security options for container implementations
play

Security options for container implementations Jay Coles doger.io - PowerPoint PPT Presentation

Nov 18, 2023 •187 likes •379 views

Security options for container implementations Jay Coles doger.io LCA2015 @container_doge Who am I http://doger.io @container_doge Jay Coles doger.io LCA2015 @container_doge Triangle of Effort NSA Decreasing Skill Hacker Level

  1. Security options for container implementations Jay Coles doger.io LCA2015 @container_doge

  2. Who am I http://doger.io @container_doge Jay Coles doger.io LCA2015 @container_doge

  3. Triangle of Effort NSA Decreasing Skill Hacker Level Organized Crime Drive By/Botnet Script Kiddie Increasing Effort Jay Coles doger.io LCA2015 @container_doge

  4. What they want ● Do not want to be detected ● Access to other customers information ● Access to other customers environments ● Adequate Storage/CPU/Mem/Network capacity ● Further ingress/infiltration on the network Jay Coles doger.io LCA2015 @container_doge

  5. How they do it ● Exploit an exposed service (does not need to have network access, eg in batch/queue processing) ● Pull down their toolset ● Start attacking the kernels ● Cement hold on system (command and control, process hiding) Jay Coles doger.io LCA2015 @container_doge

  6. What is security? ● Restrict access to other containers ● Prevent knowledge of other containers from leaking ● Ability to account for memory/cpu/network/disk usage ● Ability to control memory/cpu/network/disk resources ● Ability to detect and remove rouge processes Jay Coles doger.io LCA2015 @container_doge

  7. Usual Suspects ● Unix permissions ● Capabilities ● Chroot ● Quotas ● Rlimit ● Cgroups ● App Armor ● Seccomp ● Selinux ● ACLs Jay Coles doger.io LCA2015 @container_doge

  8. What does not work ● rlimits ● Quotas ● Blacklisting via ACLs Jay Coles doger.io LCA2015 @container_doge

  9. Capabilities ● CAP_SYS_MODULE ● CAP_MAC_OVERRIDE ● CAP_SYS_RAWIO ● CAP_MAC_ADMIN ● CAP_NET_BROADCAST ● CAP_NET_RAW ● CAP_MKNOD ● CAP_SETPCAP ● CAP_SYS_TTY_CONFIG ● CAP_SYSLOG ● CAP_AUDIT_WRITE ● CAP_WAKE_ALARM ● CAP_AUDIT_CONTROL ● CAP_BLOCK_SUSPEND ● CAP_AUDIT_READ ● CAP_SYS_BOOT ● CAP_SYS_TIME Jay Coles doger.io LCA2015 @container_doge

  10. Capabilities ● 'capsh' to drop capabilities ● Call instead of /sbin/init or entry point ● Have it invoke the init/entrypoint ● CAP_SETPCAP allows you to turn capabilties back on Jay Coles doger.io LCA2015 @container_doge

  11. cgroups ● Multiple protections in one – Accounting of resource usage – Limiting resource usage (cpu/mem) – Tracking of processes – Preventing/allowing device access Jay Coles doger.io LCA2015 @container_doge

  12. cgroups Jay Coles doger.io LCA2015 @container_doge

  13. App Armor vs selinux Jay Coles doger.io LCA2015 @container_doge

  14. selinux NSA ASIO CIA Secret Multi Confidential Level Security Unclassified Multi Category Security Jay Coles doger.io LCA2015 @container_doge

  15. selinux ● 'runcon' is your friend ● 'chcon' to tag the files as belonging to a container ● Mainly going to be changing the security level – s0:c1,c4 ● Will need appropriate policies/rules in place – This means a working selinux setup Jay Coles doger.io LCA2015 @container_doge

  16. seccomp ● Mount ● Quotactl ● finit_module ● Acct ● Setns ● Umount2 ● clock_adjtime ● Sethostname ● kexec_load ● Swapon ● Nfsservct ● swapoff ● pivot_root ● Reboot ● pciconfig_iobase ● Adjtimeex ● pciconfig_read ● Setdomainname ● pciconfig_write ● init_module ● clock_settime ● delete_module ● Personality Jay Coles doger.io LCA2015 @container_doge

  17. Adding things in ● Can be patched in: – App Armor – Selinux – Capabilities – Cgroups ● Requires app support: – seccomp Jay Coles doger.io LCA2015 @container_doge

  18. Questions Jay Coles doger.io LCA2015 @container_doge

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False? Containers are inherently insecure. Some Learnings from an Enterprise Study 94%: Containers have security implications 31%: Worried

490 views • 24 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee

BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee

BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee 1 , Hyunmin Seo 1 , Phillip Porras 2 , Vinod Yegneswaran 2 , and Seungwon Shin 1 KAIST 1 and SRI International 2 The state of Container Security

800 views • 24 slides
CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote "Using Docker" for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook http://www.oreilly.com/webops-perf/free/docker-

1.06k views • 68 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung Andreas Falk Novatec Consulting andreas.falk@novatec-gmbh.de / @andifalk https://www.novatec-gmbh.de/beratung/agile-security 2

1.1k views • 65 slides
Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro

Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro

Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro A. Aranda Gutirrez Holger Karl Computer Networks Group Universitt Paderborn Modernizing the setup Simple standard network setup

409 views • 21 slides
Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL

279 views • 27 slides
Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S ecurit e des Syst` emes dInformation

790 views • 68 slides
First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt 1) Kazuhiko Sakaguchi 1)2) 1) National Institute of Advanced Industrial Science and Technology, Japan 2) University of Tsukuba Motivation

352 views • 21 slides
Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Crypto. group SWORD Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an Explanation Based on Externally-Amplified Couplings Itamar Levi, Davide Bellizia and Franois-Xavier Standaert Aug. 2018 Moti

298 views • 27 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S.

