"The majority of the container security discussion revolves around containers on Linux, while the security of containers in Windows is left as a mystical black box. In this talk we'll peel back the curtain and dive into how Windows containers are secured.
Does Windows have namespaces? How does it compose the layers of a container's filesystem? How does it limit resource usage of containers? I heard there's a Hyper-V isolation thing, what's that about?
We'll answer all these questions and more!"
5. Docker EE Secure Supply Chain
Diagram (text residue only): Non-Production Environments (Developer Machine, Development, CI/CD, Operations, Docker for) feed Version Control and Docker Trusted Registry; Production Environments (Datacenter 1, Datacenter 2) are managed by Docker UCP and pull from Docker Trusted Registry.
9. Hyper-V Isolation
Diagram (text residue only): in Host User Mode, Container Management runs beside a process-isolated Container (System Processes, Application Process(es)); next to it a Hyper-V VM runs its own System Processes and Application Process(es).
11. Linux -> Windows
• Namespaces -> Silos
• Resource Control (cgroups) -> Job Objects
• System call whitelisting (seccomp) -> Per-process limited blacklisting
• Linux Security Modules -> Opt-in sandboxing API (AppContainer)
• Scanning -> Scanning
• Image Signing -> Image Signing
12. Job Objects / Silos
Silos
• Kernel isolation in Windows
• Pristine NT Object Table
• Separate volume mount
• No named pipes, LPC, sockets from root, unless the root wants to alias one in…
• API accessible from root
Job Objects
• Assigned to process and all children
• Can be assigned to child process or a Silo
• Resource constraints [CPU, Memory, IO]
• API accessible from Medium Integrity for child processes
23. Hyper-V Isolation
Diagram (text residue only; same figure as slide 9): Host User Mode with Container Management and a process-isolated Container (System Processes, Application Process(es)) beside a Hyper-V VM running its own System Processes and Application Process(es).
24. Host User Mode: memory
Diagram (text residue only): the VM Worker Process and Container Management run in Host User Mode; the Container's 'Physical' Memory is backed by a VM Memory Process whose range 0x00000000–0xf7ffffff maps to Guest Memory.
25. Host User Mode: processes
Diagram (text residue only): the VM Worker Process in Host User Mode hosts a Hyper-V VM; inside the VM, Container Management, System Processes and Application Processes run, with Container Management also present on the host.
26. Host User Mode: storage
Diagram (text residue only): StorVSP in Host User Mode serves Container Storage to the Hyper-V VM as drive C:, backed by Sandbox.vhd; Container Management, System Processes and Application Process(es) run inside the VM.
28. Host User Mode: storage with a Target Folder
Diagram (text residue only): as on slide 26, StorVSP presents Container Storage as C: to the Hyper-V VM, now with a host Target Folder in the path; Container Management, System Processes and Application Process(es) run inside the VM.
29. Host User Mode: shared file memory
Diagram (text residue only): as on slide 24, the VM Worker Process and VM Memory Process back the Container's 'Physical' Memory (0x00000000–0xf7ffffff) as Guest Memory; File 1 appears on both the host side and the guest side, showing the same file mapped into both.
30. Windows Internals – Resource Limitations
cgroups -> Job Objects
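The slides above contrast process isolation (Silo plus Job Object on the shared host kernel) with Hyper-V isolation (a utility VM backed by a VM Worker Process and a VM Memory process) and map cgroups onto Job Objects. The following PowerShell is an added example, not code from the talk: it runs the same image under both isolation modes, applies Docker's resource limits (which Docker enforces with Job Objects for process isolation and passes to the VM for Hyper-V isolation), and inspects what landed. The image tag, the limit values and the assumption that the "VM Worker Process" and "VM Memory Process" on the slides correspond to the vmwp and vmmem host processes are mine.

```powershell
# Added example (not from the slides). Requires a Windows Server host with
# Docker and the Hyper-V role. Image tag and limits are assumptions.
$image = 'mcr.microsoft.com/windows/servercore:ltsc2019'   # assumed image tag

# 1. Process isolation: the container shares the host kernel (Silo + Job Object),
#    so the image's OS build must match the host's. Compare the two versions.
$hostVer = [System.Environment]::OSVersion.Version.ToString()
$ctrVer  = (docker run --rm --isolation=process $image cmd /c ver) -join ' '
Write-Host "Host build     : $hostVer"
Write-Host "Container build: $ctrVer"

# 2. Hyper-V isolation: same image, but a utility VM supplies its own kernel.
#    Limits are expressed identically (cgroups -> Job Objects); here they are
#    applied to the VM rather than to a Job Object on the host.
$id = docker run -d --isolation=hyperv --memory 512m --cpus 1 $image `
        cmd /c 'ping -t localhost >nul'

# 3. Check what Docker actually recorded for this container.
docker inspect --format `
  '{{.HostConfig.Isolation}} memory={{.HostConfig.Memory}} nanocpus={{.HostConfig.NanoCpus}}' $id

# 4. On the host, the Hyper-V-isolated container is visible as a VM Worker
#    Process (vmwp) and a VM Memory process (vmmem) that backs the guest's
#    'physical' memory. A process-isolated container has neither.
Get-Process -Name vmwp, vmmem -ErrorAction SilentlyContinue |
    Select-Object Name, Id, @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } }

docker rm -f $id | Out-Null
```

Run it once with the process-isolated container from step 1 left running and once with only the Hyper-V container to see that vmwp/vmmem appear only in the second case; if step 1 fails with a version mismatch error, that failure is itself the point: process isolation cannot hide a kernel version difference, Hyper-V isolation can.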
39. Think Defense-in-Depth (Network, Container, Host)
• Network isolation always matters
• Image scanning
• Image signing
• Process isolation/restriction
• Set up automated builds
• Hyper-V isolation OR process isolation/restriction
• Use Docker EE secrets
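Two items on this closing slide, image signing and Docker EE secrets, are the supply-chain half of the picture from slide 5. The PowerShell below is an added example, not code from the talk or from Docker: it enables Docker Content Trust so the push is signed through Notary and unsigned pulls are refused, then delivers a secret to a Hyper-V-isolated Windows service as a runtime file rather than an image layer or environment variable. The registry hostname, repository, secret value and the presence of a Dockerfile in the current directory are assumptions; the secrets path is the one Docker documents for Windows containers.

```powershell
# Added example (not from the slides). Assumes a Docker EE swarm manager,
# a Dockerfile in the current directory, and an assumed DTR repository.
$repo = 'dtr.example.com/team/app:1.0'    # assumed repository

# 1. Image signing: with content trust on, `docker push` signs the tag with
#    Notary keys and `docker pull`/`docker run`/`docker service create`
#    refuse tags that are unsigned or whose digest no longer matches.
$env:DOCKER_CONTENT_TRUST = '1'
docker build -t $repo .
docker push $repo                  # prompts for the repository signing key on first use
docker trust inspect --pretty $repo

# 2. Secrets: stored once in the encrypted swarm Raft log and delivered only to
#    tasks that declare them, so the value never enters an image layer or
#    `docker inspect` output.
'S3cr3t-from-a-vault' | docker secret create app_db_password -   # assumed value
docker service create --name app `
    --secret app_db_password `
    --isolation hyperv `
    $repo

# 3. Inside a Windows container the secret is a file under
#    C:\ProgramData\Docker\secrets\<name>; read it there at start-up.
$task = docker ps -q -f name=app.1
docker exec $task cmd /c type C:\ProgramData\Docker\secrets\app_db_password

# Cleanup
docker service rm app | Out-Null
docker secret rm app_db_password | Out-Null
```

Leave `$env:DOCKER_CONTENT_TRUST` set on the build and deploy hosts (or in the CI runner's environment) so that every pull is verified, not only the one shown; a single unset shell is enough to admit an unsigned image.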