![Page 1: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/1.jpg)
An In-Depth Look at Application Containers
![Page 2: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/2.jpg)
Overview
• A Brief History and Overview of Containers
• Security Benefits(?) of Containers
• Container Vulnerability Management
• Responding to Container Attacks
![Page 3: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/3.jpg)
Containers are not new, but…
![Page 4: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/4.jpg)
Container Adoption Challenges
![Page 5: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/5.jpg)
Source: ClusterHQ
Container Adoption Challenges
![Page 6: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/6.jpg)
Container (n):
• Software-based isolation for processes, controlling…
• Process grouping
• Resource usage
• What actions a process can take
![Page 7: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/7.jpg)
cgroups
![Page 8: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/8.jpg)
Grouping and constraints
![Page 9: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/9.jpg)
What does a process do?
• Auditing (read write audit events)
• File access (read, write, create, delete)
• Network access (bind, send, receive)
• Process management (fork, kill)
• Security (MAC)
• Debug (tracing)
• Administration (system config)
![Page 10: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/10.jpg)
Capabilities
• CAP_AUDIT_CONTROL
• CAP_AUDIT_READ
• CAP_AUDIT_WRITE
• CAP_BLOCK_SUSPEND
• CAP_CHOWN
• CAP_DAC_OVERRIDE
• CAP_DAC_READ_SEARCH
• CAP_FOWNER
• CAP_FSETID
• CAP_IPC_LOCK
• CAP_IPC_OWNER
• CAP_KILL
• CAP_LEASE
• CAP_LINUX_IMMUTABLE
• CAP_MAC_ADMIN
• CAP_MAC_OVERRIDE
• CAP_MKNOD
• CAP_NET_ADMIN
• CAP_NET_BIND_SERVICE
• CAP_NET_BROADCAST
• CAP_NET_RAW
• CAP_SETGID
• CAP_SETFCAP
• CAP_SETPCAP
![Page 11: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/11.jpg)
Capabilities
Worst to best:
• Run with --privileged=true
• Run with --cap-add ALL
• Run with --cap-drop ALL --cap-add <only needed>
• Run as non-root user, unprivileged
Useful: the capabilities section of your container runtime's documentation
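To check where a running container actually sits on the worst-to-best scale above, read the CapEff line of /proc/1/status inside the container (for example with docker exec) and decode the bitmask. The script below is an added example, not code from the talk; it assumes the CAP_* bit numbering from linux/capability.h, and the three status excerpts it decodes are constructed (the 0000003fffffffff mask stands for a --privileged container on a kernel with 38 capabilities, a80425fb is a Docker-default container, and 0x400 is a container reduced to CAP_NET_BIND_SERVICE only).

```python
"""Decode the CapEff mask from /proc/<pid>/status into capability names
and flag grants that are close to root on the host.

Added example, not code from the talk. Bit numbering follows
linux/capability.h; the sample status excerpts are constructed.
"""
import re

# Bit index -> capability name, per linux/capability.h (bits 0..37 are
# stable across kernels; anything newer is reported as CAP_<bit>).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# Capabilities that by themselves give near-root reach on the host
# (this selection is mine, not the talk's).
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
             "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}


def decode_capeff(mask_hex):
    """Return the capability names whose bit is set in a CapEff hex mask."""
    mask = int(mask_hex, 16)
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def capeff_from_status(status_text):
    """Pull the CapEff value out of the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return m.group(1)


def assess(status_text):
    """Summarise the effective capability set of one process."""
    caps = decode_capeff(capeff_from_status(status_text))
    return {"count": len(caps),
            "high_risk": sorted(HIGH_RISK & set(caps)),
            "caps": caps}


def assess_pid(pid):
    """Same, for a live process on this host (e.g. a container's PID 1)."""
    with open(f"/proc/{pid}/status") as f:
        return assess(f.read())


# Constructed status excerpts for the three cases on the slide.
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\n"   # --privileged
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"      # runtime default
MINIMAL_STATUS = "Name:\tsh\nCapEff:\t0000000000000400\n"      # --cap-drop ALL --cap-add NET_BIND_SERVICE

if __name__ == "__main__":
    for label, text in [("privileged", PRIVILEGED_STATUS),
                        ("default", DEFAULT_STATUS), ("minimal", MINIMAL_STATUS)]:
        print(label, assess(text))
```

The high_risk field is what to alert on: a container whose PID 1 carries CAP_SYS_ADMIN or CAP_SYS_PTRACE has not been run with --cap-drop ALL, whatever its deployment manifest says.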
![Page 12: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/12.jpg)
Security Benefits of Containers and Microservices
• Smaller surface area*
• Shorter lifespan* – shorter period when open to attack
• More automated process – easier to recreate/redeploy*
*(in theory)
![Page 13: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/13.jpg)
Security Benefits of Containers and Microservices
• Containerized apps lend themselves to "12 factor" design
12factor.net
![Page 14: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/14.jpg)
Security Disadvantages of Containers and Microservices
• Relatively new technology
• Lots of moving parts
• Shorter lifespan – this makes investigations more difficult
![Page 15: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/15.jpg)
Results of Twitter Survey
![Page 16: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/16.jpg)
![Page 17: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/17.jpg)
Why Isolate?
• Only as secure as your weakest link
• What happens if other departments are running in your private cloud?
• What happens if other customers are running in your bare metal CaaS?
![Page 18: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/18.jpg)
Unikernels – Hardware Isolated Containers
• Build custom VM images to boot bare OS to support single (usually) container
![Page 19: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/19.jpg)
Brief Overview of Container Orchestration
![Page 20: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/20.jpg)
Why Orchestration?
• For "real" workloads:
  • How to launch 500 containers across 20 hosts?
  • Being aware of resources on each host
  • Getting storage and networking to the right container on the right host
  • Distribution for speed, efficiency, cost, etc.
• As part of a CI/CD process
  • How to do a rolling update of those 500 live containers to a new sw version?
![Page 21: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/21.jpg)
Lots to Orchestrate
(diagram: the customer VM layer alone brings VM image management, networking, and local storage / NAS/SAN to orchestrate)
![Page 22: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/22.jpg)
Lots to Orchestrate
(diagram: each layer has its own image management, networking and storage to orchestrate)
• Customer VM: VM image management, networking, local storage / NAS/SAN
• Containers: container image management, container networking, container storage
• Host: host image management, host networking, local storage / NAS/SAN
![Page 23: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/23.jpg)
Image Security
• Where did an image come from?
• Is it an official image?
• Is it the right version?
• Has somebody modified it?
![Page 24: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/24.jpg)
Host Security
• Follow standard hardening processes, but firewall only the host, not its containers
• A host itself shouldn't be "exposed" – there should be no public attack surface. Administer it via a known private network
• One nasty exposure – privileged containers.
![Page 25: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/25.jpg)
Vulnerability Management in a Container World
![Page 26: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/26.jpg)
Managing Security Exposure in Containers
![Page 27: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/27.jpg)
Smaller Image, Fewer Vulnerabilities
• Avoid `FROM $bloatedDistribution` and similar
• Software can't be vulnerable if it's not installed.
An amazingly large percentage of public container images are based on bloated (500 MB+) full distributions.
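The image-security questions from a few slides back (is it the right version? has somebody modified it?) and the bloated-parent point on this slide are both things you can check mechanically at build time. The Dockerfile audit below is an added example, not code from the talk: it flags a base image with no version tag, no @sha256 digest pin (the digest is what makes "has somebody modified it?" answerable), a full-distribution parent, and a missing non-root USER. Both Dockerfiles are constructed, the list of "full distribution" names is my own, and the digest in the hardened one is a 64-zero placeholder rather than a real image digest.

```python
"""Audit a Dockerfile for base-image pinning, bloated parents and root USER.

Added example, not code from the talk. Both sample Dockerfiles are
constructed; the digest in HARDENED is a placeholder, not a real one.
"""
import re

# Base images that are full distributions; a minimal variant is preferred.
# (This list is mine, not the talk's.)
FULL_DISTROS = {"ubuntu", "debian", "centos", "fedora", "rockylinux", "almalinux"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def logical_lines(text):
    """Join backslash continuations and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def audit_dockerfile(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, stages, user = [], set(), None
    for line in logical_lines(text):
        parts = line.split()
        instr = parts[0].upper()
        if instr == "FROM":
            args = [a for a in parts[1:] if not a.startswith("--")]  # skip --platform=
            ref = args[0]
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2])
            if ref in stages or ref == "scratch":
                continue  # an earlier build stage or the empty image: nothing to pin
            name = ref.partition("@")[0]                       # strip any digest
            image, _, tag = name.rsplit("/", 1)[-1].partition(":")  # last path component
            if not tag or tag == "latest":
                findings.append(f"{ref}: base image not pinned to a version tag")
            if not DIGEST_RE.search(ref):
                findings.append(f"{ref}: base image not pinned by digest; its content can change")
            if image in FULL_DISTROS:
                findings.append(f"{ref}: full-distribution base; prefer a minimal parent")
        elif instr == "USER":
            user = parts[1]
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("no non-root USER; container processes run as root")
    return findings


# Constructed: the kind of Dockerfile the slide warns about.
BLOATED = """\
FROM ubuntu
RUN apt-get update && \\
    apt-get install -y python3
COPY app.py /app/
CMD ["python3", "/app/app.py"]
"""

# Constructed: same app on a pinned minimal parent, running unprivileged.
# The digest is a placeholder (64 zeros), not a real image digest.
HARDENED = f"""\
FROM python:3.12-alpine@sha256:{'0' * 64} AS build
COPY app.py /app/
FROM build
USER 10001:10001
CMD ["python3", "/app/app.py"]
"""

if __name__ == "__main__":
    for label, df in [("bloated", BLOATED), ("hardened", HARDENED)]:
        print(label, audit_dockerfile(df) or ["ok"])
```

Running it on the first Dockerfile yields four findings and on the second none; wiring the function into CI is the point, since a parent image that is not pinned by digest is exactly the one everybody has to re-spin when the parent turns out to be vulnerable.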
![Page 28: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/28.jpg)
Why? Least Privilege
• We want the smallest image possible when we load it across 100 hosts
• The smaller the image, the less exposure to potential vulnerabilities
• If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
![Page 29: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/29.jpg)
Seccomp
We need to build a list of the system calls made by the program that we want to succeed…
• Guess (preferably educated)
• RTFM (thanks John!)
• Capture behavior – maybe /usr/sbin/strace
• Disassembly?
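Capturing behaviour with strace is the option most people end up with, and the captured list has to be turned into a profile the runtime will enforce. The script below is an added example, not code from the talk: it extracts syscall names from strace -f output (including the "[pid N]" prefix and "<... name resumed>" lines strace prints for interleaved calls) and emits a JSON profile in the format Docker accepts via --security-opt seccomp=<file>, with defaultAction SCMP_ACT_ERRNO so that anything not on the list fails rather than runs. The trace lines are constructed. The caveat the slide's "Guess" bullet hints at still applies: a trace only shows code paths that were exercised, so run the full test suite under the generated profile and add anything the capture missed via the extra parameter.

```python
"""Build an allowlist seccomp profile for Docker from an strace capture.

Added example, not code from the talk. The sample trace is constructed;
the output follows the JSON profile format Docker's --security-opt
seccomp=<file> accepts.
"""
import json
import re

# A syscall name at the start of a line, optionally after strace -f's "[pid N]".
CALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s*)?([a-z_][a-z0-9_]*)\(")
# Second half of an interrupted call: "[pid N] <... accept4 resumed> ..."
RESUMED_RE = re.compile(r"<\.\.\. ([a-z_][a-z0-9_]*) resumed>")


def syscalls_from_strace(text):
    """Return the sorted set of syscall names seen in strace output."""
    names = set()
    for line in text.splitlines():
        m = CALL_RE.match(line) or RESUMED_RE.search(line)
        if m:  # signal ("--- SIGCHLD") and exit ("+++ exited") lines don't match
            names.add(m.group(1))
    return sorted(names)


def build_profile(names, extra=()):
    """Allow exactly `names` (plus `extra`); everything else returns an errno."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{
            "names": sorted(set(names) | set(extra)),
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        }],
    }


def profile_json(names, extra=()):
    """The profile as the text you would write to a file for Docker."""
    return json.dumps(build_profile(names, extra), indent=2)


# Constructed strace -f output for a small TCP server (not a real capture).
SAMPLE_TRACE = """\
execve("/app/server", ["/app/server"], 0x7ffc2b1e0c40 /* 8 vars */) = 0
brk(NULL)                               = 0x5581d2a3c000
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
read(3, "\\177ELF\\2\\1\\1\\0"..., 832)    = 832
close(3)                                = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(4, 128)                          = 0
[pid   101] accept4(4,  <unfinished ...>
[pid   102] write(1, "ready\\n", 6)      = 6
[pid   101] <... accept4 resumed>{sa_family=AF_INET, ...}, [16], SOCK_CLOEXEC) = 5
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
+++ exited with 0 +++
"""

if __name__ == "__main__":
    seen = syscalls_from_strace(SAMPLE_TRACE)
    # exit_group is needed for a clean exit even if the trace was cut before it.
    print(profile_json(seen, extra=["exit_group"]))
```

Because the default action is an errno rather than SCMP_ACT_KILL, a missed syscall shows up as a failing call in the application's own logs, which is the easier thing to debug while the list is still being refined.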
![Page 30: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/30.jpg)
Plan For Container Attacks
• Before going to production, think about how you’d investigate an attack
• Containers are mostly ephemeral
• Collect logs at a central location
• Practice identifying and snapshotting problem containers
• Don’t forget about data backup/recovery
![Page 31: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/31.jpg)
Thanks – Let’s continue the conversation!
@johnlkinsella
Slides posted at http://www.slideshare.net/jlkinsel
![Page 32: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/32.jpg)
Addendum
• Classification and grouping of system calls http://seclab.cs.sunysb.edu/sekar/papers/syscallclassif.htm
![Page 33: An In-depth look at application containers](https://reader030.vdocument.in/reader030/viewer/2022020314/5a6540ff7f8b9a57138b47c1/html5/thumbnails/33.jpg)
Data Sources
• Container Adoption Challenges: RightScale 2016 State of the Cloud
• Layered container image: Ubuntu
• Namespaces and cgroups images: IBM
Data and some graphics provided by: