Linux Containers: Future or Fantasy?
Aaron Grattafiori
Technical Director
NCC Group (aka iSEC Partners/Matasano Security/Intrepidus Group)
DEF CON 23
whoami
Infosec, pentesting, Neg9/CTF
iSEC Partners for 5.5 years
NCC Group for 0.1 years
Hacking Samsung Smart TVs @ BH USA 2013, Toorcon, etc
Macs in the age of the APT @ BH USA 2011, Source, etc
2015 NCC Group 2
Disclaimer
These slides are not intended to be consumed without the corresponding presentation or whitepaper. The information contained within is designed for presenting and not for 100% completeness with regards to risks, recommendations, findings, etc.
Story One: The Server
Once Upon a Time
Bob's Ruby on Rails app gets popped, or his SQL database server is compromised, or his WordPress plugin gives RCE, or…
He wants to add security... But how?
Chroot?
OLD
The tried and true, still used today
Broken if you have root
Chroot
mkdir("ncc");
chroot("ncc");      /* new root is set, but the cwd stays outside it */
chdir("../..");     /* oh no… */
chroot(".");
SELinux?
SELinux?
NSA made it
Complex type system for MLS systems
Good support on RHEL
SELinux (and other MAC)
Complexity
The Linus Torvalds problem
The setenforce 0 problem
Kernel enforces it: kernel gotta kernel
OK, no MAC, but grsecurity!
Well, you've protected the kernel and apps, helped prevent memory corruption and hardened against other attacks, but…
Full Virtual Machines?
Full Virtual Machines
QEMU, KVM or ESX escapes
Recent Xen/QEMU updates, anyone?
VM for a single process? Nope.
Story Two: The Client
Once Upon a Time
"Gulenn" talks to a potential source named "citizenfour"
He can't use a Chromebook because he is paranoid about Google
Hey, just use Linux!
"Malware is just for Windows"
"OSX sucks, it's insecure"
Linox is like… super sakure, right?
aaaaannnnddd broken…
He's one WebKit or Gecko bug away from a TBB compromise.
What app sandboxes?
Pidgin and libpurple don't have a great track record
LiveCDs are stale code by definition
Story Three: The Embedded
Once Upon a Time
Margaret is in charge of embedded security at D-Link, Belkin, <insert IoT company>
She wants to add isolation between the web app, wpa_supplicant and the DLNA stack
Tired of having CSRF-able arbitrary code execution via buggy input validation
Margaret isn't alone!
Everything runs as root
No security is added (because $$$)
You can't easily virtualize or segment ARM/MIPS within a router, but is there nothing we can do to improve IoT?
What do these stories have in common?
Attack surface matters almost more than anything else
Sandboxes and containers at least let us pick our battles: they should be the rule, not the exception
(Props to Google Chrome Browser, Adobe Reader X, Apple Seatbelt, Google ChromeOS, etc.)
How can we work to improve server, desktop and embedded security for Linux?
We have to try something new
Paul Smecker: They exited out the front door. They had no idea what they were in for. Now they're staring at six men with guns drawn. It was a fucking ambush.
Paul Smecker: This was a fucking bomb dropping on Beaver Cleaverville. For a few seconds, this place was Armageddon!
Officer Greenly: What if it was just one guy with six guns?
Paul Smecker: Why don't you let me do the thinking, huh, genius?
But Greenly was right… it was "il Duce"
What if it wasn't one CPU with multiple kernels, but one kernel with multiple userlands?
OpenVZ
Linux-VServer
FreeBSD Jails
OpenBSD/NetBSD Sysjail
Solaris Zones
HP-UX Containers
AIX Workload Partitions
A little bit about OS Virtualization
Fundamentally less secure than hardware virtualization
OS vs Hardware Virtualization
Hardware virtualization creates software emulation for pretty much everything
Software or OS virtualization partitions a single kernel and attempts to restrict or control access to hardware
But we don't want to depend on a single method for security…
Hardware virtualization is even fundamentally less secure than physically different hardware… (surrounded by guys with guns and fences)
Namespaces
Namespaces
Plan9: http://www.cs.bell-labs.com/sys/doc/names.html
Namespaces
(Diagram: the Linux kernel partitioned into MOUNT, NET, UTS, USER and PID namespaces)
It all starts with a CLONE(2)
"Kernel Execution Context"
clone(2)
setns(2)
unshare(2)
MOUNT Namespace
CLONE_NEWNS: Added in the 2.4.19 kernel
Per user / via PAM
Per-process view of files, disks, NFS
IPC Namespace
CLONE_NEWIPC: Added in 2.6.19
"System V IPC objects"
UTS Namespace
CLONE_NEWUTS: Added in 2.6.19
uname(2), setdomainname(2), sethostname(2)
PID Namespace
CLONE_NEWPID: Added in 2.6.24
Process IDs start at 1
Can be nested
PID NS example
$ lxc-create -t busybox -n foo ; lxc-start -n foo
$ lxc-attach -n foo -- ps
  PID USER     COMMAND
    1 root     init
    5 root     /bin/sh
   10 root     ps
NETWORK Namespace
CLONE_NEWNET: Added in 2.6.24
Separate network devices, IP, MAC, routing table, firewall
USER Namespace
CLONE_NEWUSER: Added in 2.6.23 but finished in 3.8
Important for actually securing containers
… also a high-risk area of the kernel :/
USER NS example
$ lxc-attach -n foo -- sh
BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash) …
$ id
uid=0(root) gid=0(root)
$ sleep 1337
Meanwhile on the host, ps shows the same process owned by uid 100000:
100000 17110 0.0 0.0 2184 260 pts/14 S+ 12:03 0:00 sleep 1337
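The uid 100000 the host reports for the container's root comes from the user namespace's uid_map. As an added example that is not from the talk, this C code parses the /proc/PID/uid_map format ("inside-id outside-id count" per line) and translates ids in both directions, including the unmapped case; the map text is constructed to match the slide.

```c
/* Added example (not from the talk): translate uids across a user namespace
 * using the /proc/PID/uid_map format, "<inside-id> <outside-id> <count>" per
 * line. The map below is constructed to match the slide: uid 0 inside the
 * container is uid 100000 on the host. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OVERFLOW_UID 65534u   /* kernel default for unmapped ids (overflowuid, "nobody") */
#define MAX_RANGES   8        /* the kernel caps lines too: 5 before Linux 4.15, 340 since */

struct id_range { unsigned inside, outside, count; };
struct id_map   { struct id_range r[MAX_RANGES]; int n; };

/* Parse uid_map/gid_map text. Returns the number of ranges, or -1 on malformed input. */
int parse_id_map(const char *text, struct id_map *m) {
    m->n = 0;
    for (const char *p = text; *p != '\0'; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 0) {                       /* blank lines are skipped */
            char line[128];
            if (len >= sizeof line || m->n == MAX_RANGES) return -1;
            memcpy(line, p, len);
            line[len] = '\0';
            struct id_range *r = &m->r[m->n];
            if (sscanf(line, "%u %u %u", &r->inside, &r->outside, &r->count) != 3 ||
                r->count == 0)
                return -1;
            m->n++;
        }
        p = eol ? eol + 1 : p + len;
    }
    return m->n;
}

/* uid as seen inside the namespace -> uid on the host.
 * Ids outside every range are unmapped and read as OVERFLOW_UID. */
unsigned inside_to_host(const struct id_map *m, unsigned uid) {
    for (int i = 0; i < m->n; i++) {
        const struct id_range *r = &m->r[i];
        if (uid >= r->inside && uid - r->inside < r->count)
            return r->outside + (uid - r->inside);
    }
    return OVERFLOW_UID;
}

/* host uid -> uid as seen inside the namespace. Host ids outside every range
 * show up inside as OVERFLOW_UID, which is why the container owner's own
 * files appear as "nobody" from within an unprivileged container. */
unsigned host_to_inside(const struct id_map *m, unsigned uid) {
    for (int i = 0; i < m->n; i++) {
        const struct id_range *r = &m->r[i];
        if (uid >= r->outside && uid - r->outside < r->count)
            return r->inside + (uid - r->outside);
    }
    return OVERFLOW_UID;
}

int main(void) {
    struct id_map m;
    const char *uid_map = "0 100000 65536\n";   /* constructed, matches the slide */
    if (parse_id_map(uid_map, &m) < 0) return 1;
    printf("inside 0      -> host %u\n", inside_to_host(&m, 0));        /* 100000 */
    printf("host 100000   -> inside %u\n", host_to_inside(&m, 100000)); /* 0 */
    printf("host 1000     -> inside %u\n", host_to_inside(&m, 1000));   /* 65534 */
    return 0;
}
```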
Capabilities
(Diagram: root, decomposed into capabilities)
root
CAP_NET_ADMIN
CAP_SYS_PACCT
CAP_SYS_MODULE
CAP_SYS_RAWIO
CAP_MKNOD
CAP_NET_BIND_SERVICE
CAP_SYSLOG
CAP_NET_RAW
CAP_DAC_READ_SEARCH
CAP_MAC_ADMIN
CAP_SYS_PTRACE
CAP_SETGID
CAP_SETUID
CAP_SYS_BOOT
CAP_SYS_TIME
CAP_SYS_CHROOT
CAP_AUDIT_WRITE
CAP_WAKE_ALARM
CAP_SYS_ADMIN
Capabilities
Pros: Kernel devs adding them
Cons: Busy (and lazy) kernel devs
Result: Semi-working capabilities model!
Examples of Capabilities
CAP_NET_ADMIN
CAP_NET_RAW
CAP_NET_BIND_SERVICE
CAP_SYS_RESOURCE
CAP_SYS_PTRACE
CAP_SYS_RAWIO
CAP_KILL
Dropping Capabilities
What should be dropped?
Everything!
What if I leave just "CAP_FOO" enabled? It depends…
Fixing ping
$ ls -l /bin/ping
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
$ cp /bin/ping /tmp ; ls -l /tmp/ping
-rwxr-xr-x 1 root root 44168 Mar 18 11:02 /tmp/ping
$ /tmp/ping localhost
ping: icmp open socket: Operation not permitted
Fixing ping
$ sudo setcap cap_net_raw=p /tmp/ping
$ getcap /tmp/ping
/tmp/ping = cap_net_raw+p
$ /tmp/ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data
64 bytes from localhost (127.0.0.1): icmp_seq ...
Some Dangerous Capabilities
SYS_CHROOT, NET_RAW, SYS_MODULE, SYS_RAWIO, NET_ADMIN, SYS_PTRACE, MAC_ADMIN, MKNOD, MAC_OVERRIDE, DAC_READ_SEARCH
CAP_SYS_ADMIN == root
From capabilities(7), CAP_SYS_ADMIN lets a process:
* Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
* perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations);
* perform VM86_REQUEST_IRQ vm86(2) command;
* perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects;
* perform operations on trusted and security Extended Attributes (see attr(5));
* use lookup_dcookie(2);
* use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
* forge UID when passing socket credentials;
* perform administrative operations on many device drivers;
* exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2));
* employ CLONE_* flags that create new namespaces with clone(2) and unshare(2);
* call perf_event_open(2);
* access privileged perf event information;
* call setns(2);
* call fanotify_init(2);
* perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations;
* perform madvise(2) MADV_HWPOISON operation;
* employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal;
* employ the obsolete nfsservctl(2) system call;
* employ the obsolete bdflush(2) system call;
* perform various privileged block-device ioctl(2) operations;
* perform various privileged filesystem ioctl(2) operations.
See the "False Boundaries and Arbitrary Code Execution" post by Spender: https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
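Auditing what a container process actually holds is the practical side of the "Some Dangerous Capabilities" and CAP_SYS_ADMIN slides above. As an added example that is not from the talk, this C code decodes a capability mask as printed in /proc/PID/status (CapEff, CapPrm, CapBnd, ...) and flags the capabilities the slides list as dangerous; the status text is a constructed sample.

```c
/* Added example (not from the talk): decode a capability mask as printed in
 * /proc/PID/status and flag the capabilities the talk lists as dangerous.
 * Pure userland parsing; needs no privileges. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel capability numbers (linux/capability.h); array index == bit position. */
static const char *cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
};

/* The "Some Dangerous Capabilities" slide plus CAP_SYS_ADMIN, by bit number,
 * in ascending order so reports come out stable. */
static const int dangerous_bits[] = { 2, 12, 13, 16, 17, 18, 19, 21, 27, 32, 33 };
#define DANGEROUS_COUNT (sizeof dangerous_bits / sizeof dangerous_bits[0])

/* Constructed sample of /proc/PID/status, trimmed to the Cap* lines. The
 * CapEff value resembles the reduced set a container runtime grants by default. */
static const char SAMPLE_STATUS[] =
    "Name:\tnginx\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n";

/* Locate "<field>:" in status text and parse its hex mask. 0 on success, -1 if absent. */
int parse_cap_field(const char *status, const char *field, uint64_t *mask) {
    size_t flen = strlen(field);
    for (const char *line = status; line != NULL && *line != '\0'; ) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *start = line + flen + 1;
            char *end;
            *mask = strtoull(start, &end, 16);   /* strtoull skips the leading tab */
            return end == start ? -1 : 0;
        }
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Store the names of dangerous capabilities present in mask into out (up to
 * max entries); returns how many are present, which may exceed max. */
int list_dangerous(uint64_t mask, const char **out, int max) {
    int n = 0;
    for (size_t i = 0; i < DANGEROUS_COUNT; i++) {
        int bit = dangerous_bits[i];
        if (mask & (1ULL << bit)) {
            if (n < max) out[n] = cap_names[bit];
            n++;
        }
    }
    return n;
}

/* Number of capabilities set in a mask. */
int cap_popcount(uint64_t mask) {
    int n = 0;
    for (; mask != 0; mask &= mask - 1) n++;
    return n;
}

int main(void) {
    uint64_t eff;
    if (parse_cap_field(SAMPLE_STATUS, "CapEff", &eff) != 0) return 1;
    const char *bad[DANGEROUS_COUNT];
    int nbad = list_dangerous(eff, bad, DANGEROUS_COUNT);
    printf("CapEff %016llx: %d capabilities, %d flagged as dangerous\n",
           (unsigned long long)eff, cap_popcount(eff), nbad);   /* 14, 3 */
    for (int i = 0; i < nbad; i++) printf("  %s\n", bad[i]);
    return 0;
}
```

Even the trimmed sample set keeps NET_RAW, SYS_CHROOT and MKNOD from the slide's list; a full root mask of 0x3fffffffff trips all eleven.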
Control groups
cgroups
Hierarchical and inheritable
Controls different subsystems (Dev, CPU, Mem, I/O, Network)
ulimit on steroids
Controlling access to resources based on subgroups: devices, CPU, I/O, Mem, …
Filling some gaps of namespaces
Controlling cgroups is typically performed via a virtual filesystem: /sys/fs/cgroup
Main configuration (besides container configs): /etc/cgrules.conf, /etc/cgconfig.conf
cgexec
cgmanager
Container platforms make it easy
Putting that all together…
Putting it all together…
Namespaces logically isolate kernel elements
Capabilities help enforce namespaces and reduce undesired privileges
Cgroups limit hardware resources
Enter: Containers (LXC, Docker, CoreOS rkt, Heroku, Flockport, Kubernetes, Joyent, etc)
Linux Containers
Better than chroot!
Still not virtualization…
Mount options
Beyond ro, nodev, noexec, nosuid
Bind, Overlay, Union, CoW, Versioning, even sshfs
Namespaces, Capabilities and Cgroups: where are they now on Linux servers?
Self-hosted PaaS systems
Amazon EC2
Google App Engine
Rackspace, Heroku
Namespaces, Capabilities and Cgroups: where are they now on Linux clients?
ChromeOS and the Chrome browser
Limited use in Android
Some Linux distros
Sandboxing tools: minijail, mbox
LinuX Containers: LXC
LXC: Template: Basics
lxc.rootfs = /var/lib/lxc/defcon-ctf/rootfs
lxc.utsname = isec
lxc.start.auto = 1
lxc.mount.entry = /lib lib none ro,bind,nodev 0 0
lxc.mount.entry = /lib64 lib64 none ro,bind,noexec 0 0
Page 70: LXC: Template: Cgroups
lxc.cgroup.tasks.limit = 256
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = b 9:0 r
lxc.cgroup.memory.limit_in_bytes = 4000000
(devices.deny = a first removes every device from the whitelist; each devices.allow line then re-adds one entry, here read-only access to block device 9:0.)

Page 71: LXC: Template: Other Security
lxc.cap.keep = sys_time sys_nice
lxc.aa_profile = lxc-container-default
lxc.seccomp = /path/to/seccomp.rules
(lxc.cap.keep is a whitelist: every capability not listed is dropped when the container starts.)
Page 72: Recent Advancements

Page 73: Unprivileged Containers
Non-root users can now create/start containers and be "root" inside the container (the user namespace maps container uid 0 to an unprivileged host uid)
Weird things can obviously happen
More work and auditing to be done
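How a non-root user ends up as "root" inside a container, as an added example (not code from the slides, LXC or NCC Group): the process creates a user namespace with unshare(CLONE_NEWUSER) and maps uid/gid 0 inside to its own unprivileged ids outside, which is the one mapping an unprivileged process may write. It runs the mapping in a forked child so the caller is untouched; the numeric return codes are this example's own convention. On hosts where unprivileged user namespaces are disabled or filtered, the kernel refuses the unshare() or the map write and the function reports that instead of root.

```c
/* Added example: unprivileged user namespace, "root" inside, nobody outside.
 * Linux only. Build: cc -Wall -o userns_demo userns_demo.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one string to a /proc file; 0 on success, -1 on failure. */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Return codes (this example's convention):
 *   0  uid 0 inside the new namespace, mapped to the caller's outer uid
 *   1  namespace and mapping accepted but still not uid 0 (unexpected)
 *   2  the kernel refused CLONE_NEWUSER (unprivileged userns disabled/filtered)
 *   3  the setgroups/uid_map/gid_map write was refused */
int become_root_in_userns(void)
{
    unsigned outer_uid = (unsigned)getuid();
    unsigned outer_gid = (unsigned)getgid();
    char map[64];

    if (unshare(CLONE_NEWUSER) != 0)
        return 2;
    /* Since Linux 3.19 gid_map may only be written once setgroups is denied;
     * the file does not exist on older kernels, so ENOENT is tolerated. */
    if (write_file("/proc/self/setgroups", "deny") != 0 && errno != ENOENT)
        return 3;
    /* A single line mapping in-namespace id 0 to our own outer id is the
     * only mapping a process without CAP_SETUID/CAP_SETGID outside may write. */
    snprintf(map, sizeof map, "0 %u 1\n", outer_uid);
    if (write_file("/proc/self/uid_map", map) != 0)
        return 3;
    snprintf(map, sizeof map, "0 %u 1\n", outer_gid);
    if (write_file("/proc/self/gid_map", map) != 0)
        return 3;
    return (getuid() == 0 && geteuid() == 0) ? 0 : 1;
}

/* Run the mapping in a forked child and return its code (-1 on fork/wait error),
 * so the caller's own namespace is never changed. */
int userns_demo(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(become_root_in_userns());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *what[] = {
        "uid 0 inside the namespace, outer uid unchanged",
        "mapping accepted but uid is not 0",
        "kernel refused CLONE_NEWUSER",
        "setgroups/uid_map/gid_map write refused",
    };
    int r = userns_demo();
    printf("outer uid %u, result %d: %s\n", (unsigned)getuid(), r,
           (r >= 0 && r <= 3) ? what[r] : "fork/wait error");
    return 0;
}
```

The "root" obtained this way holds capabilities only over objects owned by the new namespace; that is the whole point of the "weird things can happen" bullet, since a kernel bug in any subsystem that now treats uid 0 in a child namespace as privileged becomes reachable by every unprivileged user.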
Page 74: What about that kernel attack surface?
There are 190 syscalls in Linux 2.2
There are 337 syscalls in Linux 2.6
There are 340 syscalls in Linux 4.1
How many does your app really need?

Page 75: Seccomp-bpf
SECure COMPuting: filtering the kernel (yet again)
"System call filtering isn't a sandbox. It provides a clearly defined mechanism for minimizing the exposed kernel surface." - Will @redpig Drewry, Google

Page 76: Seccomp-bpf
Syscall arguments can also be filtered (mostly: only the register values, never the memory a pointer argument points to)
Large number of filters = performance hit
Only really supports x86 and x86_64 (for now)
You'll need LXC, Minijail or Mbox (Docker: /contrib now, release branch soon (1.8?))
Page 77: Seccomp-bpf
prctl(2): operations on a process
PR_SET_SECCOMP:
  SECCOMP_MODE_STRICT (old: only read, write, _exit and sigreturn are allowed)
  SECCOMP_MODE_FILTER (new hotness: a BPF program decides per syscall)
Since Linux 3.17 the dedicated seccomp(2) syscall does the same with extra flags such as SECCOMP_FILTER_FLAG_TSYNC.
Page 78: Seccomp-bpf
#include <stddef.h>         /* offsetof */
#include <sys/prctl.h>
#include <sys/syscall.h>    /* __NR_ptrace */
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Load the syscall number; kill the thread if it is ptrace, allow anything else.
 * Note: no architecture check, so a syscall made through another ABI
 * (e.g. i386 compat on x86_64) is judged by the wrong number table. */
struct sock_filter filter[] = {
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ptrace, 1, 0),
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
};
struct sock_fprog prog = {
    (unsigned short) (sizeof(filter) / sizeof(filter[0])), filter
};
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);   /* required for unprivileged callers */
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
Page 79: Berkeley Packet Filter
# tcpdump -p -nqi wlan0 -d 'tcp and port 80'
(000) ldh [12]
(001) jeq #0x86dd jt 2 jf 8
(002) ldb [20]
(003) jeq #0x6 jt 4 jf 19
(004) ldh [54]
(005) jeq #0x50 jt 18 jf 6
(006) ldh [56]
(007) jeq #0x50 jt 18 jf 19
(008) jeq #0x800 jt 9 jf 19
(009) ldb [23]
. . . . .
(Same instruction set as a seccomp filter: load a field at an offset, compare, jump to the true or false target. Here [12] is the Ethernet type, 0x86dd IPv6 and 0x800 IPv4, 0x6 the TCP protocol number and 0x50 port 80.)
Page 80: Seccomp-bpf: where
ChromeOS / Google Chrome, Firejail, OpenSSH, Capsicum, Tor, Mbox, vsftpd, BIND, LXC, QEMU, Opera Browser, Docker (/contrib)

Page 81: So who is implementing and supporting containers?
Docker, CoreOS, Flockport, Sandstorm.io, RancherOS, Heroku (ish), Joyent, Amazon, VMware, Google/Kubernetes
... and many more

Page 82: Let's talk about the big two
Page 84: What is the "big deal"
Packaging and deployment focused: one app per container
Devs and Ops, DevOps, DevCyberOps, DevSecOps, BlackOps, etc
Developing PaaS
Makes it easy

Page 85: So Docker is just LXC? Nope.
libcontainer, libchan, libswarm, etc
Written in Go
REST API
Running docker daemon (as root)

Page 86: Docker Ecosystem
Docker images:
$ docker run --name mynginx -v /opt/content:/usr/share/nginx/html:ro -d nginx
Docker Hub:
$ sudo docker run ubuntu:14.04 /bin/echo 'Hello world'
Hello world
Orchestration, Communication, Management
Page 88: CoreOS
Minimal OS for hosting containers
Launching the rkt and app container spec
App container spec picked up by VMware Photon
Separation from Docker and LXC

Page 89: Why Docker, Rocket, etc?
Takes some of the configuration away
FreeBSD::OSX as LXC::Docker
Additional packaged tools | features

Page 90: Why Docker, Rocket, etc?
LXC: you want to run a containerized OS or single app. Hard mode with the most flexibility.
Docker: you want to run a single app per container. Easy mode with some costs.
CoreOS: you want to host Docker containers or try and use rkt. So much bleeding it's rated R.

Page 91: Going on the attack
Page 92: Let's think about this....
Container to other container
Container to itself
Container to host
Container to support infrastructure
Container to local network
Container to ...

Page 93: Starting at the top

Page 95: Kernel who?
Lots of drivers, old code, weird filesystems, old syscalls, platform-specific problems, strange or unused network protocols
Page 96: Not... dropping caps
If you don't drop the right ones: game over
Not dropping caps also allows kernel code exec...
CAP_NET_ADMIN (CVE-2013-4588, CVE-2011-2517, CVE-2011-1019, ...)

Page 97: Not... dropping caps
Speaking of dropping capabilities, a Docker shocker: CAP_DAC_READ_SEARCH
"Invoke open_by_handle_at(2)"
Brute force the inode of /etc/shadow on the host filesystem (the file handle is guessable once you know the mount)
Props to Stealth aka Sebastian Krahmer

Page 98: Not... dropping caps
Without a MAC system, capability dropping and the user namespace are your only line of defense
Page 99: Not... limiting access
Procfs: /proc/kcore, /proc/sys/kernel/modprobe, /proc/sys/kernel/sysrq
Sysfs: /sys
Cgroups do not limit mknod (unless the devices cgroup denies the "m" permission; otherwise drop CAP_MKNOD)
Kernel ring buffer: dmesg
Network access: br0
Unintended devfs: /dev, /dev/shm

Page 100: Not... limiting resources
Forkbomb! :(){ :|:& };:
Memory, disk, entropy...
Page 101: When good containers go stale
When was the last time you updated OpenSSL in your Docker container?
How do you deal with updates in place if apt-get upgrade is a "no-no"?

Page 102: Lack of MAC (Mandatory Access Controls)
"The flawed assumption of modern computing environments"
Eggs in one (kernel) basket
AppArmor does a decent job

Page 103: LXC Weaknesses
Bad defaults: capability dropping, networking
Unprivileged containers finished-ish
A few security fixes have lagged :/
Page 105: Docker Weaknesses
Capability dropping: a shocker
Root daemon plus root to use it
Weak REST API authentication defaults
Docker "github all the way down"

Page 106: Docker Weaknesses
Does not drop all capabilities by default, drops all except "those needed" (still includes some dangerous capabilities: CAP_NET_RAW, CAP_FOWNER, CAP_MKNOD, ...)
Docker binds container port maps to all interfaces by default
Base images are huge... apt-get is hungry
Docker networking defaults allow cross-container networking and access to the Docker host

Page 107: Docker Weaknesses
Giving low-rights users access to Docker means giving them root on the Docker host
Currently missing support for key security features: seccomp-bpf and the user namespace
Exposing the socket/REST API inside a container for introspection <- don't do that
Page 108: Docker Weaknesses
About that lack of user namespace....:
"Hi all, I'm a maintainer of Docker. As others already indicated this doesn't work on 1.0. But it could have. Please remember that at this time, we don't claim Docker out-of-the-box is suitable for containing untrusted programs with root privileges. So if you're thinking "pfew, good thing we upgraded to 1.0 or we were toast", you need to change your underlying configuration now. Add apparmor or selinux containment, map trust groups to separate machines, or ideally don't grant root access to the application. Docker will soon support user namespaces, which is a great additional security layer but also not a silver bullet! When we feel comfortable saying that Docker out-of-the-box can safely contain untrusted uid0 programs, we will say so clearly."

Page 109: Posted one year ago :/
Page 111: CoreOS "rkt" Weaknesses
Rocket (rkt) is extremely new
No root daemon but rkt still requires root...

Page 112: CoreOS "rkt" Weaknesses
Rocket does not drop many dangerous capabilities or support the user namespace

Page 113: CoreOS "rkt" Weaknesses
Seccomp? Nope. AppArmor? Nope. SELinux? Kinda. Root inside container? Yep. /proc, /proc/sys limits? Nope.
Page 114: The Dream

Page 115: The Implementation

Page 116: Open Container Project (OCP)
Robert 'Bob' Morton: At Security Concepts, we're projecting the end of crime in Old Detroit within forty days. There's a new guy in town. His name is RoboCop.

Page 117: Open Container Initiative (OCI?)
Working on a joint specification (OCF) for containers
Launched runc, an OCF implementation using libcontainer from Docker
Unfortunately still not working on RoboCop

Page 118: That all sounds bad/easy to mess up ... and how to make it better

Page 119: Recommendations
Page 121: Kernel Hardening
Grsecurity/PaX is the only serious kernel hardening patchset. Just do it
Typical sysctl hardening (e.g. kernel.kptr_restrict, kernel.dmesg_restrict, kernel.yama.ptrace_scope)
Minimal kernel modules

Page 122: Dropping all the Capabilities
Gotta drop them all!
Design for the smallest set
Assume the worst
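The first step of "gotta drop them all" is finding out what a container process actually holds, which also makes the Docker default on page 106 concrete. The following is an added example (not code from the slides, Docker or NCC Group) that decodes the CapEff/CapBnd masks from /proc/self/status, flags the capabilities this deck calls out as dangerous, and shows how a process with CAP_SETPCAP would prune its own bounding set with prctl(PR_CAPBSET_DROP). The sample mask 0xa80425fb is constructed from Docker's published default capability list for this example; the risky-capability table is this example's own selection from the slides.

```c
/* Added example: inspect and prune Linux capabilities from inside a container.
 * Linux only. Build: cc -Wall -o capcheck capcheck.c */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Parse the hex mask after a "CapXxx:" label, e.g. "CapEff:\t00000000a80425fb".
 * Returns the mask, or UINT64_MAX if the line is not a capability line. */
uint64_t parse_cap_line(const char *line)
{
    const char *colon = strchr(line, ':');
    if (!colon || strncmp(line, "Cap", 3) != 0)
        return UINT64_MAX;
    return strtoull(colon + 1, NULL, 16);   /* skips the tab */
}

/* Read CapInh, CapPrm, CapEff, CapBnd or CapAmb for the calling process. */
uint64_t read_self_cap(const char *field)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return UINT64_MAX;
    char line[256];
    uint64_t mask = UINT64_MAX;
    size_t n = strlen(field);
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, field, n) == 0 && line[n] == ':') {
            mask = parse_cap_line(line);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* Bit cap of the mask is the capability's number from linux/capability.h. */
int has_cap(uint64_t mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1u);
}

/* Capabilities the slides single out as dangerous inside a container. */
static const struct { int cap; const char *name; } risky[] = {
    { CAP_NET_ADMIN,      "CAP_NET_ADMIN" },
    { CAP_DAC_READ_SEARCH,"CAP_DAC_READ_SEARCH" },
    { CAP_NET_RAW,        "CAP_NET_RAW" },
    { CAP_FOWNER,         "CAP_FOWNER" },
    { CAP_MKNOD,          "CAP_MKNOD" },
};
#define N_RISKY (sizeof risky / sizeof risky[0])

/* How many of the risky capabilities are present in mask. */
int count_risky(uint64_t mask)
{
    int n = 0;
    for (size_t i = 0; i < N_RISKY; i++)
        if (has_cap(mask, risky[i].cap))
            n++;
    return n;
}

/* Remove every capability not in keep from the bounding set, so it can never
 * be regained through execve(). Needs CAP_SETPCAP; returns the number of
 * drops the kernel refused (0 means the bounding set now equals keep). */
int drop_bounding_set_except(uint64_t keep)
{
    int failed = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (!has_cap(keep, cap) && prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            failed++;
    return failed;
}

int main(void)
{
    uint64_t eff = read_self_cap("CapEff");
    uint64_t bnd = read_self_cap("CapBnd");
    printf("CapEff %016llx  CapBnd %016llx\n",
           (unsigned long long)eff, (unsigned long long)bnd);
    for (size_t i = 0; i < N_RISKY; i++)
        printf("  %-20s %s\n", risky[i].name,
               has_cap(eff, risky[i].cap) ? "PRESENT" : "-");
    printf("%d risky capabilities effective\n", count_risky(eff));
    return 0;
}
```

Run it as the container's application user: an empty CapEff with an empty CapBnd is the target; a non-empty CapBnd with an empty CapEff means a setuid or file-capability binary in the image can still get the capability back. Dropping the bounding set does not touch the ambient or inheritable sets, so the runtime should clear those as well.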
Page 123: Adding a MAC Layer
AppArmor, Grsecurity RBAC, SMACK, SELinux

Page 124: AppArmor
Defaults to enabled for LXC and Docker (on hosts whose kernel ships AppArmor, e.g. Ubuntu)!
Can be nested!
Path based, but hey it works

Page 125: Docker Specific Hardening
Don't allow access to the docker user or group
Don't run privileged or root containers
Drop additional capabilities (--cap-drop=ALL, then --cap-add only what the app needs)
Upgrade to 1.8 when released (or use /contrib now) which has seccomp-bpf and user namespace support, w00t!
Check out docker-bench-security and other solid work by the Docker security team
Use small base images

Page 126: Seccomp-bpf
Use a whitelist if you can, but a blacklist will do OK
Docker is exploring "high", "med", "low" defaults for 1.8+, but what is really needed is a profile for each containerized app.
Page 127: Normal System Hardening
Mount security, extended filesystem attributes, access controls, permissions, logging, firewalls, auditing, hardened toolchain, safe languages, attack surface reduction, least privilege, least access, resource limits, 2FA, reduced complexity, pentesting

Page 128: Network Hardening
Listening on "all interfaces" includes docker0/lxcbr0, so every container can reach the service (bind to a specific address instead)
Containers are great for network auditing/traceflow!

Page 129: Layered trust (diagram)
Hardening stack, bottom to top: hypervisor/hardware; Linux kernel with grsecurity+PaX; syscall filtering with seccomp-bpf; minimal container distro; mount protections; user namespace without caps; hardened application
Workloads separated into trust zones: Trust A, Trust B, Trust C, Trust D

Page 130: Where do we go from here?
Page 131: Where do we go from here?
More namespaces (proc, dev)
Minimal hypervisors (Clear Containers)
Minimal container distros
Android or other non-x86 that needs app/system segmentation/sandboxing

Page 132: Where do we go from here?
"Desktop" applications in containers
Improved seccomp-bpf argument filtering
Hopefully more granular capabilities
..... more vulnerabilities too! :/

Page 133: Where do we go from here?
Microservices

Page 136: Conclusion

Page 137: In closing
It's not about perfect security but improving the current state and making attackers work harder
The technologies to support containers can be used to help secure existing non-container Linux systems
Microservices architecture fits a least-privilege and least-access container/security model
Physically separate critical security barriers and isolate by trust

Page 138: Coming soon!
My whitepaper: "Understanding and Hardening Linux Containers"... covers everything here in muuuch more depth! (background, namespaces, all the capabilities, cgroups, explores MAC, seccomp-bpf, past container attacks, overall and specific weaknesses, security recommendations for LXC, Docker, rkt deployments)

Page 139: Coming soon!
When will the whitepaper be released? Hopefully in the next few weeks!
How can I make sure I get it? Email me! or follow me on Twitter! @dyn___ (totally not a ploy for more followers)