clair, a container image security analyzer
TRANSCRIPT
Quentin Machu@Quentin__M | [email protected]
Clair: A Container Image Security Analyzer
We’re hiring in all departments! Email: [email protected] Positions: coreos.com/careers
90+ Projects on GitHub, 1,000+ Contributors
OPEN SOURCE
CoreOS.com - @coreoslinux - github/coreos
Secure solutions, support plans, training + more
ENTERPRISE
[email protected] - tectonic.com - quay.io
CoreOS is Running the World’s Containers
MISSION: Secure the Internet
Storytelling()
A traditional deployment
But … wait
A containerized deployment
A container in practice ...
Is that all ?
CVE-2015-0235 aka GHOST
“GHOST is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability
allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code.”
CVE-2014-0160 aka Heartbleed
“The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain
sensitive information from process memory via crafted packets that trigger a buffer over-read.”
76K Vulnerabilities
How do we make this better for developers?
Open source project for the static analysis of vulnerabilities in appc and docker containers.
github.com/coreos/clair
Showtime()
Clair in a few points
- Static analysis
- Do the job only once
- Suggest & Notify
- Built as a framework
CONTEXT: Static analysis
Millions of container images
- Running these containers is expensive
- Running any untrusted container is unsafe
  - “We need to go deeper”
  - Secure solutions can become pretty complex
- Several dynamic analysis tools exist
  - Requires human input and guidance
CONTEXT: Do the job only once
Millions of container images
Over 15 new vulnerabilities / day
What happens when new vulnerabilities are published?
- Extract and store enough to inform about both known and future vulnerabilities
- Reuse analysis data as much as possible
Suggest & Notify
“I read your security report about my container, but … what can I actually do?”
Here, look, here’s what you can easily fix.
“I feel confident about my container now. I’m lazy though and don’t want to check the report again. Tell me as soon as there’s something new that I should be concerned about”
Sure. Where can I contact you?
Built as a framework
Open Source and Extensibility are the heart and soul of Clair
v1.1.0
Built as a framework - Detectors

type FeaturesDetector interface {
    GetRequiredFiles() []string
    Detect(map[string][]byte) ([]database.FeatureVersion, error)
}

type NamespaceDetector interface {
    GetRequiredFiles() []string
    Detect(map[string][]byte) *database.Namespace
}

type DataDetector interface {
    Supported(path string, format string) bool
    Detect(layerReader io.ReadCloser, toExtract []string, maxFileSize int64) (data map[string][]byte, err error)
}
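Added example (not Clair's own code) showing what two detectors of the shapes listed above could look like for a Debian-based layer: a NamespaceDetector that reads /etc/os-release and a FeaturesDetector that parses the dpkg status database. The Namespace and FeatureVersion types are local stand-ins for the database package on the slide, the map keys mirror what GetRequiredFiles asks the extractor for, and sampleLayer holds constructed file contents with made-up package versions.

```go
package main

import (
	"bufio"
	"bytes"
	"strings"
)

// Local stand-ins for the slide's database types (assumption: the real ones carry more fields).
type Namespace struct{ Name string }

type FeatureVersion struct{ Namespace, Name, Version string }

// osReleaseDetector has the NamespaceDetector shape: it derives "<ID>:<VERSION_ID>" from /etc/os-release.
type osReleaseDetector struct{}

func (osReleaseDetector) GetRequiredFiles() []string { return []string{"etc/os-release"} }
func (osReleaseDetector) Detect(files map[string][]byte) *Namespace {
	var id, versionID string
	sc := bufio.NewScanner(bytes.NewReader(files["etc/os-release"]))
	for sc.Scan() {
		if key, val, ok := strings.Cut(sc.Text(), "="); ok {
			switch key {
			case "ID":
				id = strings.Trim(val, `"`)
			case "VERSION_ID":
				versionID = strings.Trim(val, `"`)
			}
		}
	}
	if id == "" || versionID == "" {
		return nil // unknown distribution: another detector may still match
	}
	return &Namespace{Name: id + ":" + versionID}
}

// dpkgDetector has the FeaturesDetector shape: it parses the installed-package database that
// Debian and Ubuntu keep in /var/lib/dpkg/status. Removed packages keep a paragraph there,
// so only a Status line ending in "installed" counts. A missing file yields no features.
type dpkgDetector struct{}

func (dpkgDetector) GetRequiredFiles() []string { return []string{"var/lib/dpkg/status"} }
func (dpkgDetector) Detect(files map[string][]byte) ([]FeatureVersion, error) {
	seen := map[string]bool{}
	var out []FeatureVersion
	for _, para := range strings.Split(string(files["var/lib/dpkg/status"]), "\n\n") {
		var pkg, src, version string
		installed := false
		for _, line := range strings.Split(para, "\n") {
			switch {
			case strings.HasPrefix(line, "Package: "):
				pkg = strings.TrimPrefix(line, "Package: ")
			case strings.HasPrefix(line, "Source: "):
				// Advisories name the source package: report it, minus an optional "(version)".
				src, _, _ = strings.Cut(strings.TrimPrefix(line, "Source: "), " (")
			case strings.HasPrefix(line, "Version: "):
				version = strings.TrimPrefix(line, "Version: ")
			case strings.HasPrefix(line, "Status: "):
				installed = strings.HasSuffix(line, " installed")
			}
		}
		name := pkg
		if src != "" {
			name = src
		}
		// Several binary packages share one source; report each source version once.
		if key := name + " " + version; installed && name != "" && version != "" && !seen[key] {
			seen[key] = true
			out = append(out, FeatureVersion{Name: name, Version: version})
		}
	}
	return out, nil
}

// analyzeLayer runs both detectors on one layer's extracted files and stamps each feature
// with the namespace, which is what vulnerabilities are later matched on.
func analyzeLayer(files map[string][]byte) (*Namespace, []FeatureVersion, error) {
	ns := osReleaseDetector{}.Detect(files)
	features, err := dpkgDetector{}.Detect(files)
	if ns != nil {
		for i := range features {
			features[i].Namespace = ns.Name
		}
	}
	return ns, features, err
}

// sampleLayer returns constructed file contents standing in for what the extractor would
// pull from a Debian 8 layer (package versions are made up for the example).
func sampleLayer() map[string][]byte {
	return map[string][]byte{
		"etc/os-release": []byte("PRETTY_NAME=\"Debian GNU/Linux 8 (jessie)\"\nID=debian\nVERSION_ID=\"8\"\n"),
		"var/lib/dpkg/status": []byte("Package: libc6\nStatus: install ok installed\nSource: glibc\nVersion: 2.19-18+deb8u1\n\n" +
			"Package: libc-bin\nStatus: install ok installed\nSource: glibc\nVersion: 2.19-18+deb8u1\n\n" +
			"Package: libssl1.0.0\nStatus: install ok installed\nSource: openssl\nVersion: 1.0.1t-1+deb8u2\n\n" +
			"Package: vim\nStatus: deinstall ok config-files\nVersion: 2:7.4.488-7\n"),
	}
}
```

On the constructed layer, analyzeLayer reports the namespace debian:8 and two features, glibc 2.19-18+deb8u1 (once, although two binary packages come from it) and openssl 1.0.1t-1+deb8u2; the removed vim package is skipped because its Status line does not end in "installed". Reporting source packages rather than binaries is what lets the stored features be matched against distribution advisories later.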
Built as a framework - Vulnerability Updaters / Notifiers

type Fetcher interface {
    FetchUpdate(database.Datastore) (FetcherResponse, error)
    Clean()
}

type Notifier interface {
    Configure(config.NotifierConfig) (bool, error)
    Send(database.VulnerabilityNotification) error
}
Built as a framework - Datastores

type Datastore interface {
    ListNamespaces() ([]Namespace, error)

    InsertLayer(Layer) error
    FindLayer(name string, withFeatures, withVulnerabilities bool) (Layer, error)
    DeleteLayer(name string) error

    ListVulnerabilities(namespaceName string, limit int, page int) ([]Vulnerability, int, error)
    InsertVulnerabilities(vulnerabilities []Vulnerability, createNotification bool) error
    FindVulnerability(namespaceName, name string) (Vulnerability, error)
    DeleteVulnerability(namespaceName, name string) error
    InsertVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName string, fixes []FeatureVersion) error
    DeleteVulnerabilityFix(vulnerabilityNamespace, vulnerabilityName, featureName string) error

    GetAvailableNotification(renotifyInterval time.Duration) (VulnerabilityNotification, error)
    GetNotification(name string, limit int, page PageNumber) (VulnerabilityNotification, PageNumber, error)
    SetNotificationNotified(name string) error
    DeleteNotification(name string) error

    InsertKeyValue(key, value string) error
    GetKeyValue(key string) (string, error)

    Lock(name string, owner string, duration time.Duration, renew bool) (bool, time.Time)
    Unlock(name, owner string)
    FindLock(name string) (string, time.Time, error)

    Ping() bool
    Close()
}
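Added example (not Clair's own code) tying the Datastore, the "do the job only once" idea from the context slide and the webhook Notifier together: an in-memory stand-in for the datastore keeps each layer's features, a newly published vulnerability is matched against those stored features without touching the image again, and the resulting notification is POSTed as JSON. The Feature, Layer, Vulnerability and VulnerabilityNotification types are local stand-ins; versionLess is a simplified ordering and not dpkg's; the layer names and versions in sampleStore are constructed; CVE-2015-0235 is the GHOST entry from the talk, but the fixed-in version used with it here is made up.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Local stand-ins for the slide's database types (assumption: the real ones carry more
// fields). A Layer keeps only the features a detector extracted, which is all that is
// needed to re-evaluate it when a new advisory lands.
type Feature struct{ Namespace, Name, Version string }

type Layer struct {
	Name     string
	Features []Feature
}

// Vulnerability as a fetcher would publish it: an affected source package in one
// namespace and the first version carrying the fix ("" while no fix exists).
type Vulnerability struct{ Name, Namespace, Package, FixedIn string }

type VulnerabilityNotification struct {
	Vulnerability  string   `json:"vulnerability"`
	AffectedLayers []string `json:"affected_layers"`
}

// memStore is an in-memory stand-in for the Datastore interface.
type memStore struct{ layers []Layer }

func (s *memStore) InsertLayer(l Layer) { s.layers = append(s.layers, l) }

// InsertVulnerability is the "do the job only once" step: stored features are matched
// against the new advisory, so no layer is downloaded or extracted again.
func (s *memStore) InsertVulnerability(v Vulnerability) *VulnerabilityNotification {
	var affected []string
	for _, l := range s.layers {
		for _, f := range l.Features {
			if f.Namespace == v.Namespace && f.Name == v.Package &&
				(v.FixedIn == "" || versionLess(f.Version, v.FixedIn)) {
				affected = append(affected, l.Name)
				break
			}
		}
	}
	if len(affected) == 0 {
		return nil // nothing to tell anyone about
	}
	return &VulnerabilityNotification{Vulnerability: v.Name, AffectedLayers: affected}
}

// versionLess is a deliberately simplified ordering (assumption): numeric runs are compared
// left to right and missing components count as zero. Real dpkg and rpm ordering also handles
// epochs, tildes and letters, so a production matcher must use the distribution's own rules.
func versionLess(a, b string) bool {
	split := func(s string) (n []int) {
		for _, p := range strings.FieldsFunc(s, func(r rune) bool { return r < '0' || r > '9' }) {
			v, _ := strconv.Atoi(p)
			n = append(n, v)
		}
		return n
	}
	x, y := split(a), split(b)
	for len(x) < len(y) {
		x = append(x, 0)
	}
	for len(y) < len(x) {
		y = append(y, 0)
	}
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// webhookNotifier has the Notifier shape from the slide: the notification is POSTed as JSON,
// and a non-2xx answer is an error so the caller can leave the notification pending and retry.
type webhookNotifier struct{ Endpoint string }

func (n webhookNotifier) Send(notif VulnerabilityNotification) error {
	body, _ := json.Marshal(notif)
	resp, err := http.Post(n.Endpoint, "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("webhook %s answered %s", n.Endpoint, resp.Status)
	}
	return nil
}

// sampleStore holds constructed data: two layers analysed earlier with made-up glibc versions.
func sampleStore() *memStore {
	s := &memStore{}
	s.InsertLayer(Layer{Name: "app:v1", Features: []Feature{{"debian:8", "glibc", "2.19-13"}}})
	s.InsertLayer(Layer{Name: "app:v2", Features: []Feature{{"debian:8", "glibc", "2.19-18+deb8u1"}}})
	return s
}
```

Feeding sampleStore() the advisory Vulnerability{"CVE-2015-0235", "debian:8", "glibc", "2.19-18"} reports only app:v1 as affected, because app:v2 already carries a version at or above the fix; an advisory for another namespace matches nothing, since a glibc from ubuntu:14.04 is not the same package as a glibc from debian:8. Sending the notification with webhookNotifier{Endpoint: url}.Send(*n) delivers the JSON body, and a 5xx from the endpoint comes back as an error rather than being silently dropped.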
What does it currently support?
- Image format: appc, Docker
- Operating systems: Debian, Ubuntu, CentOS
- Detection: package managers (dpkg, rpm)
- Vulnerability sources: Distribution-specific
- Database: PostgreSQL 9.4+
- Notification: Webhook
What’s next?
- Revisit database implementation
  - MySQL Support (Huawei)
- Improve release distribution
  - Embed migrations
- Address client UX
  - Integrate a solid command-line tool (Wemanity)
- Expand detection capabilities
  - Add Alpine Linux support (goo.gl/TSkCxM)
  - Implement npm (Huawei), python, OWASP
- Anything you’d like to see!
coreos.com/fest - @coreosfest
May 9 & 10, 2016 - Berlin, Germany
Thank you!