Secure Substrate: Least Privilege Container Deployment - Diogo Monica and Riyaz Faizullabhoy, Docker


The popularity of containers has driven the need for distributed systems that can provide a substrate for container deployments. These systems need the ability to provision and manage resources, place workloads, and adapt in the presence of failures. In particular, container orchestrators make it easy for anyone to manage their container workloads using their cloud-based or on-premise infrastructure. Unfortunately, most of these systems have not been architected with security in mind. Compromise of a less-privileged node can allow an attacker to escalate privileges to either gain control of the whole system, or to access resources it shouldn't have access to. In this talk, we will go over how Docker has been working to build secure blocks that allow you to run a least-privilege infrastructure, where any participant of the system only has access to the resources that are strictly necessary for its legitimate purpose. No more, no less.


  1. Diogo Mónica, Security Lead, Docker; Riyaz Faizullabhoy, Security Engineer, Docker. Secure Substrate: Least Privilege Container Deployment
  2. Vulnerability Vulnerability
  3. Vulnerability Vulnerability
  4. Security Tetrominos: infraKit, linuxKit, runC, containerD, Docker, Notary, swarmKit
  5. infraKit: Infrastructure independent machine management
  6. Platform Agnostic (infraKit)
  7. Declarative Updates (infraKit)
  8. Reverse Uptime (infraKit)
  9. Rolling Deploys (infraKit) [diagram: infraKit, OS, OS, create, remove; uptime: 1 week; uptime: 3 minutes]
  10. linuxKit: The most secure OS builder for your containers
  11. Minimal Base (linuxKit)
  12. Immutable Infrastructure (linuxKit)
  13. Already in use by millions of users (linuxKit)
  14. linuxKit: Incubating the Future
  15. linuxKit: Type-safe System Daemons
  16. runC: Lightweight universal container runtime
  17. runC: • Namespace Isolation • Cgroups. Namespaces: PID, MNT, IPC, NET, … Cgroups: CPU, BLKIO, MEM, PIDS, …
  18. containerD: Container runtime supervisor
  19. Content Addressable Image Pulls (containerD): alpine@sha256:29d234… 29d234… Manifest 16df34… 6ec6e1… 3e94f1… 200dc0… 50d932… Layer 1, Layer 2, Layer 3, Layer 4, … Layer N
  20. Docker: Secure-by-default software container platform
  21. Docker: • SELinux & AppArmor • Capability Whitelist • Syscall Whitelist
  22. Notary: Trusted software delivery
  23. Cryptographic Name Resolution (Notary): latest da4f25c…, stable 1b33e92…, edge 9dfe47d…
  24. Notary: • Threshold Signing • Survivable Key Compromise [diagram: DEPLOY, SIGN, SIGN]
  25. swarmKit: Least-privilege container orchestrator
  26. Secure Node Introduction (swarmKit): SWMTKN-1-mx8suomaom825bet6-cm6zts22rl4hly2 = Known Prefix, Token Version, Hash of Root CA, Random Secret
  27. Cryptographic Node Identity (swarmKit)
  28. MTLS Between All Nodes (swarmKit) [diagram: Worker, Manager, TLS, Certificate Authority]
  29. Secure Secret Distribution (swarmKit) [diagram: Worker, Manager, Raft Store]
  30. Transparent Root Rotation (swarmKit) [diagram: Manager, Certificate Authority, Workers, TLS; labels Add, Remove, Renew; steps 1 2 3 4]
  31. Transparent Root Rotation (swarmKit) [diagram: Manager, Certificate Authority, Workers, TLS; labels Add, Remove, Renew; steps 1 2 3 4]
  32. Transparent Root Rotation (swarmKit) [diagram: Manager, Certificate Authority, Workers, TLS; labels Add, Remove, Renew; steps 1 2 3 4]
  33. Transparent Root Rotation (swarmKit) [diagram: Manager, Certificate Authority, Workers, TLS; labels Add, Remove, Renew; steps 1 2 3 4]
  34. Bringing it all together
  35. Notary for Docker image name resolution
  36. Notary for Docker image name resolution
  37. Cryptographically Verified Pulls
  38. swarmKit delivered Docker containers
  39. swarmKit delivered Docker containers
  40. Authorized, Authenticated, Encrypted delivery of Resources [diagram: Node, TLS (four nodes)]
  41. infraKit for swarmKit Bootstrap
  42. infraKit for swarmKit Bootstrap
  43. Secure Node Cluster Introduction: 1. Retrieve and validate Root CA Public key material. 2. Submit new CSR along with secret token. 3. Retrieve the signed certificate.
  44. linuxKit as the base OS builder
  45. linuxKit as the base OS builder
  46. Hardened Configuration
  47. Notary for secure dependency resolution
  48. Notary for secure dependency resolution
  49. Cryptographically Verified Build
  50. infraKit plus Notary for trusted OS Provisioning
  51. infraKit plus Notary for trusted OS Provisioning
  52. Cryptographically Verified Boot [diagram: dm-verity, 4k blocks, root_hash; Notary + infraKit + linuxKit]
  53. Layered runC, containerD, Docker Runtime
  54. Layered runC, containerD, Docker Runtime
  55. Secure-by-default Container Execution
  56. Secure-by-default Container Execution
  57. runC, containerD, Docker, swarmKit, Notary
  58. runC, containerD, Docker, swarmKit, Notary
  59. Secure-by-default Container Platform
  60. runC, containerD, Docker, swarmKit, Notary, infraKit, linuxKit
  61. runC, containerD, Docker, swarmKit, Notary, infraKit, linuxKit
  62. Secure-by-default Infrastructure
  63. Thank you!
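
The join token layout on slide 26 and step 1 of the node introduction on slide 43 (retrieve and validate the root CA), as an added Go example that is not from the slides or from swarmKit's source. The hash encoding (SHA-256 of the CA certificate bytes, base 36, padded to 50 characters) is an assumption, and the CA bytes and secret are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JoinToken holds the fields labelled on the token slide.
type JoinToken struct{ Version, CAHash, Secret string }

// ParseJoinToken splits PREFIX-VERSION-HASH-SECRET and rejects any other shape.
func ParseJoinToken(tok string) (JoinToken, error) {
	p := strings.Split(tok, "-")
	if len(p) != 4 || p[0] != "SWMTKN" || p[1] != "1" || p[2] == "" || p[3] == "" {
		return JoinToken{}, errors.New("malformed join token")
	}
	return JoinToken{p[1], p[2], p[3]}, nil
}

// EncodeCAHash is the ASSUMED encoding of the hash field: SHA-256 of the
// CA certificate bytes, written in base 36 and left-padded to 50 characters.
func EncodeCAHash(caCert []byte) string {
	sum := sha256.Sum256(caCert)
	s := new(big.Int).SetBytes(sum[:]).Text(36)
	return strings.Repeat("0", 50-len(s)) + s
}

// ValidateRootCA is step 1 of the join: accept the CA a manager presents
// only if it matches the hash pinned in the token.
func ValidateRootCA(t JoinToken, caCert []byte) error {
	if subtle.ConstantTimeCompare([]byte(EncodeCAHash(caCert)), []byte(t.CAHash)) != 1 {
		return errors.New("root CA does not match hash pinned in join token")
	}
	return nil
}

func main() {
	ca := []byte("constructed root CA certificate bytes") // sample input, not a real cert
	tok, _ := ParseJoinToken("SWMTKN-1-" + EncodeCAHash(ca) + "-constructedsecret0")
	fmt.Println("genuine CA:", ValidateRootCA(tok, ca))
	fmt.Println("swapped CA:", ValidateRootCA(tok, []byte("constructed impostor CA")))
}
```

Because the token pins the CA hash, a joining node can reject a substituted CA before it ever sends the CSR and the random secret in step 2.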
