Containerize all the things
Agenda
● Part 1: The concept of containers
● Part 2: Threats and vulnerabilities
● Part 3: Mitigating threats and best practices
● Part 4: Take-aways
Part 1: Docker on a calm sea
What are containers?
● A way to isolate applications/processes from other co-located processes or the host they are running on
● Enables the packaging of an application and all its dependencies
● Portable unit: can run on a boat, on a truck, be lifted by a tower crane, ...
Containers’ history
Namespaces and cgroups
● Namespaces = kernel-enforced view on different objects from user space:
– File system (mnt namespace)
– Running processes (pid namespace)
– Network stack (net namespace)
– Users (user namespace)
– Interprocess communication (ipc namespace)
– Hostname configuration (uts namespace)
Namespaces and cgroups
● cgroups = enforce limits on a process or a group of processes:
– Memory
– CPU
– Network bandwidth
– Disk I/O
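The namespace view described above can be checked from the outside: every process exposes its namespaces as links under /proc/<pid>/ns, and a containerised process that points at the same kernel object as host PID 1 is not isolated in that namespace. The following is an added example (not code from the slides); the inode numbers in the sample are constructed, and the /proc reader only works on Linux.

```python
# Added example: compare the namespaces of a process with those of host PID 1.
# A container started with --pid=host or --network=host shows the matching
# namespace as "shared". The parse/compare logic is pure Python and runs on
# the constructed sample below; read_proc_ns() needs a Linux /proc.
import os
import re
from typing import Dict, Set

# The namespace types listed on the slide, as named under /proc/<pid>/ns/.
NS_TYPES = ("mnt", "pid", "net", "user", "ipc", "uts")

# Constructed sample of `readlink /proc/<pid>/ns/*` output (inodes invented).
SAMPLE_HOST_NS = {
    "mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "net": "net:[4026531992]",
    "user": "user:[4026531837]", "ipc": "ipc:[4026531839]", "uts": "uts:[4026531838]",
}
# A container run with --network=host: own mnt/pid/ipc/uts, but host net and user.
SAMPLE_CONTAINER_NS = {
    "mnt": "mnt:[4026532455]", "pid": "pid:[4026532458]", "net": "net:[4026531992]",
    "user": "user:[4026531837]", "ipc": "ipc:[4026532457]", "uts": "uts:[4026532456]",
}

_LINK_RE = re.compile(r"^(?P<type>[a-z_]+):\[(?P<inode>\d+)\]$")


def ns_inode(link: str) -> int:
    """Extract the inode from a 'type:[inode]' namespace link; reject junk."""
    m = _LINK_RE.match(link)
    if not m:
        raise ValueError(f"not a namespace link: {link!r}")
    return int(m.group("inode"))


def read_proc_ns(pid: int) -> Dict[str, str]:
    """Read the namespace links of a live process from /proc (Linux only)."""
    return {t: os.readlink(f"/proc/{pid}/ns/{t}") for t in NS_TYPES}


def shared_with_host(container_ns: Dict[str, str], host_ns: Dict[str, str]) -> Set[str]:
    """Namespace types where the container points at the same kernel object as host PID 1."""
    return {t for t in NS_TYPES if ns_inode(container_ns[t]) == ns_inode(host_ns[t])}


def isolation_findings(container_ns: Dict[str, str], host_ns: Dict[str, str]) -> Dict[str, str]:
    """Map each shared namespace to the runtime switch that usually causes it.
    'user' is shared unless the daemon remaps users (userns-remap), so it is
    reported as informational rather than as a failure."""
    reasons = {
        "pid": "host process visibility (--pid=host)",
        "net": "host network stack (--network=host)",
        "mnt": "host filesystem view",
        "ipc": "host IPC objects (--ipc=host)",
        "uts": "host hostname namespace (--uts=host)",
        "user": "no user-namespace remap (informational)",
    }
    return {t: reasons[t] for t in sorted(shared_with_host(container_ns, host_ns))}


if __name__ == "__main__":
    for ns, why in isolation_findings(SAMPLE_CONTAINER_NS, SAMPLE_HOST_NS).items():
        print(f"shared {ns}: {why}")
```

On a real host, replace the sample dicts with read_proc_ns(1) and read_proc_ns(<container pid>) taken from the host side.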
Docker?
● A complete container management toolbox
● Enables you to:
– Build container images (with open specifications)
– Execute/run images as containers
– Manage images and containers
– Share and publish images
Docker images
● Container images are:
– A standardized unit of software, packaging:
● Code
● Dependencies
– Packaging units/images are:
● Consistent
● Portable
“Package once, run everywhere”
Docker Containers
● Docker containers are:
– An instantiation of an image
– Process(es) running in an isolated environment
● Docker containers should be:
– Ephemeral
– Stateless
“Dies like Frankenstein, resurrects as a baby”
Docker components
Containers vs Virtual Machines
Building a beautiful app
Why so hipster?
“Mature” technology with a rich ecosystem, changing the game on:
– Development and test automation
– Integration and deployment
– Software architecture
– Infrastructure architecture
Part 2 – Container attack surface
Docker components
Threats and Vulnerabilities
● Host abuse: Escape to host and Host DoS
– Poor container runtime isolation
– Poor container network isolation
– Unprotected runtime API
– Unpatched container runtime
– Unpatched Kernel/OS
– Usage of untrusted container images (e.g.: CVE-2019-5736)
– Unlimited resources assignment
● Container abuse: Botnets, Resources abuses, (D)DoS minion
– Application vulnerability
– Image vulnerability
– Usage of untrusted images
Usage of dangerous switches:
● --privileged
● --cap-add SYS_ADMIN
● --pid=host, --network=host,…
● --user root
Usage of dangerous volume mappings:
● -v /:/tmp/a
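The switches and volume mappings above all end up in the Config/HostConfig sections that `docker inspect` prints, so they can be audited on a running host. The following is an added example (not code from the slides): it flags each dangerous setting, the `seccomp=unconfined` option, and missing cgroup limits, on a constructed inspect excerpt that uses Docker's real field names.

```python
# Added example: audit a `docker inspect` document for the dangerous switches
# listed on the slide. Field names (Privileged, CapAdd, PidMode, Binds, ...)
# are the ones Docker emits; the sample document itself is constructed.
import json
from typing import Dict, List

# Constructed excerpt for a container started roughly as:
#   docker run --privileged --cap-add SYS_ADMIN --pid=host -v /:/tmp/a \
#              --security-opt seccomp=unconfined image
SAMPLE_INSPECT = json.loads("""
{
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": true,
    "CapAdd": ["SYS_ADMIN"],
    "PidMode": "host",
    "NetworkMode": "bridge",
    "Binds": ["/:/tmp/a", "/var/log/app:/logs:ro"],
    "SecurityOpt": ["seccomp=unconfined"],
    "Memory": 0,
    "NanoCpus": 0,
    "PidsLimit": null
  }
}
""")

# Host paths whose bind mount gives the container a route to the host.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock"}


def bind_host_path(bind: str) -> str:
    """'/host/path:/ctr/path[:opts]' -> '/host/path' (named volumes have no leading '/')."""
    return bind.split(":", 1)[0]


def audit_container(inspect: Dict) -> List[str]:
    """Return one finding per dangerous setting; an empty list means nothing was flagged."""
    cfg, hc = inspect.get("Config", {}), inspect.get("HostConfig", {})
    findings: List[str] = []
    if hc.get("Privileged"):
        findings.append("--privileged: all capabilities and host devices exposed")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"--cap-add {cap}: extra capability granted")
    for field, flag in (("PidMode", "--pid=host"), ("NetworkMode", "--network=host"),
                        ("IpcMode", "--ipc=host"), ("UTSMode", "--uts=host")):
        if hc.get(field) == "host":
            findings.append(f"{flag}: shares the host's {field[:-4].lower()} namespace")
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("--user root (or unset): container process runs as uid 0")
    for bind in hc.get("Binds") or []:
        host_path = bind_host_path(bind)
        if host_path.startswith("/") and (host_path.rstrip("/") or "/") in SENSITIVE_HOST_PATHS:
            findings.append(f"-v {bind}: sensitive host path mounted")
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"--security-opt {opt}: kernel attack surface left unfiltered")
    for field, flag in (("Memory", "--memory"), ("NanoCpus", "--cpus"),
                        ("PidsLimit", "--pids-limit")):
        if not hc.get(field):  # 0 or null means no cgroup limit was set
            findings.append(f"{flag} not set: unlimited {field}, host DoS possible")
    return findings


if __name__ == "__main__":
    for finding in audit_container(SAMPLE_INSPECT):
        print("FLAG", finding)
```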
CVE-2019-5736
Source: https://github.com/Frichetten/CVE-2019-5736-PoC
Source: https://blog.docker.com
Threats and Vulnerabilities
Source: https://blog.docker.com
Source: https://cvedetails.com
Containers with unlimited resources:
● CPU
● Memory
● Network bandwidth
could abuse these resources and bring the underlying system to its knees
Source: https://blog.docker.com
Containers do not magically
● Make your application flawless
● Remove Programming errors
● Patch dependencies and libraries
● ...
Containers do not magically
● Protect you from running untrusted components
Part 3 – Controls and mitigation
(s)SDLC
Build phase
● During build
– Use scanned/tested images
– Integrate images in the SDLC
– Use small footprint images
– Use a trusted source
● At runtime
– Apply general best practices
– Docker best practices
– Linux capabilities
– Seccomp
– Kernel patches
– Use cgroup limits
Security of images should be assessed to
● Identify unsafe settings in images manifests
● Identify vulnerable binaries/libraries
● Perform compliance checks on images
Possible solutions:
● CoreOS Clair
● Anchore
● Aqua Microscanner
● OpenScap
Build phase
Image source: https://anchore.com
How to ensure only “compliant” images are used
● Images manifest must be version controlled
● Use a private/dedicate image registry
● Security tests could make the build fail
● Only a successful build can push to the registry
● Users can only pull from registry
And now, what about tomorrow for:
● Running containers
● Already validated images
Build phase
Image source: https://www.anchore.com
Reducing the attack surface
Build your images using minimal parent images:
● scratch
● distroless-based
● Alpine-based
Reducing attack surface
Issues with minimal images (non-distro-based):
● Debug sessions are tricky
● More difficult to maintain
● Scanners could fail to identify vulnerabilities
Reducing attack surface
How can you trust the images you are downloading?
● Content should be audited/verified
● Image builds should be traceable
● Images should be rebuildable
● Only pull signed images: Docker Content Trust
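The "compliant images" rules (version-controlled manifests, a dedicated registry, builds that fail on policy violations) and the trusted-source rules above can be enforced on the Dockerfile before anything is pushed. The following is an added example (not code from the slides or from any of the scanners named): a small policy check requiring every parent image to come from an assumed private registry, to be pinned by digest rather than a mutable tag, and the final stage to drop root via USER. The registry name and the sample Dockerfile are constructed.

```python
# Added example: lint a Dockerfile against an image-sourcing policy so that a
# CI build can fail before pushing to the registry. Registry name is assumed.
import re
from typing import Dict, List

TRUSTED_REGISTRY = "registry.example.internal"  # assumed private registry

# Constructed multi-stage Dockerfile: an unpinned Docker Hub build stage and a
# digest-pinned runtime stage from the private registry, but no USER.
SAMPLE_DOCKERFILE = (
    "FROM golang:latest AS build\n"
    "WORKDIR /src\n"
    "COPY . .\n"
    "RUN go build -o /app ./cmd/app\n"
    "\n"
    "FROM registry.example.internal/distroless/static@sha256:" + "0" * 64 + "\n"
    "COPY --from=build /app /app\n"
    'ENTRYPOINT ["/app"]\n'
)

_FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?", re.I)
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_dockerfile(text: str) -> List[Dict]:
    """Split into stages: [{'image': ref, 'stage': name or None, 'user': last USER or None}]."""
    stages: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _FROM_RE.match(line)
        if m:
            stages.append({"image": m.group("ref"), "stage": m.group("stage"), "user": None})
        elif line.upper().startswith("USER ") and stages:
            stages[-1]["user"] = line.split(None, 1)[1].strip()
    return stages


def check_image_ref(ref: str) -> List[str]:
    """Policy for one FROM reference: trusted registry, digest-pinned, no 'latest'."""
    problems: List[str] = []
    if ref == "scratch":  # the empty parent image has no content to verify
        return problems
    parts = ref.split("/")
    # Docker treats the first component as a registry only when it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts[0]
    else:
        registry = "docker.io"
    if registry != TRUSTED_REGISTRY:
        problems.append(f"{ref}: not pulled from {TRUSTED_REGISTRY}")
    if not _DIGEST_RE.search(ref):
        problems.append(f"{ref}: not pinned by digest (mutable tag)")
    if ref.endswith(":latest") or ("@" not in ref and ":" not in parts[-1]):
        problems.append(f"{ref}: uses the 'latest' tag, build is not reproducible")
    return problems


def lint(text: str) -> List[str]:
    """All policy violations for a Dockerfile; an empty list means it may be pushed."""
    stages = parse_dockerfile(text)
    if not stages:
        return ["no FROM instruction found"]
    stage_names = {s["stage"] for s in stages if s["stage"]}
    problems: List[str] = []
    for s in stages:
        if s["image"] not in stage_names:  # 'FROM build' refers to an earlier stage
            problems += check_image_ref(s["image"])
    final_user = (stages[-1]["user"] or "root").split(":")[0]
    if final_user in ("root", "0"):
        problems.append("final stage runs as root: add a non-root USER")
    return problems
```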
Reducing attack surface
● Up-to-date/patched operating system
● Up-to-date/patched container runtime
● Do not run applications/containers as root
● Network isolation: iptables, NetworkPolicies, …
● Log all the things!
● Beef it up with container ‘IDS/ADS’ (e.g. sysdig/falco)
Reducing attack surface
● Disable inter-container and host communication:
– dockerd --icc=false
● Re-map the UID of root and other local users:
– /etc/{subuid, subgid}
● Ensure the Docker API is not exposed and control docker group membership
● Giving access to dockerd = giving root access
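The three settings on this slide live in the daemon configuration (/etc/docker/daemon.json), so they can be verified the same way on every host. The following is an added example (not code from the slides): it reads a daemon.json document and reports an API listening on plain TCP, inter-container communication left enabled, and user-namespace remapping not configured. Both sample configurations are constructed; the keys (`hosts`, `tlsverify`, `icc`, `userns-remap`) are the ones dockerd reads.

```python
# Added example: audit /etc/docker/daemon.json for the runtime settings on
# the slide. Sample configs are constructed; key names are dockerd's own.
import json
from typing import Dict, List

# Constructed: API reachable by anyone on the network, defaults otherwise.
WEAK_CONFIG = json.loads("""
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
 "icc": true}
""")

# Constructed: TCP only on a management address with client-cert auth,
# no inter-container traffic, root remapped via /etc/subuid and /etc/subgid.
HARDENED_CONFIG = json.loads("""
{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
 "tlsverify": true,
 "tlscacert": "/etc/docker/ca.pem",
 "tlscert": "/etc/docker/server-cert.pem",
 "tlskey": "/etc/docker/server-key.pem",
 "icc": false,
 "userns-remap": "default"}
""")


def audit_daemon(cfg: Dict) -> List[str]:
    """Return one finding per weak daemon setting; empty list means all three pass."""
    findings: List[str] = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are guarded by file permissions / docker group
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: API exposed over TCP without client-certificate "
                            "verification; anyone who can connect is root on the host")
        elif host.startswith("tcp://0.0.0.0") or host.startswith("tcp://[::]"):
            findings.append(f"{host}: API bound to all interfaces; bind it to a management address")
    if cfg.get("icc", True):  # dockerd's default is icc=true
        findings.append("icc not disabled: containers on the default bridge can reach each other")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap unset: root inside a container is uid 0 on the host")
    return findings


def audit_daemon_file(path: str = "/etc/docker/daemon.json") -> List[str]:
    """Convenience wrapper for a real host; a missing file means all defaults apply."""
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        cfg = {}
    return audit_daemon(cfg)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon(cfg) or ["ok"])
```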
Reducing attack surface
● Linux capabilities = root privileges broken down into separate units
● Docker by default disables a lot of capabilities
● Don’t add capabilities to your container
● Seccomp = syscall filter
● Firewall between user land and the kernel
● Avoid at all costs --security-opt seccomp=unconfined
● 25 kernel CVEs prevented thanks to these layers
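What "Docker by default disables a lot of capabilities" means in practice can be read straight from a container process: the CapEff line of /proc/<pid>/status is a bitmask, and Docker's default set decodes to 14 of the 41 capabilities current kernels define. The following is an added example (not code from the slides): it decodes such a mask and diffs it against Docker's default, so an operator can see what a `--cap-add` or `--privileged` actually granted. The bit numbers come from linux/capability.h; the status excerpts are constructed.

```python
# Added example: decode CapEff from /proc/<pid>/status and compare with the
# Docker default capability set. Status excerpts below are constructed.
from typing import Set

# Capability bit numbers in order, from linux/capability.h (CAP_CHOWN = 0 ...).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# CapEff of a process in an unmodified `docker run` container: 14 capabilities.
DOCKER_DEFAULT_MASK = 0x00000000A80425FB


def decode_caps(mask_hex: str) -> Set[str]:
    """Turn a hex capability mask into a set of CAP_* names."""
    mask = int(mask_hex, 16)
    names = {f"CAP_{n}" for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1}
    unknown = mask >> len(CAP_NAMES)
    if unknown:  # bits newer than this table: report rather than silently drop
        names.add(f"CAP_UNKNOWN_BITS_0x{unknown:x}")
    return names


def cap_eff_from_status(status_text: str) -> str:
    """Pull the CapEff mask out of /proc/<pid>/status content."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


def extra_vs_docker_default(mask_hex: str) -> Set[str]:
    """Capabilities the process has beyond Docker's default set."""
    return decode_caps(mask_hex) - decode_caps(f"{DOCKER_DEFAULT_MASK:016x}")


# Constructed /proc/<pid>/status excerpts: default container, --cap-add SYS_ADMIN,
# and --privileged (every capability a 5.9+ kernel defines).
SAMPLE_STATUS_DEFAULT = "Name:\tnginx\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
SAMPLE_STATUS_SYSADMIN = "Name:\tnginx\nCapEff:\t00000000a82425fb\n"
SAMPLE_STATUS_PRIVILEGED = "Name:\tnginx\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, status in (("default", SAMPLE_STATUS_DEFAULT),
                          ("cap-add SYS_ADMIN", SAMPLE_STATUS_SYSADMIN),
                          ("privileged", SAMPLE_STATUS_PRIVILEGED)):
        extra = extra_vs_docker_default(cap_eff_from_status(status))
        print(f"{label}: {len(extra)} beyond default {sorted(extra)[:3]}")
```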
Source: https://docs.docker.com/engine/security/non-events/
Reducing attack surface
Use kernel hardening modules
● SELinux
● AppArmor
● GRSec
Reducing attack surface
Use cgroups limitations on your containers to:
● Avoid resources DoS on host
● Reduce impact by pausing the container
Take-aways (TL;DL)
● Containers are:
– Already in the veins of your infrastructure
– Impacting software architectures and your development, build, integration and deployments
● Smooth CI/CD pipelines integrated with the SSDLC:
– Security involved at build time: secure that deployment package
– Security monitoring/detection at runtime
● Best practices also apply in the container world:
– System/container hardening
– Vulnerability scanning
– System and application logging
– But you should/could go beyond this
Beyond docker...
● Container orchestrators:
– Docker Swarm
– Kubernetes
● gVisor: moving ring 0 into ring 3
● Kata Containers: s/docker/qemu/
● Cloud-native?
Questions ?
Back-up slides
References
● CVE-2019-5736: https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
● Dirtyc0w, container escape via vdso shared library: https://github.com/scumjr/dirtycow-vdso
● Sysdig/Falco: https://github.com/falcosecurity/falco
● Sysdig/image scanning tools: https://sysdig.com/blog/container-security-docker-image-scanning/
● Anchore: https://anchore.com
● Clair:
● Distroless: https://github.com/GoogleContainerTools/distroless
CVE-2019-5736
Source: https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/