security options for container implementations
play

Security options for container implementations Jay Coles doger.io - PowerPoint PPT Presentation

Nov 18, 2023 •187 likes •379 views

Security options for container implementations Jay Coles doger.io LCA2015 @container_doge Who am I http://doger.io @container_doge Jay Coles doger.io LCA2015 @container_doge Triangle of Effort NSA Decreasing Skill Hacker Level

  1. Security options for container implementations Jay Coles doger.io LCA2015 @container_doge

  2. Who am I http://doger.io @container_doge Jay Coles doger.io LCA2015 @container_doge

  3. Triangle of Effort NSA Decreasing Skill Hacker Level Organized Crime Drive By/Botnet Script Kiddie Increasing Effort Jay Coles doger.io LCA2015 @container_doge

  4. What they want ● Do not want to be detected ● Access to other customers information ● Access to other customers environments ● Adequate Storage/CPU/Mem/Network capacity ● Further ingress/infiltration on the network Jay Coles doger.io LCA2015 @container_doge

  5. How they do it ● Exploit an exposed service (does not need to have network access, eg in batch/queue processing) ● Pull down their toolset ● Start attacking the kernels ● Cement hold on system (command and control, process hiding) Jay Coles doger.io LCA2015 @container_doge

  6. What is security? ● Restrict access to other containers ● Prevent knowledge of other containers from leaking ● Ability to account for memory/cpu/network/disk usage ● Ability to control memory/cpu/network/disk resources ● Ability to detect and remove rouge processes Jay Coles doger.io LCA2015 @container_doge

  7. Usual Suspects ● Unix permissions ● Capabilities ● Chroot ● Quotas ● Rlimit ● Cgroups ● App Armor ● Seccomp ● Selinux ● ACLs Jay Coles doger.io LCA2015 @container_doge

  8. What does not work ● rlimits ● Quotas ● Blacklisting via ACLs Jay Coles doger.io LCA2015 @container_doge

  9. Capabilities ● CAP_SYS_MODULE ● CAP_MAC_OVERRIDE ● CAP_SYS_RAWIO ● CAP_MAC_ADMIN ● CAP_NET_BROADCAST ● CAP_NET_RAW ● CAP_MKNOD ● CAP_SETPCAP ● CAP_SYS_TTY_CONFIG ● CAP_SYSLOG ● CAP_AUDIT_WRITE ● CAP_WAKE_ALARM ● CAP_AUDIT_CONTROL ● CAP_BLOCK_SUSPEND ● CAP_AUDIT_READ ● CAP_SYS_BOOT ● CAP_SYS_TIME Jay Coles doger.io LCA2015 @container_doge

  10. Capabilities ● 'capsh' to drop capabilities ● Call instead of /sbin/init or entry point ● Have it invoke the init/entrypoint ● CAP_SETPCAP allows you to turn capabilties back on Jay Coles doger.io LCA2015 @container_doge

  11. cgroups ● Multiple protections in one – Accounting of resource usage – Limiting resource usage (cpu/mem) – Tracking of processes – Preventing/allowing device access Jay Coles doger.io LCA2015 @container_doge

  12. cgroups Jay Coles doger.io LCA2015 @container_doge

  13. App Armor vs selinux Jay Coles doger.io LCA2015 @container_doge

  14. selinux NSA ASIO CIA Secret Multi Confidential Level Security Unclassified Multi Category Security Jay Coles doger.io LCA2015 @container_doge

  15. selinux ● 'runcon' is your friend ● 'chcon' to tag the files as belonging to a container ● Mainly going to be changing the security level – s0:c1,c4 ● Will need appropriate policies/rules in place – This means a working selinux setup Jay Coles doger.io LCA2015 @container_doge

  16. seccomp ● Mount ● Quotactl ● finit_module ● Acct ● Setns ● Umount2 ● clock_adjtime ● Sethostname ● kexec_load ● Swapon ● Nfsservct ● swapoff ● pivot_root ● Reboot ● pciconfig_iobase ● Adjtimeex ● pciconfig_read ● Setdomainname ● pciconfig_write ● init_module ● clock_settime ● delete_module ● Personality Jay Coles doger.io LCA2015 @container_doge

  17. Adding things in ● Can be patched in: – App Armor – Selinux – Capabilities – Cgroups ● Requires app support: – seccomp Jay Coles doger.io LCA2015 @container_doge

  18. Questions Jay Coles doger.io LCA2015 @container_doge

Recommend

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False? Containers are inherently insecure. Some Learnings from an Enterprise Study 94%: Containers have security implications 31%: Worried

490 views • 24 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee

BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee

BASTION: A Security Enforcement Network Stack for Container Networks Jaehyun Nam 1 , Seungsoo Lee 1 , Hyunmin Seo 1 , Phillip Porras 2 , Vinod Yegneswaran 2 , and Seungwon Shin 1 KAIST 1 and SRI International 2 The state of Container Security

800 views • 24 slides
CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote "Using Docker" for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook http://www.oreilly.com/webops-perf/free/docker-

