SlideShare une entreprise Scribd logo

An In-depth look at application containers

Télécharger en tant que PPTX, PDF
John Kinsella
John Kinsella

Slides for a talk I gave to the NIST cloud security working group on the state of container security. Due to this being a NIST talk, it's without branding or vendor mentions, where possible.

Technologie
1  sur  33
An In-Depth Look at Application Containers
Overview • A Brief History and Overview of Containers • Security Benefits(?) of Containers • Container Vulnerability Management • Responding to Container Attacks
Containers are not new, but…
Container Adoption Challenges
Source: ClusterHQ Container Adoption Challenges
Container (n): • Software-based isolation, for processes controlling… • Process grouping • Resource usage • What actions a process can take
cgroups
Grouping and constraints
What does a process do? • Auditing (read write audit events) • File access (read, write, create, delete) • Network access (bind, send, receive) • Process management (fork, kill) • Security (MAC) • Debug (tracing) • Administration (system config)
Capabilities • CAP_AUDIT_CONTROL • CAP_AUDIT_READ • CAP_AUDIT_WRITE • CAP_BLOCK_SUSPEND • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_DAC_READ_SEARCH • CAP_FOWNERCAP_FSETID • CAP_IPC_LOCK • CAP_IPC_OWNER • CAP_KILL • CAP_LEASE • CAP_LINUX_IMMUTABLE • CAP_MAC_ADMIN • CAP_MAC_OVERRIDE • CAP_MKNOD • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_BROADCAST • CAP_NET_RAW • CAP_SETGID • CAP_SETFCAP • CAP_SETPCAP
Capabilities Worst to best: • Run with --privileged=true • Run with –cap-add ALL • Run with --cap-drop ALL --cap-add <only needed> • Run as non-root user, unprivileged Useful: capabilities section of documentation container runtimes
Security Benefits of Containers and Microservices • Smaller surface area* • Shorter lifespan* – shorter period when open to attack • More automated process – easier to recreate/redeploy* *(in theory)
Security Benefits of Containers and Microservices • Containerized apps lend themselves to ”12 factor” design 12factor.net
Security Disadvantages of Containers and Microservices • Relatively new technology • Lots of moving parts • Shorter lifespan – this makes investigations more difficult
Results of Twitter Survey
Why Isolate? • Only as secure as your weakest link • What happens if other departments are running in your private cloud? • What happens if other customers are running in your bare metal CaaS?
Unikernels – Hardware Isolated Containers • Build custom VM images to boot bare OS to support single (usually) container
Brief Overview of Container Orchestration
Why Orchestration? • For “real” workloads: • How to launch 500 containers across 20 hosts? • Being aware of resources on each host • Getting storage and networking to right container on the right host • Distribution for speed, efficiency, cost, etc. • As part of a CI/CD process • How to do a rolling update of those 500 live containers to a new sw version?
Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN
Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN Containers Container Image mgmt Container networking Container storage Host Host Image Mgmt Host Networking Local Storage NAS/SAN
Image Security • Where did an image come from? • Is it an official image? • Is it the right version? • Has somebody modified it?
Host Security • Follow standard hardening processes but only firewall host, not it’s containers • A host itself shouldn’t be “exposed” – there should be no public attack surface. Administer via known private network • One nasty exposure – privileged containers.
Vulnerability Management in a Container World
Managing Security Exposure in Containers
Smaller Image, Less Vulnerabilities • Avoid ”From:$bloatedDistribution” and similar • Software can’t be vulnerable if it’s not installed. An amazingly large percentage of public container images are based on bloated (500mb+) full distributions.
Why? Least Privilege • We want the smallest image possible, when we load it across 100 hosts • The smaller the image, the less exposure for potential vulnerabilities • If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
Seccomp We need to build a list of system calls called by the program… …that we want to succeed • Guess (preferably educated) • RTFM (thanks John!) • Capture behavior – maybe /usr/sbin/strace • Disassembly?
Plan For Container Attacks • Before going to production, think about how you’d investigate an attack • Containers are mostly ephemeral • Collect logs at a central location • Practice identifying and snapshotting problem containers • Don’t forget about data backup/recovery
Thanks – Let’s continue the conversation! @johnlkinsella Slides posted at http://www.slideshare.net/jlkinsel
Addendum • Classification and grouping of system calls http://seclab.cs.sunysb.edu/sekar/papers/syscallclassif.htm
Data Sources • Container Adoption Challenges: RightScale 2016 State of the Cloud • Layered container image: Ubuntu • Namespaces and cgroups images: IBM Data and some graphics provided by:

Recommandé

Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
John Kinsella
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
Shea Stewart
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Zach Hill
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
DNIF
 

Recommandé

Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
John Kinsella
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Container Security
Container SecurityContainer Security
Container Security
Amazon Web Services
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
Shea Stewart
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Zach Hill
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
Suraj Khetani
 
Container Security Essentials
Container Security EssentialsContainer Security Essentials
Container Security Essentials
DNIF
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
Gordon Haff
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Containers 101
Containers 101Containers 101
Containers 101
Black Duck by Synopsys
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Container Security
Container SecurityContainer Security
Container Security
Jie Liau
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
John Kinsella
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
OW2
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
Amazon Web Services
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple Steps
DevOps.com
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
smart_bit
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
Stephane Woillez
 
Deployment with Ruby on Rails
Deployment with Ruby on RailsDeployment with Ruby on Rails
Deployment with Ruby on Rails
Jonathan Weiss
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recap
ehazlett
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?
Manideep Konakandla
 
Is Docker Secure?
Is Docker Secure?Is Docker Secure?
Is Docker Secure?
Manideep Konakandla
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017
Manideep Konakandla
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
Docker, Inc.
 
Digital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and MicroservicesDigital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and Microservices
Lightbend
 

Contenu connexe

Tendances

Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
Michael Ducy
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
Black Duck by Synopsys
 

Tendances (20)

Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
 
Container Security
Container SecurityContainer Security
Container Security
 
Containers 101
Containers 101Containers 101
Containers 101
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Container Security
Container SecurityContainer Security
Container Security
 
A (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability ScannersA (fun!) Comparison of Docker Vulnerability Scanners
A (fun!) Comparison of Docker Vulnerability Scanners
 
Container security
Container securityContainer security
Container security
 
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, ParisApplied Security for Containers, OW2con'18, June 7-8, 2018, Paris
Applied Security for Containers, OW2con'18, June 7-8, 2018, Paris
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
 
From Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple StepsFrom Zero to Hero: Continuous Container Security in 4 Simple Steps
From Zero to Hero: Continuous Container Security in 4 Simple Steps
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Deployment with Ruby on Rails
Deployment with Ruby on RailsDeployment with Ruby on Rails
Deployment with Ruby on Rails
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
DockerCon 2016 Recap
DockerCon 2016 RecapDockerCon 2016 Recap
DockerCon 2016 Recap
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?How secure is your Docker Container pipeline?
How secure is your Docker Container pipeline?
 
Is Docker Secure?
Is Docker Secure?Is Docker Secure?
Is Docker Secure?
 
BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017BSides SF talk on Docker Images Security - Feb 13, 2017
BSides SF talk on Docker Images Security - Feb 13, 2017
 

Similaire à An In-depth look at application containers

Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced Architectures
Angelos Kapsimanis
 
The economies of scaling software - Abdel Remani
The economies of scaling software - Abdel RemaniThe economies of scaling software - Abdel Remani
The economies of scaling software - Abdel Remani
jaxconf
 
The Economies of Scaling Software
The Economies of Scaling SoftwareThe Economies of Scaling Software
The Economies of Scaling Software
Abdelmonaim Remani
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
Ksenia Peguero
 

Similaire à An In-depth look at application containers (20)

DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Digital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and MicroservicesDigital Transformation with Kubernetes, Containers, and Microservices
Digital Transformation with Kubernetes, Containers, and Microservices
 
Software Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced ArchitecturesSoftware Architectures, Week 5 - Advanced Architectures
Software Architectures, Week 5 - Advanced Architectures
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
The economies of scaling software - Abdel Remani
The economies of scaling software - Abdel RemaniThe economies of scaling software - Abdel Remani
The economies of scaling software - Abdel Remani
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
The Economies of Scaling Software
The Economies of Scaling SoftwareThe Economies of Scaling Software
The Economies of Scaling Software
 
BGOUG "Agile Data: revolutionizing database cloning'
BGOUG "Agile Data: revolutionizing database cloning'BGOUG "Agile Data: revolutionizing database cloning'
BGOUG "Agile Data: revolutionizing database cloning'
 
Microservices, Kubernetes, and Application Modernization Done Right
Microservices, Kubernetes, and Application Modernization Done RightMicroservices, Kubernetes, and Application Modernization Done Right
Microservices, Kubernetes, and Application Modernization Done Right
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
 
Presentation ING for ISC2 Secure Summits EMEA
Presentation ING for ISC2 Secure Summits EMEAPresentation ING for ISC2 Secure Summits EMEA
Presentation ING for ISC2 Secure Summits EMEA
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
 
Denver devops : enabling DevOps with data virtualization
Denver devops : enabling DevOps with data virtualizationDenver devops : enabling DevOps with data virtualization
Denver devops : enabling DevOps with data virtualization
 
Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment Planning
 
Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
The State of Kubernetes Security
The State of Kubernetes Security The State of Kubernetes Security
The State of Kubernetes Security
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 

Plus de John Kinsella

What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?
John Kinsella
 

Plus de John Kinsella (8)

Removing the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and VisibilityRemoving the Burden of Securing Microservices Through Automation and Visibility
Removing the Burden of Securing Microservices Through Automation and Visibility
 
2019 Infosec World Keynote
2019 Infosec World Keynote2019 Infosec World Keynote
2019 Infosec World Keynote
 
Docker security configuration
Docker security configurationDocker security configuration
Docker security configuration
 
CloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerabilityCloudStack and the HeartBleed vulnerability
CloudStack and the HeartBleed vulnerability
 
Dont break the glass
Dont break the glassDont break the glass
Dont break the glass
 
CloudStack Secured
CloudStack SecuredCloudStack Secured
CloudStack Secured
 
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
Truly Secure: The Steps a Security Practitioner Took to Build a Secure Public...
 
What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?What is Cloud Security, and Can I Have Some?
What is Cloud Security, and Can I Have Some?
 

Dernier

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Dernier (20)

Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

An In-depth look at application containers

  • 1. An In-Depth Look at Application Containers
  • 2. Overview • A Brief History and Overview of Containers • Security Benefits(?) of Containers • Container Vulnerability Management • Responding to Container Attacks
  • 3. Containers are not new, but…
  • 6. Container (n): • Software-based isolation, for processes controlling… • Process grouping • Resource usage • What actions a process can take
  • 9. What does a process do? • Auditing (read write audit events) • File access (read, write, create, delete) • Network access (bind, send, receive) • Process management (fork, kill) • Security (MAC) • Debug (tracing) • Administration (system config)
  • 10. Capabilities • CAP_AUDIT_CONTROL • CAP_AUDIT_READ • CAP_AUDIT_WRITE • CAP_BLOCK_SUSPEND • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_DAC_READ_SEARCH • CAP_FOWNERCAP_FSETID • CAP_IPC_LOCK • CAP_IPC_OWNER • CAP_KILL • CAP_LEASE • CAP_LINUX_IMMUTABLE • CAP_MAC_ADMIN • CAP_MAC_OVERRIDE • CAP_MKNOD • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_BROADCAST • CAP_NET_RAW • CAP_SETGID • CAP_SETFCAP • CAP_SETPCAP
  • 11. Capabilities Worst to best: • Run with --privileged=true • Run with –cap-add ALL • Run with --cap-drop ALL --cap-add <only needed> • Run as non-root user, unprivileged Useful: capabilities section of documentation container runtimes
  • 12. Security Benefits of Containers and Microservices • Smaller surface area* • Shorter lifespan* – shorter period when open to attack • More automated process – easier to recreate/redeploy* *(in theory)
  • 13. Security Benefits of Containers and Microservices • Containerized apps lend themselves to ”12 factor” design 12factor.net
  • 14. Security Disadvantages of Containers and Microservices • Relatively new technology • Lots of moving parts • Shorter lifespan – this makes investigations more difficult
  • 16.
  • 17. Why Isolate? • Only as secure as your weakest link • What happens if other departments are running in your private cloud? • What happens if other customers are running in your bare metal CaaS?
  • 18. Unikernels – Hardware Isolated Containers • Build custom VM images to boot bare OS to support single (usually) container
  • 19. Brief Overview of Container Orchestration
  • 20. Why Orchestration? • For “real” workloads: • How to launch 500 containers across 20 hosts? • Being aware of resources on each host • Getting storage and networking to right container on the right host • Distribution for speed, efficiency, cost, etc. • As part of a CI/CD process • How to do a rolling update of those 500 live containers to a new sw version?
  • 21. Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN
  • 22. Lots to Orchestrate Customer VM VM Image Management Networking Customer VM Local Storage NAS/SAN Containers Container Image mgmt Container networking Container storage Host Host Image Mgmt Host Networking Local Storage NAS/SAN
  • 23. Image Security • Where did an image come from? • Is it an official image? • Is it the right version? • Has somebody modified it?
  • 24. Host Security • Follow standard hardening processes but only firewall host, not it’s containers • A host itself shouldn’t be “exposed” – there should be no public attack surface. Administer via known private network • One nasty exposure – privileged containers.
  • 25. Vulnerability Management in a Container World
  • 26. Managing Security Exposure in Containers
  • 27. Smaller Image, Less Vulnerabilities • Avoid ”From:$bloatedDistribution” and similar • Software can’t be vulnerable if it’s not installed. An amazingly large percentage of public container images are based on bloated (500mb+) full distributions.
  • 28. Why? Least Privilege • We want the smallest image possible, when we load it across 100 hosts • The smaller the image, the less exposure for potential vulnerabilities • If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
  • 29. Seccomp We need to build a list of system calls called by the program… …that we want to succeed • Guess (preferably educated) • RTFM (thanks John!) • Capture behavior – maybe /usr/sbin/strace • Disassembly?
  • 30. Plan For Container Attacks • Before going to production, think about how you’d investigate an attack • Containers are mostly ephemeral • Collect logs at a central location • Practice identifying and snapshotting problem containers • Don’t forget about data backup/recovery
  • 31. Thanks – Let’s continue the conversation! @johnlkinsella Slides posted at http://www.slideshare.net/jlkinsel
  • 32. Addendum • Classification and grouping of system calls http://seclab.cs.sunysb.edu/sekar/papers/syscallclassif.htm
  • 33. Data Sources • Container Adoption Challenges: RightScale 2016 State of the Cloud • Layered container image: Ubuntu • Namespaces and cgroups images: IBM Data and some graphics provided by:

Notes de l'éditeur

  1. Write-in: Provenance of containers
  2. We believe first compromised Docker-powered containers were running ElasticSearch