containers with difgerent security modules
play

Containers with difgerent Security Modules FOSDEM19 Presentation - PowerPoint PPT Presentation

Mar 24, 2023 •386 likes •609 views

Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen john.johansen@canonical.com www.canonical.com February 2019 1 LSM Infrastructure Responsibilities LSM Provides Infrastructure Which LSMs are enabled

  1. Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen john.johansen@canonical.com www.canonical.com February 2019 1

  2. LSM Infrastructure Responsibilities ● LSM Provides Infrastructure ● Which LSMs are enabled ● Hooks ● Security fjelds on various objects ● Controls which LSM are enabled ● Security Module Manages ● Policy interfaces ● Policy enforcement ● Namespacing 2

  3. References ● LSM Stacking ● linux-security-module@vger.kernel.org ● https://github.com/cschaufmer/lsm-stacking ● AppArmor ● https://gitlab.com/apparmor/apparmor/wikis/home ● https://gitlab.com/apparmor/apparmor/ ● Selinux ● https://selinuxproject.org/page/User_Help ● https://github.com/stephensmalley/selinux-kernel.git ● http://namei.org/presentations/selinux_namespacing_lca2018.pdf ● https://youtu.be/bgarfEnL2hs 3

  4. Special thanks Casey Schaufler – LSM Stacking AppArmor team IMA team Smack team Selinux team LXD team 4

  5. Questions please Thank you https://github.com/cschaufmer/lsm-stacking https://github.com/jrjohansen/lsm-stacking John Johansen john.johansen@canonical.com www.canonical.com 5

  6. Reference for Questions Stacking & LSM Namespacing Redux Linux Plumbers Container MC 2018

  7. Linux Security Modules (LSM) ● Provide security ● Often MAC but not necessarily ● Kernel provides security – Hooks Located at security decision points ● All security relevant info available ● Race free ● – Security field in various objects ● selinux, smack, apparmor, tomoyo, IMA/EVM, loadpin, yama ● proposed: LSMs: LandLock, CaitSith, Checmate, HardChroot, PTAGS, SimpleFlow, SafeName, WhiteEgret, shebang, S.A.R.A.

  8. Use Cases ● LSM enabled in container but not on Host – ChromeOS running Android SELinux container – Virtual smart phone env (Cells/Cellrox), multiple android instances – Thin linux host (clear linux) ● system container – lxd. run Ubuntu (apparmor) container on rhel (selinux) host ● application confinement – snap using apparmor running on fedora (selinux base system) – Docker – flatpak

  9. Problem The LSM is not Namespaced

  10. LSM Namespacing ● Just Create an LSM Namespace! ● Presented & Discussed idea at Linux Plumbers 2017 – Not enough semantic info at LSM layer – Some LSMs don’t want to be “namespaced” Want to bound container ● No generic Solution ● – Real work needs to be done in security modules

  11. Namespacing the LSMs

  12. Requirements ● Not every LSM has the same requirements ● System level confinement (confine the container) – eg selinux using MCS label per container – do NOT want either OR mediation ie. selinux mediating tasks outside ● container using different LSM not confined by selinux ● ● Application level confinement – Not every LSM supports ● Dependent Components Need support (audit, ...)

  13. Audit ● Want ContainerID – But … ● Dependency of LSMs (apparmor, selinux, smack, ima) ● Not Namespaced ● Single Set of Rules ● Single daemon registration

  14. Audit LSS16: Conclusion ● Auditd ok with MNT, UTS, IPC, CGRP ns ● NET ns ok for now – Will need audit_pid/portid per USER ns ● PID ns ok for now for audit user messages – Will need translation per PID ns ● Auditd per USER ns wanted for containers ● NamespaceID vs. Audit ContainerID ● Need audit log aggregation by container orch

  15. AuditID ● U64 ● containers can't be universally identified by namespace (sub)set ● audit daemon won't be tied to any namespace ● netNS needs list of possible IDs responsible for net events ● child inherits parent's ID ● allow multiple audit daemons – each will have its own queue and ruleset – auxiliaries can't influence host

  16. SELinux NS ● Adds per-namespace selinuxfs instances – unshare mount ns and mount new selinuxfs ● Move AVC into namespace ● Add per-namespace support for kernel objects ● Write to selinuxfs unshare node to instantiate ● On Disk Inodes store all each NS label ● NS – Track nesting – Bounded enforcement

  17. SELinux prototype echo 1 > /sys/fs/selinux/unshare unshare -m -n umount /sys/fs/selinux mount -t selinuxfs none /sys/fs/selinux load_policy runcon unconfined_u:unconfined_r:unconfined_t:s0:c0.c1023 /bin/bash setenforce 1

