categorizing container escape methodologies in multi
play

Categorizing container escape methodologies in multi-tenant - PowerPoint PPT Presentation

Categorizing container escape methodologies in multi-tenant environments Rik Janssen rik.janssen@os3.nl Research Project 1 MSc Security and Network Engineering (SNE/OS3) University of Amsterdam Supervisor: Max Hovens KPMG Cyber Security


  1. Categorizing container escape methodologies in multi-tenant environments Rik Janssen rik.janssen@os3.nl Research Project 1 MSc Security and Network Engineering (SNE/OS3) University of Amsterdam Supervisor: Max Hovens KPMG Cyber Security Netherlands February 6, 2018 Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 1 / 17

  2. Introduction Operating-system-level virtualization Docker, LXC, FreeBSD Jails, etc. Container escapes Host system takeover Data leakage Multi-tenant environments Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 2 / 17

  3. Introduction Research Question How to systematically categorize vulnerabilities relating to multi-tenant environments that make use of operating-system-level virtualization? Figure 1: Public cloud Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 3 / 17

  4. Related Work Comparative study [1] of OS-level virtualization systems: defines attacker model; defines security requirements for isolation techniques; LXC, FreeBSD Jails, Solaris Zones, etc., but not Docker. Later study [2] extends on previous study: Linux only (Docker); evaluates and extends security requirements; correlates CVEs to requirements. Both focus on single container host. Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 4 / 17

  5. Approach Literature study Linux and Kubernetes Breakdown of components Mapping CVEs Extending requirements Affected workloads Mitigation techniques Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 5 / 17

  6. Results - Architecture overview Figure 2: Cloud Native Computing Foundation (CNCF) Scope [3] Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 6 / 17

  7. Results - Architecture overview Figure 3: Kubernetes [4] Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 7 / 17

  8. Results - Security model Hardened application User namespace w/o caps Mount protections Minimal container distro Syscall Filtering w/ seccomp-bpf Linux kernel with grsecurity+pax HYPERVISOR/HARDWARE Figure 4: NCC Group’s security model [5] Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 8 / 17

  9. Results - Attack surface via linking Figure 5: Static linking Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 9 / 17

  10. Discussion - Attack surface via linking Figure 6: Dynamic linking Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 10 / 17

  11. Discussion - CVEs Etcd Distributed key-value store Single source of configuration truth Authorization Modules (e.g. ’ABAC’) One CVE found (CVE-2015-5305) OpenShift Red Hat Integrated platform (Atomic OS + Docker + Kubernetes) Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 11 / 17

  12. Results - CVE-2017-5754: ’Meltdown’ Side-channel attack [6] utilizing out-of-order execution and CPU cache timings to read all physical memory. Hardware-level vulnerability Possible from any user space process Containers specifically mentioned in regards to information leakage Intel covered in paper Mitigate using kernel page-table isolation patches Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 12 / 17

  13. Conclusion Research question How to systematically categorize vulnerabilities relating to multi-tenant environments that make use of operating-system-level virtualization? Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 13 / 17

  14. Conclusion Research question How to systematically categorize vulnerabilities relating to multi-tenant environments that make use of operating-system-level virtualization? Answer (preliminary) Application architecture is critical due to tight coupling with the underlying infrastructure. Security boundary is moved to the infrastructure (i.e. hardware) level. Utilize integrated approach (i.e. don’t use upstream). Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 14 / 17

  15. Future work Compliance correlation (e.g. ISO, HIPAA, NEN) Other OS-level virtualization platforms (e.g. Windows, *BSD, Nomad, Mesos, etc.) Other virtualization techniques (e.g. full and/or para) Automated workload classification and orchestration Istio platform (alpha) Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 15 / 17

  16. References I [1] E. Reshetova, J. Karhunen, T. Nyman, and N. Asokan, “Security of os-level virtualization technologies,” in Nordic Conference on Secure IT Systems , pp. 77–93, Springer, 2014. [2] S. Laur´ en, M. R. Memarian, M. Conti, and V. Lepp¨ anen, “Analysis of security in modern container platforms,” in Research Advances in Cloud Computing , pp. 351–369, Springer, 2017. [3] The Linux Foundation, “Cloud Native Computing Foundation (CNCF) Charter,” 2017. [Online]. Available: https://www.cncf.io/about/charter . [Accessed: Jan. 15, 2018]. [4] I. Gunaratne, “A Reference Architecture for Deploying WSO2 Middleware on Kubernetes,” Jan. 2017. [Online]. Available: https://medium.com/containermind/ a-reference-architecture-for-deploying-wso2-middleware-on-kubernetes- [Accessed: Jan. 17, 2018]. Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 16 / 17

  17. References II [5] A. Grattafiori, “Def con 23 - aaron grattafiori - linux containers: Future or fantasy? - 101 track.” Youtube. 2015. Available: https://www.youtube.com/watch?v=iN6QbszB1R8 [Accessed: Jan. 3, 2018]. [6] M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg, “Meltdown.” arXiv:1801.01207, Jan. 2018. Rik Janssen (SNE/OS3) Multi-tenant container escapes February 6, 2018 17 / 17

Recommend


More recommend