Administrators
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
 
[JOI] TOTVS Developers Joinville - Java #1
[JOI] TOTVS Developers Joinville - Java #1[JOI] TOTVS Developers Joinville - Java #1
[JOI] TOTVS Developers Joinville - Java #1
 
Beyond static configuration
Beyond static configurationBeyond static configuration
Beyond static configuration
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Cloud Resilience with Open Stack
Cloud Resilience with Open StackCloud Resilience with Open Stack
Cloud Resilience with Open Stack
 
Docker Seattle Meetup, May 2017
Docker Seattle Meetup, May 2017Docker Seattle Meetup, May 2017
Docker Seattle Meetup, May 2017
 
Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...
Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...
Container Intrusions - Assessing the Efficacy of Intrusion Detection and Anal...
 
Continous delivery at docker age
Continous delivery at docker ageContinous delivery at docker age
Continous delivery at docker age
 
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
Cloud Operations and Analytics: Improving Distributed Systems Reliability usi...
 
CloudCamp justin cormack hypervise my app!
CloudCamp justin cormack hypervise my app! CloudCamp justin cormack hypervise my app!
CloudCamp justin cormack hypervise my app!
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
 
Cloud computing and bioinformatics
Cloud computing and bioinformaticsCloud computing and bioinformatics
Cloud computing and bioinformatics
 
Seven Simple Reasons to Use AppFuse
Seven Simple Reasons to Use AppFuseSeven Simple Reasons to Use AppFuse
Seven Simple Reasons to Use AppFuse
 

Recently uploaded

Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 

Recently uploaded (20)

Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 

Vulnerability Exploitation in Docker Container Environments

  • 1. VULNERABILITY EXPLOITATION IN DOCKER CONTAINER ENVIRONMENTS ANTHONY BETTINI FLAWCHECK
  • 2. ABOUT ANTHONY BETTINI Working in cybersecurity since 1996 (Netect, Bindview Team RAZOR, Guardent, Foundstone Labs, McAfee Avert Labs, Intel, Appthority, FlawCheck) Original vulnerabilities discovered in products by PGP, ISS, Symantec, McAfee, Microsoft, Apple, etc. Founded Appthority, which did static & dynamic analysis of mobile apps and was named the Most Innovative Company of the Year at RSA Conference 2012 Most recently, founded FlawCheck, the only scalable vulnerability & malware inspection platform for container images
  • 3. CONTAINERS CONTAIN … UNTIL THEY DON’T MODERN HISTORY OF LINUX CONTAINERS
  • 5. For ftpd, not security
  • 8. CONTROL GROUPS (CGROUPS) “Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized [behavior].” Started in 2006 as “process containers” Released in 2007 in Linux kernel 2.6.24 as control groups (due to containers being an overloaded term) Primarily authored by Google engineers for scaling out isolated workloads Basis for at least: systemd, CoreOS, Docker, lmctfy, LXC, etc. cgroups resource: https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt
  • 9. LXC Runs in userspace Provides interface to all of the kernel containment features ­ Kernel namespaces ­ Control Groups ­ Apparmour & SELinux ­ Policies Learn more at: https://linuxcontainers.org/lxc/introduction/ 2008
  • 10. 2013 Solomon Hykes on "The future of Linux Containers" PyCon US 2013: https://www.youtube.com/watch?v=wW9CAH9nSLs
  • 13. DOCKER REMOTE API EVENTS (ARCHITECTURE)
  • 14. LINUX NAMESPACES “A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. One use of namespaces is to implement containers.” Six namespaces: 1. mnt (filesystems & mount points) 2. PID (processes) 3. net (network stack) 4. UTS (hostname) 5. IPC (Linux implementation of System V IPC) 6. user (more on this later…) namespaces(7)
  • 15. USER NAMESPACES Introduced in Linux kernel 3.8 user_namespaces(7) Docker uses kernel namespaces and does not yet fully implement user namespaces More on namespaces (from Plan 9): ­ http://www.cs.bell-labs.com/sys/doc/names.html More on user namespaces: ­ https://lwn.net/Articles/532593/ 2013
  • 16. STATE OF THE UNION: CONTAINERS IN THE ENTERPRISE
  • 17. ENTERPRISES SLOW TO ADOPT CONTAINERS DUE TO CYBERSECURITY CONCERNS JANUARY 2015
  • 19. VULNERABILITIES & MALWARE AUGUST 2015 42% 21% 16% 11% 11% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% Top Security Concern RECENT ENTERPRISE SURVEY BY FLAWCHECK Vulnerabilities & Malware Policy Enforcement Isolation Auditability Network Perimeter Security
  • 25. DOCKER NETWORKING SHUTDOWN CONTAINER HOST
  • 26. DOCKER ESCAPE (FIXED) Problem stemmed from blacklisting kernel capabilities (Docker missed CAP_DAC_READ_SEARCH, allowing open_by_handle_at() to succeed) In Docker 0.12.0, Docker switched to a whitelist model for kernel capabilities Docker kernel capabilities whitelist: ­ https://github.com/docker/docker/blob/master/daemon/execdriver/native/template/default_templ ate.go AFFECTED < 0.11.1
  • 27. DECOMPRESSION HIGHEST ROI ATTACK VECTOR Docker needs to decompress (recursively) container images (and currently does this as root on the container host) – Docker supports at least XZ, GZ, TAR Cloud Service Providers (CSP) particularly at risk if not validating container images T. TIIGI WORKS AT DOCKER NOW
  • 28. BASH IN A DOCKER CONTAINER? Present in >50% of popular containers on Docker Hub Commonly present in most or very few of homegrown containers, dependent upon how automated builds are done in the CI/CD process automation /bin/bash typically not related to the actively running process but could be CVE-2014-6271
  • 29. ELASTICSEARCH CVE-2014-3120 CVE-2014-3120 is a RCE bug in ElasticSearch (prior to 1.2.0) Ben Hall @ Ocelot Uproar was running ElasticSearch in a Docker container and it was breached via CVE-2014-3120 (probably first publicly-admitted breach of a Docker container environment in-the-wild (ITW)) Actively exploited in the wild and MetaSploit plugin available (works against Dockerized ElasticSearch): ­ https://github.com/rapid7/metasploit- framework/blob/master/modules/exploits/multi/elasticsearch/script_mvel_rce.rb
  • 30. TEARING APART CONTAINERS What did we find?
  • 31. MODERN ANALOGY Launched in 2008 Launched in 2014 Friday, November 13, 2015 CONFIDENTIAL & PROPRIETARY. COPYRIGHT 2015 © FLAWCHECK INC. ALL RIGHTS RESERVED 31
  • 32. ANDROID MALWARE Android Market launched without doing security inspection of uploaded apps Today, Google performs static & dynamic analysis of Android apps, with the hope of finding malware Long list of Android malware: http://forensics.spreitzenbarth.de/an droid-malware/ Friday, November 13, 2015 CONFIDENTIAL & PROPRIETARY. COPYRIGHT 2015 © FLAWCHECK INC. ALL RIGHTS RESERVED 32
  • 33. IS ELF MALWARE REALLY A CONCERN? Friday, November 13, 2015 CONFIDENTIAL & PROPRIETARY. COPYRIGHT 2015 © FLAWCHECK INC. ALL RIGHTS RESERVED 33
  • 34. DOCKER HUB Docker Hub Overall >15,000 pre-built containers >500 million downloads No security inspection by Docker >30% of containers have vulnerabilities Docker Hub Official Images ~100 official images (tag: latest) Blue-ribbon from Docker No security inspection by Docker >90% of official images have vulnerabilities
  • 35. BLACK HAT SOUND BYTES Concerns about vulnerabilities & malware in containers, holding back Docker from production deployments in enterprises Isolation (even strong) doesn't mean data exfiltration won't occur (due to the risk of web tier containers being compromised) If you download a pre-built container from Docker Hub, there is a high chance it comes with vulnerabilities out-of-the-box (and therefore, shouldn’t be run in production environments)