583 views • 36 slides
Categorizing container escape methodologies in multi-tenant environments Rik Janssen

Categorizing container escape methodologies in multi-tenant environments Rik Janssen

Categorizing container escape methodologies in multi-tenant environments Rik Janssen rik.janssen@os3.nl Research Project 1 MSc Security and Network Engineering (SNE/OS3) University of Amsterdam Supervisor: Max Hovens KPMG Cyber Security

774 views • 17 slides
Declassification Options and Requirements Information Security Webinar Marc Brandsness

Declassification Options and Requirements Information Security Webinar Marc Brandsness

6/20/2013 Declassification Options and Requirements Information Security Webinar Marc Brandsness Security Asset Protection Professional Certification (SAPPC) Retired US Air Force-Security Forces with over 25 years of Law Enforcement

307 views • 15 slides
A Framework for Advanced Robot Programming in the RoboCup Domain Hayato Kobayashi 1 , Akira Ishino

A Framework for Advanced Robot Programming in the RoboCup Domain Hayato Kobayashi 1 , Akira Ishino

A Framework for Advanced Robot Programming in the RoboCup Domain Hayato Kobayashi 1 , Akira Ishino 2 , and Ayumi Shinohara 3 1 Department of Informatics, Kyushu University, Japan 2 Office for Information of University Evaluation, Kyushu University,

681 views • 54 slides
Big Bang Designing a Statically Typed Scripting Language Pottayil Harisanker Menon, Zachary

Big Bang Designing a Statically Typed Scripting Language Pottayil Harisanker Menon, Zachary

Big Bang Designing a Statically Typed Scripting Language Pottayil Harisanker Menon, Zachary Palmer, Scott F. Smith, Alexander Rozenshteyn The Johns Hopkins University June 11, 2012 Scripting Languages Terse Flexible Easy to

1.86k views • 159 slides
Rediscovering Ousterhouts Dichotomy in the 21st Century while Developing and Deploying Software

Rediscovering Ousterhouts Dichotomy in the 21st Century while Developing and Deploying Software

Rediscovering Ousterhouts Dichotomy in the 21st Century while Developing and Deploying Software for Set-Theoretic Empirical Analysis: From R to Python/Qt to OCaml and Tcl/Tk Claude Rubinson University of HoustonDowntown rubinsonc@uhd.edu

441 views • 21 slides
Extending LLDB to More Scripting Languages Jonas Devlieghere, Apple C++ API Scripting Bridge

Extending LLDB to More Scripting Languages Jonas Devlieghere, Apple C++ API Scripting Bridge

Extending LLDB to More Scripting Languages Jonas Devlieghere, Apple C++ API Scripting Bridge API Scripting Bridge API SBThread SBDebugger SBBreakpoint SBTarget SBFrame SBSymbol SBValue SBProcess SBFunction Python Python

307 views • 15 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
ICE and RTP DoS draft-rosenberg-mmusic-rtp-denialofservice draft-rosenberg-sipping-ice Jonathan

ICE and RTP DoS draft-rosenberg-mmusic-rtp-denialofservice draft-rosenberg-sipping-ice Jonathan

ICE and RTP DoS draft-rosenberg-mmusic-rtp-denialofservice draft-rosenberg-sipping-ice Jonathan Rosenberg dynamicsoft The DoS Problem Attacker sends SIP Server INVITE or RTSP RTP SETUP to server Flood INVITE/SETUP IP for RTP is

293 views • 10 slides
Anonymity Loves Company: Usability and the network effect Roger Dingledine, Nick Mathewson The

Anonymity Loves Company: Usability and the network effect Roger Dingledine, Nick Mathewson The

Anonymity Loves Company: Usability and the network effect Roger Dingledine, Nick Mathewson The Free Haven Project 1 Overview We design and deploy anonymity systems. Version 1: You guys are studying this in academia, and we're

684 views • 25 slides
CSc 337 LECTURE 26: REGULAR EXPRESSIONS AND SECURITY Regular expressions in JavaScript var str =

CSc 337 LECTURE 26: REGULAR EXPRESSIONS AND SECURITY Regular expressions in JavaScript var str =

CSc 337 LECTURE 26: REGULAR EXPRESSIONS AND SECURITY Regular expressions in JavaScript var str = "The rain in SPAIN stays mainly in the plain"; var res = str.match(/ain/g); - The match function takes a regular expression as a

408 views • 19 slides

More recommend