  18. AppArmor ● Namespaced ● Stacked System ● Virtualized fs nscd dnsmasq Task :ns2: :ns1: :ns3: nscd dnsmasq :ns4: :ns5:

  19. AppArmor Problems ● Namespacing – mount, network, user, .. pita Need more infrastructure ● ● Securityfs – can’t mount multiple instances need to bind mount ● Still only AppArmor in AppArmor containers

  20. IMA ● Really wants ContainerID ● Prototype – IMA Audit – Virtualized IMA fs interface ● EVM – Problems with ns xattr storage

  21. Other LSMs ● Smack – Prototype namespace from a few years ago ● Yama ● Loadpin ● Landlock ● Sara

Recommend

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs Editor of Lean Out #RVASec @ElissaBeth on twitter @Elissa_is_offmessage on Instagram this was Silicon Valley in 2011 Containers are eating

954 views • 66 slides
Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False? Containers are inherently insecure. Some Learnings from an Enterprise Study 94%: Containers have security implications 31%: Worried

490 views • 24 slides
Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019 Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Objection: My security team is opposed to containers and Kubernetes 3

649 views • 41 slides
UTA Service Choices Difgerent Goals Result in Difgerent Service What is the job of public

UTA Service Choices Difgerent Goals Result in Difgerent Service What is the job of public

UTA Service Choices Difgerent Goals Result in Difgerent Service What is the job of public transit in our region? We have 18 buses to deploy in this fjctional town. Dots represent residents or jobs. Should transit be

313 views • 3 slides
Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer

Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer

Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/~mgk25/ Applications of Tamper Resistant Modules Security of cryptographic applications is based on secure

564 views • 23 slides
COMPANY PRESENTATION TRANS CONSTRUCTION AS AN EPC CONTRACTOR SUPPLYING CONTAINERS, MODULES AND

COMPANY PRESENTATION TRANS CONSTRUCTION AS AN EPC CONTRACTOR SUPPLYING CONTAINERS, MODULES AND

COMPANY PRESENTATION TRANS CONSTRUCTION AS AN EPC CONTRACTOR SUPPLYING CONTAINERS, MODULES AND OTHER WELDED CONSTRUCTIONS FOR THE OFFSHORE AND ONSHORE INDUSTRY FOR THE OFFSHORE AND ONSHORE INDUSTRY 1 Trans Construction AS, Vognvegen 2 A/B, rn

526 views • 21 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014

Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014

Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014 richard.lamb@icann.org Hardware Security Modules Cool but what are you protecting? This works fine in many cases ..but this may be the real problem No

255 views • 12 slides
Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson <ian.jackson@eu.citrix.com> FOSDEM 2015 originally based on a talk and research by George Dunlap "Some people make the mistake of thinking

328 views • 6 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules > Global Architecture > Collection & Storage > Correlation > SOC Modules R Box R Box reaction and reporting + A Box K Box A Box

673 views • 13 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at BlaBlaCar pgDay Paris, Mar 15, 2018 BlaBlaCar Overview Todays agenda PostgreSQL usage at BlaBlaCar Switching to a new implementation

844 views • 40 slides
General Services Administration Contractor Procurement of GSA-Approved Security Containers

General Services Administration Contractor Procurement of GSA-Approved Security Containers

General Services Administration Contractor Procurement of GSA-Approved Security Containers Procurement Steps 6/15/2020 2 1. Authorization to store classified information GSA Order OGP 4100.21 allows for contractors to procure through the

180 views • 17 slides
Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have become popular replacing many Physical / Virtual Machine use cases But: The persistent storage problem for containers is still not fully solved

1.01k views • 17 slides
Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change An Approach Required Software Processes Cultural Changes Additional Concerns Lessons Learned Why This Talk? Containers are

678 views • 49 slides
Hardware Security Modules What they are and why it's likely that you've (indirectly) used one

Hardware Security Modules What they are and why it's likely that you've (indirectly) used one

Hardware Security Modules What they are and why it's likely that you've (indirectly) used one today Insert Your Name Insert Your Title Insert Date RWC 2015 Paul Hampton 8 th January 2015 What Am I Going to Talk About? What Is A Where Will

746 views • 30 slides
Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi

Attacking a co-hosted VM A hacker, a hammer and two memory modules 1 Who we are (1) Mehdi Talbi Security researcher at Stormshield haka-security project. Past life: academia (phd, postdoc, ) Main research topics: advanced

1.61k views • 94 slides
Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami

Do Containers Enhance Application Level Security? Benjy Portnoy, CISA, CISSP # whoami BlueCoat-> Symantec Director, DevSecOps @AquaSecTeam I know, Ill use Ruby on Rails! * Thanks To Jim Brickman@gruntwork.io > gem install rails

960 views • 53 slides

More recommend