1.06k views • 68 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung

Kubernetes und Container Aber Sicher! Container / K8s Security Andreas Falk Vorstellung Andreas Falk Novatec Consulting andreas.falk@novatec-gmbh.de / @andifalk https://www.novatec-gmbh.de/beratung/agile-security 2

1.1k views • 65 slides
Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro

Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro

Composition of SDN applications: Options/challenges for real implementations Arne Schwabe Pedro A. Aranda Gutirrez Holger Karl Computer Networks Group Universitt Paderborn Modernizing the setup Simple standard network setup

409 views • 21 slides
Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya

Kubernetes Security Zooming In, Zooming Out A comprehensive Container Security Strategy Kavya Pearlman Global Cybersecurity Strategist - Wallarm @KavyaPearlman | @Wallarm Rob Richardson Technical Evangelist - MemSQL @Rob_Rich | @MemSQL

279 views • 27 slides
Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI

Evaluating the Security of Implementations Against Side Channel Attacks Activities from ANSSI Laboratory for Embedded Security Emmanuel Prouff emmanuel.prouff@ssi.gouv.fr Agence Nationale de la S ecurit e des Syst` emes dInformation

790 views • 68 slides
First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt 1) Kazuhiko Sakaguchi 1)2) 1) National Institute of Advanced Industrial Science and Technology, Japan 2) University of Tsukuba Motivation

352 views • 21 slides
Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Crypto. group SWORD Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an Explanation Based on Externally-Amplified Couplings Itamar Levi, Davide Bellizia and Franois-Xavier Standaert Aug. 2018 Moti

298 views • 27 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S.

583 views • 36 slides
Categorizing container escape methodologies in multi-tenant environments Rik Janssen

Categorizing container escape methodologies in multi-tenant environments Rik Janssen

Categorizing container escape methodologies in multi-tenant environments Rik Janssen rik.janssen@os3.nl Research Project 1 MSc Security and Network Engineering (SNE/OS3) University of Amsterdam Supervisor: Max Hovens KPMG Cyber Security

774 views • 17 slides
Declassification Options and Requirements Information Security Webinar Marc Brandsness

Declassification Options and Requirements Information Security Webinar Marc Brandsness

6/20/2013 Declassification Options and Requirements Information Security Webinar Marc Brandsness Security Asset Protection Professional Certification (SAPPC) Retired US Air Force-Security Forces with over 25 years of Law Enforcement

307 views • 15 slides
WHAT ARE YOUR FREIGHT OPTIONS? Air Freight Sea Freight Direct Service Full Container

WHAT ARE YOUR FREIGHT OPTIONS? Air Freight Sea Freight Direct Service Full Container

WHAT ARE YOUR FREIGHT OPTIONS? Air Freight Sea Freight Direct Service Full Container Load (FCL) Transhipment Service o Direct o Transhipment Courier Service Less Than Container Load (LCL) When to Use Air Freight Value

746 views • 43 slides
Container Deposits The story so far, and why doesn t everyone do this? Container Deposit

Container Deposits The story so far, and why doesn t everyone do this? Container Deposit

Plastic Bags Ban and Container Deposits The story so far, and why doesn t everyone do this? Container Deposit Legislation Remember 1975? Source: Adelaide Now Adelaide Oval Cricket test 1973 Football Grand Final 1973Adelaide Cans

658 views • 18 slides
LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security

LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security

1 / 20 Conclusion FSE 2014 LS-Designs G. Leurent (UCL,Inria) Motivation LS-Designs Bitslice Encryption for Efficient Masked Software Implementations Instances Security Analysis LS-Designs . . . . . . . . . . . . . . . . . . Vincent

638 views • 27 slides
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks Juraj Somorovsky Ruhr University Bochum 3curity GmbH juraj.somorovsky@3curity.de About me Security Researcher at: Chair for Network and Data Security,

818 views • 53 slides
Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan Microsoft Research, Cambridge Microsoft Research INRIA Joint Centre, Paris Joint work with C. Fournet and A.D. Gordon + R. Puccella, S. Tse, N.

1.4k views • 122 slides
A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the

A Series Of Unfortunate Container Events Netflixs container platform lessons learned About the speakers and team Follow along - @sargun @tomaszbak_ca @fabiokung @aspyker @amit_joshee @anwleung 2 Netflixs container management platform

808 views • 44 slides
Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen

Practical Cryptanalysis of Json Web Token and Galois Counter Modes Implementations Quan Nguyen (quannguyen@google.com) Google Information Security Engineer (ISE) My Job Conduct security reviews, i.e., play the attacker role mentioned in

516 views • 29 slides
TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno

TLS THE LAW OF BROKEN TLS IMPLEMENTATIONS Hanno Bck https://hboeck.de/ 1 WHO AM I? Hanno Bck Freelance journalist (Golem.de, Zeit Online, taz, LWN) Find and fix security vulnerabilities and bugs in free soware (Fuzzing Project,

693 views • 44 slides

More recommend